Security Bulletin: Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568)

Summary

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols which is used by IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems. OpenSSL had a vulnerability which allowed forceful downgrade of the communication to SSL 3.0, which is vulnerable to the padding oracle
Attack, when using block cipher suites in cipher block chaining (CBC) mode. This attack on SSL 3.0’s CBC mode is also known under the alias POODLE. SSL 3.0 itself is no longer being updated, thus it is recommended that users configure their applications to require at least TLS protocol version 1.0 for secure communication.

Vulnerability Details

1. CVE-ID: CVE-2014-3513
DESCRIPTION: OpenSSL DTLS SRTP denial of service. OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/97035 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

2. CVE-ID: CVE-2014-3566 DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

3. CVE-ID: CVE-2014-3567 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server in a Denial of Service attack.
CVSS Base Score: 5.0
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/97036 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

4. CVE-ID: CVE-2014-3568 DESCRIPTION: OpenSSL could allow a remote attacker bypass security restrictions. When configured with “no-ssl3” as a build option, servers could accept and complete a SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/97037 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM FlashSystem 710 & 810, Machine Type 9830, models -AS1 & -AE1
· all supported releases before 5.6.2

TMS RAMSAN 710 & 810, Machine Type 9833, models -AS1 & -AE1
· all supported releases before 5.6.2

IBM FlashSystem 720 & 820, Machine Type 9831, models –AS2 & -AE2
· all supported releases before 6.3.2

TMS RAMSAN 710 & 810, Machine Type 9834, models -AS1 & -AE1
· all supported releases before 6.3.2

Remediation/Fixes

IBM recommends that you fix this vulnerability by promptly upgrading affected versions of IBM FlashSystem systems to the following code level or higher:

for 710 and 810, machine type 9830, models –AS1 & -AE1: 5.6.2
for 720 and 820, machine type 9831, models -AS2 & AE2: 6.3.2

IBM recommends that you fix this vulnerability by promptly upgrading affected versions of TMS RAMSAN systems to the following code level or higher:

for 710 and 810, machine type 9833, models –AS1 & -AE1: 5.6.2
for 720 and 820, machine type 9834, models -AS2 & AE2: 6.3.2

In addition, IBM recommends that you review your entire environment to identify vulnerable releases of OpenSSL in other (e.g. non-IBM products and versions) including in your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information.

Workarounds and Mitigations

None known