Security Bulletin: Vulnerability in Transport Layer Security Protocol Used in IBM System Networking Ethernet Switches (CVE-2011-3389)

Summary

Earlier versions of the Transport Layer Security (TLS) protocol are affected by a publicly disclosed vulnerability that could allow information disclosure if an attacker is carrying out a man-in-the-middle attack. Customers can avoid the vulnerability byfollowing workarounds recommended by IBM.

Vulnerability Details

Abstract

Earlier versions of the Transport Layer Security (TLS) protocol are affected by a publicly disclosed vulnerability that could allow information disclosure if an attacker is carrying out a man-in-the-middle attack.
Customers can avoid the vulnerability by following workarounds recommended by IBM.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2011-3389

DESCRIPTION:

A potential vulnerability has been identified in older versions of the Transport Layer Security (TLS, formerly known as Secure Socket Layer or SSL) protocol that may be utilized by the Browser-Based Interface (BBI) feature in IBM Networking Operating System (NOS) (formerly known as BLADE Operating System). NOS runs on IBM System Networking Ethernet switches (as well as legacy Blade Network Technology (BNT) Ethernet switches). Because BBI is the only feature in NOS to use the TLS protocol as of the date of this bulletin, Customers who do not run BBI on their IBM Ethernet switches are not impacted by this vulnerability. It is possible that future NOS features could use TLS protocols; there are instructions on how to avoid the vulnerability in such situations in the “Workaround” section below.

This attack against the TLS protocol is also known as BEAST, and it exploits the use of chained initialization vectors in early versions of the protocol. A remote attacker could exploit this vulnerability using man-in-the-middle techniques to decrypt TLS sessions and obtain sensitive information such as user authentication cookies that could be further leveraged to obtain sensitive information such as account credentials. The attack does not require local network access or physical access to the network and is therefore remotely exploitable, but specialized knowledge and techniques are required to execute this attack. A successful exploit will not impact integrity or availability of transmitted data, but the confidentiality of network traffic may be affected, although the attacker would not be able to control what data are accessed.

SSLv3 and TLS 1.0 are the older versions of this protocol that are susceptible to this vulnerability; newer versions of TLS – 1.1 and 1.2 – are not. IBM NOS has supported TLS 1.1 and 1.2 since NOS version 6.7, but even these recent versions of NOS continue to support SSLv3 and TLS 1.0 as well. Therefore, even recent versions of NOS that support TLS 1.1 and 1.2 may be susceptible to this vulnerability if a user uses the switch to communicate with TLS peers that only support the older vulnerable versions of the protocol.

CVSS v2 Base Score: 4.3 CVSS Environmental Score:* Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PRODUCTS AND VERSIONS:

This vulnerability potentially affects all IBM System Networking Ethernet switches and legacy BNT Ethernet switches (including those used in IBM Flex Systems and IBM BladeCenter products). This includes versions and releases that are no longer in support.

REMEDIATION:

None.

WORKAROUND:

Customers can avoid this vulnerability altogether by not using the BBI feature on their IBM Ethernet switches; instead, customers would use Secure Shell (SSH) to administer the device via command line. IBM recommends that customers running versions of NOS that are older than NOS 6.7 not use BBI, as those versions of NOS do not support TLS 1.1 and 1.2. IBM recommends that customers running NOS 6.7 or later on their IBM Ethernet switches who want to continue using BBI do so to communicate only with Web browsers that also support TLS 1.1 and 1.2. Similarly, to the extent any future NOS features use the TLS protocol, IBM recommends that customers use those features only to communicate with TLS peers that also support TLS 1.1 and 1.2.

MITIGATION:

None.

REFERENCES:

• Complete CVSS Guide
• On-line Calculator V2
• CVE-2011-3389
• X-Force Vulnerability Database

RELATED INFORMATION: _ IBM Secure Engineering Web Portal_
IBM Product Security Incident Response Blog

CHANGE HISTORY:

<October 10, 2013>: Original Copy Published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.