Security Bulletin: CBC mode ciphers, weak MD5 and MAC algorithms vulnerabilities in OpenSSH affect IBM Security Network Protection (CVE-2008-5161)

Summary

CBC mode ciphers, weak MD5 and MAC algorithms vulnerabilities have been discovered in OpenSSH used with IBM Security Network Protection. These vulnerabilities have been addressed in the firmware versions below.

Vulnerability Details

CVEID: CVE-2008-5161**
DESCRIPTION:** OpenSSH and multiple SSH Tectia products could allow a remote attacker to obtain sensitive information, caused by the improper handling of errors within an SSH session which is encrypted with a block cipher algorithm in CBC mode. A remote attacker with read and write access to network data could exploit this vulnerability to display plaintext bits from a block of ciphertext and obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/46620 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
**
SYNOPSIS**: OpenSSH is configured to allow MD5 and 96-bit MAC algorithms in IBM Security Network Protection.**
DESCRIPTION**: OpenSSH server in IBM Security Network Protection is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Affected Products and Versions

IBM Security Network Protection 5.3.1
IBM Security Network Protection 5.3.2

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Security Network Protection| Firmware version 5.3.1| Download Firmware 5.3.1.7 from IBM Security License Key and Download Center and upload and install via the Available Updates page of the Local Management Interface.
IBM Security Network Protection| Firmware version 5.3.2| Install Firmware 5.3.2.1 from the Available Updates page of the Local Management Interface, or by performing a One Time Scheduled Installation from SiteProtector.

Workarounds and Mitigations

None