Lucene search

K
ibmIBM67EF437A7EE9F806664D3B7FEB18353C77D537D23FE902D56CE220B1302C1BDA
HistoryJun 16, 2018 - 9:22 p.m.

Security Bulletin: IBM Security Network Protection is affected by OpenSSL vulnerabilities (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, and CVE-2015-0206)

2018-06-1621:22:25
www.ibm.com
7

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

Security vulnerabilities have been discovered in OpenSSL used with IBM Security Network Protection.

Vulnerability Details

CVEID:CVE-2014-3569

**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle attempts to use unsupported protocols by the ssl23_get_client_hello function in s23_srvr.c. A remote attacker could exploit this vulnerability using an unexpected handshake to trigger a NULL pointer dereference and cause the daemon to crash.

CVSS Base Score: 5.0
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99706 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVEID:CVE-2014-3570

**DESCRIPTION:**An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.

CVSS Base Score: 2.6
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99710 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

CVEID:CVE-2014-3571

**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when handling malicious messages. By sending a specially-crafted DTLS message, a remote attacker could exploit this vulnerability to cause a segmentation fault.

CVSS Base Score: 5.0
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99703 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVEID:CVE-2014-3572

**DESCRIPTION:**OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.

CVSS Base Score: 1.2
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99705 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N

CVEID:CVE-2014-8275

**DESCRIPTION:**OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions.

CVSS Base Score: 1.2
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99709 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N

CVEID:CVE-2015-0204

**DESCRIPTION:**OpenSSL could provide weaker than expected security. The client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. An attacker could exploit this vulnerability to launch further attacks on the system.

CVSS Base Score: 1.2
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99707 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N

CVEID:CVE-2015-0205

**DESCRIPTION:**OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification. An attacker could exploit this vulnerability to authenticate without the use of a private key.

CVSS Base Score: 2.1
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99708 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N

CVEID:CVE-2015-0206

**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a memory leak in the dtls1_buffer_record function. By sending repeated DTLS records with the same sequence number, a remote attacker could exploit this vulnerability to exhaust all available memory resources.

CVSS Base Score: 5.0
CVSS Temporal Score: Seehttps://exchange.xforce.ibmcloud.com/vulnerabilities/99704 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected Products and Versions

Products: IBM Security Network Protection (XGS) models 3100, 4100, 5100, 7100
Firmware versions: 5.2, 5.3

Remediation/Fixes

IBM has provided fixes for all supported versions. Follow the installation instructions in the README files included with the fix.

Workarounds and Mitigations

None

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Related for 67EF437A7EE9F806664D3B7FEB18353C77D537D23FE902D56CE220B1302C1BDA