Security Bulletin: CVE-2016-0800 SSLv2 Vulnerability in Multiple N series Products

Summary

Multiple N series products incorporate the OpenSSL software libraries to provide cryptographic capabilities. OpenSSL versions below 1.0.2h and 1.0.1t are susceptible to vulnerabilities that could lead to out-of-bound writes, heap corruption, man-in-the-middle attacks, memory exhaustion, or arbitrary information disclosure. Multiple N series Products have addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2016-0800**
DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions. By using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle, an attacker could exploit this vulnerability to decrypt TLS sessions between clients and non-vulnerable servers. This vulnerability is also known as the DROWN attack.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111139 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Data ONTAP operating in 7-Mode: 8.2.1, 8.2.2, 8.2.3, 8.2.4;
N series Snap Creator Framework: 4.1.0, 4.1.2, 4.3;
SnapDrive for Unix: 5.2, 5.2.2, 5.3;
SnapDrive for Windows: 7.1.1, 7.1.2, 7.1.3;

Remediation/Fixes

For N series Snap Creator Framework: the fix exists from microcode version 4.3.1;
For SnapDrive for Unix: the fix exists from microcode version 5.3.1;
For SnapDrive for Windows: the fix exists from microcode version 7.1.4;
Please contact IBM support or go to this link to download a supported release.

Workarounds and Mitigations

For customers who are using Data ONTAP operating in 7-Mode, please enable TLS then disable SSLv2 and v3 in ONTAP by below method.
TLS is disabled by default and must be enabled prior to disabling SSL to ensure uninterrupted secure communication.
DataMotion for vFiler REQUIRESthat SSLv3 be enabled - enabling only TLSv1 will prevent secure DataMotion from succeeding.
1. Enable TLS using the Data ONTAP command line interface:`
controller1> options tls.enable
tls.enable off

controller1> options tls.enable on

controller1> options tls.enable
tls.enable on ** Note:** If the errorCould not set option for https/ftps traffic. Try againis reported while enabling TLS, run thesecureadmin setup -f ssl` command and then attempt to enable TLS again.

2. Disable only SSLv2 and v3 using the Data ONTAP command line interface:`
controller1> options ssl
ssl.enable on
ssl.v2.enable on
ssl.v3.enable on

controller1> options ssl.v3.enable off
controller1> options ssl.v2.enable off

controller1> options ssl
ssl.enable on <<<< THIS MUST REMAIN ON FOR TLS TO WORK
ssl.v2.enable off
ssl.v3.enable off ** Note:** Even though thehttpdandldapoptions mention SSL, they will use TLS when theSSLv2andSSLv3` options are disabled.