Dec 15, 2021 - 6:05 p.m.

Security Bulletin: TLS Protocol 64-bit Cipher Vulnerability in Multiple N series Products (CVE-2016-2183)

2021-12-15 18:05:07
www.ibm.com
CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.005 Low
Percentile: 74.8%

Summary

Multiple N series products utilize the TLS protocol. Any system that uses the TLS protocol with 64-bit block ciphers in long-running connections is vulnerable to a birthday attack referred to as SWEET32. When exploited, the vulnerability may lead to the unauthorized disclosure of information. Multiple N series products have addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Data ONTAP operating in 7-Mode: 8.2.1, 8.2.2, 8.2.3, 8.2.4;
N series Snap Creator Framework: 4.3;
N series System Setup: 1.2, 2.3;
SnapDrive for Unix: 5.3;
SnapDrive for Windows: 7.1.1, 7.1.2, 7.1.3;
Virtual Storage Console for VMware vSphere: 6.2;

Remediation/Fixes

For Data ONTAP operating in 7-Mode: the fix exists from microcode version 8.2.5;
For N series Snap Creator Framework: the fix exists from microcode version 4.3.1;
For SnapDrive for Unix: the fix exists from microcode version 5.3.1;
For SnapDrive for Windows: the fix exists from microcode version 7.1.4;
For Virtual Storage Console for VMware vSphere: the fix exists from microcode version 6.2.1;
Please contact IBM support or go to this link to download a supported release.

Workarounds and Mitigations

For customers who are using N series System Setup, please disable the 3DES and DES ciphers using <https://support.microsoft.com/en-in/kb/245030>.
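
To confirm that an upgraded or reconfigured endpoint no longer offers DES or 3DES, the suites it accepts can be enumerated and checked for 64-bit block ciphers. The following is an added example, not part of the IBM bulletin: it parses text laid out like the output of nmap's ssl-enum-ciphers script and lists every 64-bit block cipher suite per port and protocol version. The sample scan is constructed, the function and variable names are this example's own, and the token list also covers IDEA and RC2 in addition to the DES and 3DES ciphers the bulletin names.

```python
import re

# Added example, not from the bulletin. Name tokens of 64-bit block ciphers in
# IANA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) and OpenSSL (DES-CBC3-SHA) naming.
BLOCK64 = re.compile(r"3DES|DES_CBC|DES-CBC|DES40|IDEA|RC2")
PORT = re.compile(r"^(\d+)/tcp\s+open")
PROTO = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+|[A-Z0-9]+(?:-[A-Z0-9]+)+)\b")

# Constructed sample in the layout of `nmap --script ssl-enum-ciphers` output.
SAMPLE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|_  least strength: C
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""

def sweet32_suites(scan_text):
    """Return sorted (port, protocol, suite) for suites using a 64-bit block cipher."""
    port, proto, hits = 0, None, set()
    for line in scan_text.splitlines():
        if m := PORT.match(line):
            # New port section: forget the protocol of the previous one.
            port, proto = int(m.group(1)), None
        elif m := PROTO.match(line):
            proto = m.group(1)
        elif (m := SUITE.match(line)) and proto and BLOCK64.search(m.group(1)):
            hits.add((port, proto, m.group(1)))
    return sorted(hits)

if __name__ == "__main__":
    for port, proto, suite in sweet32_suites(SAMPLE):
        print(f"port {port} {proto}: {suite} (64-bit block cipher, disable)")
```

An empty result for a host means none of the enumerated suites matched a 64-bit block cipher name; the warning lines nmap prints are ignored on purpose so that only actual suite entries are counted.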
