Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Sterling Connect:Direct for UNIX (CVE-2015-7575)

Summary

The MD5 “SLOTH” vulnerability on TLS 1.2 affects IBM Sterling Connect:Direct for UNIX.

Vulnerability Details

CVEID: CVE-2015-7575 DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

Affected Products and Versions

IBM Sterling Connect:Direct for Unix 4.1.0
IBM Sterling Connect:Direct for Unix 4.0.0

Remediation/Fixes

V.R.M.F

| APAR| Remediation/First Fix
—|—|—
4.1.0| IT02558| Apply 4.1.0.4 iFix 027 or later, available on Fix Central
4.0.0| IT02558| Apply 4.0.00 Fix 114 or later, available on IWM
For older versions/releases IBM recommends upgrading to a fixed, supported version/release of the product.

Workarounds and Mitigations

For each record listed in the C:D Secure+ Admin Tool, go to its TLS/SSL Protocol > TLS/SSL Options tab and remove any cipher suites listed as Enabled that use MD5 signatures.

You should verify applying this configuration change does not cause any compatibility issues. Not disabling the MD5 signature hash will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the MD5 signature hash and take appropriate mitigation and remediation actions.