Security Bulletin: Vulnerabilities in OpenSSL affect System x Integrated Management Module (IMM) (CVE-2015-0204, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275)

Summary

OpenSSL vulnerabilities were disclosed on January 8, 2015 by the
OpenSSL Project. This includes “FREAK: Factoring Attack on
RSA-EXPORT keys” TLS/SSL client and server vulnerability. OpenSSL
is used by System x Integrated Management Module (IMM). IMM has
addressed the applicable CVEs.

Vulnerability Details

Summary

OpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes “FREAK: Factoring Attack on RSA-EXPORT keys” TLS/SSL client and server vulnerability. OpenSSL is used by System x Integrated Management Module (IMM). IMM has addressed the applicable CVEs.

Vulnerability Details:

CVE-ID: CVE-2015-0204

Description: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99707&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-3570

Description: An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.

CVSS Base Score: 2.6
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99710&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-3572

Description: OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.

CVSS Base Score: 1.2
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99705&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-8275

Description: OpenSSL could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. An attacker could exploit this vulnerability using non-DER or invalid encodings outside the signed portion of a certificate bypass security restrictions and perform unauthorized actions.

CVSS Base Score: 1.2
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99709&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)

Affected products and versions

The following IMM code levels may exhibit this issue:

• All versions 1.00 to 1.47

The following platforms may be affected:

• System x3500 M2, Type 7839, any model
• System x3500 M3, Type 7380, any model
• System x3550 M2, Type 4198, any model
• System x3550 M2, Type 7946, any model
• System x3550 M3, Type 4254, any model
• System x3550 M3, Type 7944, any model
• System x3630 M3, Type 7377, any model
• System x3650 M2, Type 4199, any model
• System x3650 M2, Type 7947, any model
• System x3650 M3, Type 4255, any model
• System x3650 M3, Type 5454, any model
• System x3650 M3, Type 7945, any model
• System x3690 X5, Type 7147, any model
• System x3690 X5, Type 7148, any model
• System x3690 X5, Type 7149, any model
• System x3690 X5, Type 7192, any model
• System x3850 X5, Type 7143, any model
• System x3850 X5, Type 7145, any model
• System x3850 X5, Type 7146, any model
• System x3850 X5, Type 7191, any model
• System x3950 X5, Type 7143, any model
• System x3950 X5, Type 7145, any model
• System x iDataPlex dx360 M2, Types 6380, any model
• System x iDataPlex dx360 M2, Types 7321, any model
• System x iDataPlex dx360 M2, Types 7323, any model
• System x iDataPlex dx360 M3, Types 6391, any model

Remediation/Fixes:

It’s recommended to update IMM to version 1.48 YUOOG8C or later. Firmware updates are available through IBM Fix Central - <http://www.ibm.com/support/fixcentral/&gt; .

Workaround(s) & Mitigation(s):

Disable the EXPORT cipher suites in the LDAP server side that is used by IMM.