Security Bulletin: IBM Security Network Protection is affected by a NSS vulnerability (CVE-2014-3566)

Summary

A security vulnerability has been discovered in Network Security Services (NSS) used with IBM Security Network Protection. This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails.

Vulnerability Details

CVEID:CVE-2014-3566

**DESCRIPTION:**Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Affected Products and Versions

Products: IBM Security Network Protection (XGS) models 3100, 4100, 5100, 7100
Firmware versions: 5.2 and 5.3

Remediation/Fixes

IBM has provided fixes for all supported versions. Follow the installation instructions in the README files included with the fix.

• Firmware 5.2: 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008
• Firmware 5.3: Firmware Update 5.3.0.5 for IBM Security Network Protection products at version 5.3** **https://ibmss.flexnetoperations.com/

Workarounds and Mitigations

None