Security Bulletin: The IBM V840 product model number AE1 node is affected by a vulnerability in OpenSSL (CVE-2014-0224 = SSL/TLS MITM vulnerability)

Summary

Security vulnerability has been discovered in OpenSSL.

Vulnerability Details

**CVE-ID:**CVE-2014-0224

**DESCRIPTION:**FlashSystem V840-AE1 uses OpenSSL to protect connection from external management applications which use SMI-S to its CIM client.

Affected versions of OpenSSL do not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, a.k.a. the “CCS Injection” vulnerability.

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client and a vulnerable server. However, as of when this CVE was posted, all OpenSSL clients were vulnerable (i.e. in all versions of OpenSSL). And in code levels before 1.1.2.0, the FlashSystem 840 has a vulnerable OpenSSL server.

CVSS v2 Base Score: 6.8
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/93586&gt;
CVSS Vector: (AV:N/AC:M/AU:N/C:P/I:P/A:P)

Affected Products and Versions

_FlashSystem V840 including machine type models (all available code levels) _
9846-AE1 & 9848-AE1

Remediation/Fixes

Products

| VRMF| APAR| Remediation/First Fix
—|—|—|—
9846-AE1,
9848-AE1,| A code fix is now available, the VRMF of this code level is 1.1.2.2| N/A| _The recommended remediation is to apply this code fix for this OpenSSL vulnerability. _

Workarounds and Mitigations

A user could potentially restrict his network so that there is no opportunity for an attacker to insert himself as man-in-the-middle.