Security Bulletin: Vulnerability in RC4 stream cipher affects IBM i (CVE-2015-2808)

Published: 2019-12-18 14:26:38
Source: www.ibm.com

CVSS v2 Base Score: 5 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM i

Vulnerability Details

CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Releases 6.1, 7.1 and 7.2 of IBM i are affected.

Remediation/Fixes

*Note - 07/22/15: This document has been updated to include PTFs that fix an empty default cipher suite list.

*Note - 07/10/15: This document has been updated to include PTFs that remove RC4 from the default list.

The issue can be fixed for some applications by applying PTFs to IBM i. For the remaining applications, follow the steps in the Workarounds and Mitigations section.
Releases 6.1, 7.1 and 7.2 of IBM i are supported and will be fixed. Releases V4R1, V4R2, V4R3, V4R4, V5R1, V5R2, V5R3 and V5R4 are unsupported and will not be fixed.

The IBM i PTF numbers are:

IBM i OS and options:

Release 6.1 - SI57357, MF60331, MF60429
Release 6.1.1 - SI57357, MF60338, MF60431
Release 7.1 - SI57332, MF60335, MF60430
Release 7.2 - SI57320, MF60333, MF60334, MF60432

You should verify that applying this configuration change does not cause any compatibility issues. Leaving the RC4 stream cipher enabled leaves you exposed to the attack described above. IBM recommends that you review your entire environment to identify other areas where the RC4 stream cipher is enabled and take appropriate mitigation and remediation actions.

Mitigation instructions for IBM i:

There are at least four different SSL implementations used on IBM i.

- IBM i System SSL
- OpenSSL in PASE
- IBMJSSE2 – The default Java JSSE implementation
- Domino – contains an embedded SSL implementation. Also uses System SSL in some configurations.
- Other – Any 3rd party application could include an internal SSL implementation

IBM i System SSL

IBM i System SSL is a set of generic services provided in the IBM i Licensed Internal Code (LIC) to protect TCP/IP communications using the SSL/TLS protocol.

System SSL is accessible to application developers from the following programming interfaces and JSSE implementation:

- Global Security Kit (GSKit) APIs
- Integrated IBM i SSL_ APIs
- Integrated IBM i JSSE implementation (IBMi5OSJSSEProvider)

SSL applications created by IBM, IBM business partners, independent software vendors (ISV), or customers that use one of the three System SSL interfaces listed above will use System SSL. For example, FTP and Telnet are IBM applications that use System SSL. Not all SSL enabled applications running on IBM i use System SSL.

System SSL supports, and by default uses, up to five RC4 cipher suites depending on release level:

*ECDHE_ECDSA_RC4_128_SHA (default in 7.2 *TLSV1.2)
*ECDHE_RSA_RC4_128_SHA (default in 7.2 *TLSV1.2)
*RSA_RC4_128_SHA (default in 6.1/7.1/7.2, all protocol versions)
*RSA_RC4_128_MD5 (default in 6.1/7.1, all protocol versions)
*RSA_EXPORT_RC4_40_MD5 (not default; *TLSV1 and *SSLV3)

The application developer determines which cipher suites/algorithms the application supports when it is designed.

- Some applications expose the cipher suite configuration to the end user. For those applications RC4 can be disabled through that application-specific configuration.
- Many applications do not provide a configuration option for controlling the cipher suites. It is difficult to determine whether these applications support RC4.
- Many applications, such as FTP and Telnet, use the System SSL default cipher suites.

After loading the System SSL fixes listed in this bulletin, applications coded to use the default values will no longer negotiate the use of RC4 cipher suites with peers.
If RC4 support is required by peers of such an application after this PTF is applied, the values can be added back to the System SSL eligible default cipher suite list using the System Service Tools (SST) Advanced Analysis command SSLCONFIG. To change the System SSL settings with the Start System Service Tools (STRSST) command, follow these steps:

1. Open a character based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h

This shows the help screen that describes the input strings for the new System SSL setting -eligibleDefaultCipherSuites.

System SSL’s support of RC4 can be completely disabled at the system level using the system value QSSLCSL. In this case, RC4 is disabled for all applications including those with user configuration available for cipher suites.

How to change the QSSLCSL system value:

From a 5250 command line:

WRKSYSVAL SYSVAL(QSSLCSLCTL)

- Enter 5 to display QSSLCSLCTL. It shows one of two values:
  - *OPSYS: QSSLCSL is controlled by the operating system (the default).
  - *USRDFN: QSSLCSL is editable and controlled by the user.
- If the current value is *OPSYS, enter 2 to edit QSSLCSLCTL and change the value to *USRDFN.

WRKSYSVAL SYSVAL(QSSLCSL)

- Enter 5 to display QSSLCSL. This shows the current ordered list of cipher suites.
- If any cipher suite in the list contains the RC4 keyword, enter 2 to edit QSSLCSL.
- To remove a cipher suite, space over the cipher suite name and press Enter.

QSSLCSL value recommendation at the time of publication, by release:

R720

*ECDHE_ECDSA_AES_128_GCM_SHA256
*ECDHE_ECDSA_AES_256_GCM_SHA384
*ECDHE_RSA_AES_128_GCM_SHA256
*ECDHE_RSA_AES_256_GCM_SHA384
*RSA_AES_128_GCM_SHA256
*RSA_AES_256_GCM_SHA384
*ECDHE_ECDSA_AES_128_CBC_SHA256
*ECDHE_ECDSA_AES_256_CBC_SHA384
*ECDHE_RSA_AES_128_CBC_SHA256
*ECDHE_RSA_AES_256_CBC_SHA384
*RSA_AES_128_CBC_SHA256
*RSA_AES_128_CBC_SHA
*RSA_AES_256_CBC_SHA256
*RSA_AES_256_CBC_SHA
*ECDHE_ECDSA_3DES_EDE_CBC_SHA
*ECDHE_RSA_3DES_EDE_CBC_SHA
*RSA_3DES_EDE_CBC_SHA

R710

*RSA_AES_128_CBC_SHA256 (requires TR6 or later and *TLSV1.2)
*RSA_AES_128_CBC_SHA
*RSA_AES_256_CBC_SHA256 (requires TR6 or later and *TLSV1.2)
*RSA_AES_256_CBC_SHA
*RSA_3DES_EDE_CBC_SHA

R611 / R610

*RSA_AES_128_CBC_SHA
*RSA_AES_256_CBC_SHA
*RSA_3DES_EDE_CBC_SHA

Application configuration through Digital Certificate Manager (DCM)

7.1 TR6 and 7.2 have DCM options for controlling the cipher suites used by specific applications such as Telnet and FTP. Applications with a DCM application definition can use the DCM Update Application Definition panel to configure which cipher suites the application supports. If the DCM value includes a cipher suite that QSSLCSL has disabled, System SSL silently discards that cipher suite: QSSLCSL always wins.

For IBM HTTP Server for i, the cipher suites cannot be controlled through the DCM application ID; use the HTTP Server directives described next.

IBM HTTP Server for i

The following three HTTP Server directives can be used to specify ciphers to be used during SSL handshake.

SSLCipherSpec
SSLProxyCipherSpec
SSLCipherRequire

See http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaie/rzaiemod_ibm_ssl.htm?lang=en for the usage of the three directives.

If none of the three directives is specified in HTTP server configuration file (httpd.conf), HTTP server will use the System SSL default cipher suite list. In this case, modify system value QSSLCSL to remove all RC4 cipher suite values.

If any of the three directives are specified in HTTP server configuration file (httpd.conf), remove all RC4 ciphers from the directives.

Note:

HTTP server supports both a long name and a short name for some ciphers. All RC4 ciphers in either long name or short name format must be removed. For example, these two directives both refer to cipher *RSA_RC4_128_MD5.

SSLCipherSpec TLS_RSA_WITH_RC4_128_MD5
SSLCipherSpec 34

The full short name and long name mapping table is located in knowledge center: http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaie/rzaiemod_ibm_ssl.htm?lang=en

An abridged HTTP mapping for the RC4 ciphers is included here for convenience.

Short Name   Long Name
34           TLS_RSA_WITH_RC4_128_MD5
35           TLS_RSA_WITH_RC4_128_SHA
N/A          TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
N/A          TLS_ECDHE_RSA_WITH_RC4_128_SHA
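The following Python script is an added example, not part of the IBM bulletin and not IBM code. It performs the audit the section describes over an httpd.conf fragment: it walks the three cipher directives, resolves the short names 34 and 35 through the abridged table above, reports every RC4 suite with its line number, and writes out a cleaned configuration. It also reports the case where none of the three directives is present, since the server then inherits the System SSL default list and the fix belongs in QSSLCSL. The httpd.conf text is constructed for the example, and the assumption that each directive's arguments are whitespace-separated cipher names is mine.

```python
"""Audit IBM HTTP Server for i cipher directives for RC4.

Added example, not from the IBM bulletin. Assumes each directive line is
'<Directive> <token> [<token> ...]' with cipher names as tokens; the short
name mapping is the abridged RC4 table from the bulletin.
"""

DIRECTIVES = ("SSLCipherSpec", "SSLProxyCipherSpec", "SSLCipherRequire")

# Short numeric name -> long name for the RC4 suites (bulletin table).
RC4_SHORT_NAMES = {
    "34": "TLS_RSA_WITH_RC4_128_MD5",
    "35": "TLS_RSA_WITH_RC4_128_SHA",
}

# Constructed httpd.conf fragment for the example; not an IBM default file.
SAMPLE_HTTPD_CONF = """\
# constructed sample, not a real server configuration
Listen *:443
SSLEngine On
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_RC4_128_MD5
SSLCipherSpec 35
SSLProxyCipherSpec TLS_ECDHE_RSA_WITH_RC4_128_SHA
SSLCipherRequire TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""


def long_name(token):
    """Resolve a short numeric name to its long name; other tokens pass through."""
    return RC4_SHORT_NAMES.get(token, token)


def is_rc4(token):
    """True for an RC4 suite written as either a long name or a short name."""
    return "RC4" in long_name(token).upper()


def audit_httpd_conf(text):
    """Scan httpd.conf text for RC4 in the three cipher directives.

    Returns (findings, cleaned, uses_system_default):
      findings            - (line_no, directive, long_name) per RC4 argument
      cleaned             - config lines with RC4 arguments removed; a directive
                            whose only argument was RC4 is commented out
      uses_system_default - True when none of the directives is present, so the
                            server inherits the System SSL default list and the
                            fix belongs in QSSLCSL instead
    """
    findings, cleaned = [], []
    saw_directive = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        parts = stripped.split()
        if not parts or stripped.startswith("#") or parts[0] not in DIRECTIVES:
            cleaned.append(raw)          # blank, comment or unrelated directive
            continue
        saw_directive = True
        directive, args = parts[0], parts[1:]
        kept = []
        for tok in args:
            if is_rc4(tok):
                findings.append((line_no, directive, long_name(tok)))
            else:
                kept.append(tok)
        if kept:
            cleaned.append(f"{directive} {' '.join(kept)}")
        else:
            cleaned.append(f"# removed RC4-only directive: {stripped}")
    return findings, cleaned, not saw_directive


if __name__ == "__main__":
    found, fixed, default = audit_httpd_conf(SAMPLE_HTTPD_CONF)
    for line_no, directive, name in found:
        print(f"line {line_no}: {directive} allows {name}")
    if default:
        print("no cipher directives present: fix QSSLCSL instead")
    print("\n".join(fixed))
```

Re-running the audit over its own cleaned output is the quickest regression check: it must report nothing. Keep in mind that the script only looks at these three directives; a server with none of them is not clean, it is simply using the System SSL default list.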

IBM Collaboration Solutions (formerly Lotus software)

The native Domino SSL stack includes RC4 ciphers in the default cipher list.

RC4 ciphers can be disabled explicitly by removing them from the SSLCipherSpec notes.ini file setting. Please refer to these links for information on how to configure the SSLCipherSpec setting.

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration

http://www-01.ibm.com/support/docview.wss?uid=swg21254333

If Domino HTTP is using the System SSL stack then follow the System SSL instructions for disabling RC4 cipher suites.

WebSphere Application Server

The RC4 "Bar Mitzvah" attack on SSL/TLS may affect some configurations of WebSphere Application Server. NOTE: If FIPS 140-2, Suite B or SP800-131 is configured under Security > SSL certificate and key management, the server is not affected by this vulnerability; the same holds for Liberty's SSL communication.

Refer to Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Application Server (CVE-2015-2808) http://www.ibm.com/support/docview.wss?uid=swg21701503&myns=swgws&mynp=OCSSEQTP&mync=E&cm_sp=swgws--OCSSEQTP--E

OpenSSL

RC4 ciphers are supported by OpenSSL. If you have an OpenSSL application, you will need to disable RC4 programmatically.

Use SSL_CTX_set_cipher_list() or SSL_set_cipher_list() to specify a cipher list that does not contain the RC4 ciphers (for example, a cipher string that includes the "!RC4" exclusion).

See http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html

The ciphers actually configured can be checked programmatically with SSL_get_ciphers() or SSL_get_cipher_list().

See http://www.openssl.org/docs/ssl/SSL_get_ciphers.html
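An added example (not IBM's code and not from the OpenSSL project) of doing this check from Python, whose ssl module is a thin wrapper over the same OpenSSL calls: SSLContext.set_ciphers() is SSL_CTX_set_cipher_list(), and SSLContext.get_ciphers() enumerates what SSL_get_ciphers() would return. It assumes a Python built against OpenSSL; the cipher strings are this example's choice, not values from the bulletin.

```python
"""Exclude RC4 from an OpenSSL cipher list and verify the result.

Added example, not from the IBM bulletin or the OpenSSL project. Python's
ssl module maps set_ciphers() to SSL_CTX_set_cipher_list() and get_ciphers()
to the list SSL_get_ciphers() would enumerate, so the check runs offline.
"""
import ssl

# '!RC4' is a permanent exclusion (a later 'RC4' or '+RC4' cannot re-add it),
# unlike '-RC4'. '!EXPORT' also drops the 40-bit RC4 export suite.
# TLS 1.3 suites are not governed by this string; they are AES/ChaCha only.
HARDENED = "DEFAULT:!RC4:!EXPORT:!eNULL:!aNULL"


def make_context(cipher_string=HARDENED):
    """Build a client context and apply the cipher string (SSL_CTX_set_cipher_list)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx


def rc4_suites(ctx):
    """Names of the RC4 suites the context could still negotiate (empty if none)."""
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"].upper()]


def cipher_string_is_rc4_free(cipher_string):
    """True if the string selects at least one suite and none of them is RC4.

    OpenSSL rejects a string that selects no suite at all ("No cipher can be
    selected"); that is reported as False because such a context can never
    complete a handshake, so it is not a usable hardening.
    """
    try:
        return not rc4_suites(make_context(cipher_string))
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    ctx = make_context()
    print(f"{ssl.OPENSSL_VERSION}: {len(ctx.get_ciphers())} negotiable suites, "
          f"RC4: {rc4_suites(ctx) or 'none'}")
```

On a current OpenSSL build RC4 is often not compiled in at all, so get_ciphers() shows none even without the exclusion; the "!RC4" term still belongs in the string so the result does not depend on how the library was built.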

Potential Issues

Some customers find that one or more peer systems they communicate with only support or otherwise require RC4 cipher suites. Connections with those peer systems will no longer work after disabling RC4 cipher suites. For business critical connections that must continue to happen, RC4 cipher suites will have to remain enabled until that peer can upgrade to support AES cipher suites. In those cases the administrator can disable RC4 cipher suites on an application by application basis where cipher suite configuration exists. If RC4 must remain enabled, the RC4 cipher suite should be placed at the end of the list of cipher suites. This will result in RC4 only being selected if the peer does not support any of the cipher suites located higher up in the list.
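The following Python script is an added example, not part of the IBM bulletin and not IBM code. It serves both the QSSLCSL section above and this fallback: given an ordered QSSLCSL list as shown by WRKSYSVAL SYSVAL(QSSLCSL), it reports the RC4 entries, compares the list against the bulletin's R720 recommendation, and produces either the hardened list (RC4 removed) or, for a business-critical peer that still needs RC4, a list with the RC4 suites moved to the end so they are negotiated only when nothing stronger is shared. The sample list is constructed to resemble a 7.2 default that still carries RC4, and the CHGSYSVAL command string it emits is an assumption about CL syntax for list-valued system values, not text from the bulletin.

```python
"""Plan a QSSLCSL change for IBM i System SSL.

Added example, not from the IBM bulletin. Works on an ordered QSSLCSL list
and covers both actions the bulletin describes: remove RC4 outright, or keep
RC4 but move it to the end of the list for a legacy peer. The CHGSYSVAL
command text is an assumption about CL syntax; verify it on your release.
"""

# Bulletin's recommended R720 list, used as the comparison baseline.
R720_RECOMMENDED = [
    "*ECDHE_ECDSA_AES_128_GCM_SHA256",
    "*ECDHE_ECDSA_AES_256_GCM_SHA384",
    "*ECDHE_RSA_AES_128_GCM_SHA256",
    "*ECDHE_RSA_AES_256_GCM_SHA384",
    "*RSA_AES_128_GCM_SHA256",
    "*RSA_AES_256_GCM_SHA384",
    "*ECDHE_ECDSA_AES_128_CBC_SHA256",
    "*ECDHE_ECDSA_AES_256_CBC_SHA384",
    "*ECDHE_RSA_AES_128_CBC_SHA256",
    "*ECDHE_RSA_AES_256_CBC_SHA384",
    "*RSA_AES_128_CBC_SHA256",
    "*RSA_AES_128_CBC_SHA",
    "*RSA_AES_256_CBC_SHA256",
    "*RSA_AES_256_CBC_SHA",
    "*ECDHE_ECDSA_3DES_EDE_CBC_SHA",
    "*ECDHE_RSA_3DES_EDE_CBC_SHA",
    "*RSA_3DES_EDE_CBC_SHA",
]

# Constructed sample: a 7.2-style ordered list that still carries the three
# RC4 suites that were default in 7.2. Not a captured system value.
SAMPLE_QSSLCSL = (
    R720_RECOMMENDED[:6]
    + ["*ECDHE_ECDSA_RC4_128_SHA", "*ECDHE_RSA_RC4_128_SHA"]
    + R720_RECOMMENDED[6:14]
    + ["*RSA_RC4_128_SHA"]
    + R720_RECOMMENDED[14:]
)


def is_rc4(suite):
    return "RC4" in suite.upper()


def rc4_suites(qsslcsl):
    """RC4 entries in their current order."""
    return [s for s in qsslcsl if is_rc4(s)]


def strip_rc4(qsslcsl):
    """Hardened list: RC4 removed, everything else in its original order."""
    return [s for s in qsslcsl if not is_rc4(s)]


def demote_rc4(qsslcsl):
    """Legacy-peer fallback: RC4 kept, but only after every non-RC4 suite."""
    return strip_rc4(qsslcsl) + rc4_suites(qsslcsl)


def missing_from_recommended(qsslcsl, recommended=R720_RECOMMENDED):
    """Recommended suites absent from the current list (should be empty)."""
    present = set(qsslcsl)
    return [s for s in recommended if s not in present]


def plan(qsslcslctl, qsslcsl, keep_rc4_for_legacy_peer=False):
    """Steps to apply the change. QSSLCSL is only editable under *USRDFN."""
    steps = []
    if qsslcslctl != "*USRDFN":
        steps.append("CHGSYSVAL SYSVAL(QSSLCSLCTL) VALUE(*USRDFN)")
    new_list = demote_rc4(qsslcsl) if keep_rc4_for_legacy_peer else strip_rc4(qsslcsl)
    if new_list != list(qsslcsl):
        # Assumed CL syntax for a list-valued system value; confirm before use.
        steps.append(f"CHGSYSVAL SYSVAL(QSSLCSL) VALUE('{' '.join(new_list)}')")
    return steps, new_list


if __name__ == "__main__":
    print("RC4 present:", rc4_suites(SAMPLE_QSSLCSL))
    print("missing vs R720 recommendation:", missing_from_recommended(SAMPLE_QSSLCSL))
    for step in plan("*OPSYS", SAMPLE_QSSLCSL)[0]:
        print(step)
```

The demote_rc4() path is only the stopgap this paragraph describes; the plan() default removes RC4, and the legacy-peer option should be dropped as soon as the peer supports AES.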

How to determine if RC4 cipher suites are being negotiated by System SSL

There is no easy way to determine this. A trace that is active at the time the secure connection is made is required. Refer to the following Technote for PTF numbers and instructions:

How to determine the SSL protocol and cipher suite used for each System SSL connection to the IBM i

http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594

CPE: ibm i, version eq 7.1.0
