IBMDCDB6EA346DCAA8866D2DBE2D261DF12A599850328EA9E684CDBA078BDF350A0Security Bulletin: OpenSSL vulnerability in IBM SAN Volume Controller and Lenovo Storwize Family (CVE-2014-0224)
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.974 High
EPSS
Percentile
99.9%
Summary
An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
Vulnerability Details
Security Bulletin
Summary
Security vulnerability in OpenSSL
Vulnerability Details
CVE ID: CVE-2014-0224 DESCRIPTION: SSL/TLS MITM vulnerability
An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. SVC and Storwize systems use OpenSSL server functionality and some versions are vulnerable (see below).
CVE-2014-0224
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Affected Products and Versions
- IBM SAN Volume Controller
- Storwize V7000 for Lenovo
- Storwize V5000 for Lenovo
- Storwize V3700 for Lenovo
- Storwize V3500 for Lenovo
All products are affected when running code releases 6.4, 7.1, 7.2 and 7.3 except for versions 6.4.1.10, 7.1.0.10, 7.2.0.7 or 7.3.0.3 and above.
Remediation/Fixes
For IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, install the following code levels or higher:
- 7.1.0.10
- 7.2.0.7
- 7.3.0.3
Get the latest
- Latest SAN Volume Controller Code
- Latest Storwize V7000 Code
- Latest Storwize V5000 Code
- Latest Storwize V3700 Code
- Latest Storwize V3500 Code
Workarounds and Mitigations
Ensure that all users who have access to the system are authenticated by another security system such as a firewall.
Related
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.974 High
EPSS
Percentile
99.9%