History: Jun 16, 2018 - 9:51 p.m.

Security Bulletin: A vulnerability has been addressed in the GSKit component of IBM Security Directory Server (CVE-2016-2183)

www.ibm.com

7.5 High (CVSS3, score shown by this listing; IBM's own base score for this CVE is 3.7 with an AC:H/C:L vector, see Vulnerability Details below)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

IBM GSKit could allow a remote attacker to obtain sensitive information because the DES/3DES ciphers it offers as part of the SSL/TLS protocol use a 64-bit block size: once roughly 2^32 blocks (about 32 GB) have been encrypted under one key, block collisions become likely and each collision leaks the XOR of two plaintext blocks. This vulnerability is known as the SWEET32 Birthday attack.

Vulnerability Details

CVEID: CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the 64-bit block size of the DES/3DES ciphers used as part of the SSL/TLS protocol. By capturing a large volume of encrypted traffic between the SSL/TLS server and the client on a single long-lived connection, a remote attacker positioned as a man-in-the-middle could exploit this vulnerability to recover plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116337> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Tivoli Directory Server 6.2 and 6.3
IBM Security Directory Server 6.3.1 and 6.4
IBM Security Directory Suite 8.0 and 8.0.1

Remediation/Fixes

Product | APAR | V.R.M.F | Remediation
---|---|---|---
IBM Tivoli Directory Server 6.2 | IO24996 | 6.2.0.52 | 6.2.0.52-ISS-ITDS-IF0052
IBM Tivoli Directory Server 6.3 | IO24997 | 6.3.0.45 | 6.3.0.45-ISS-ITDS-IF0045
IBM Security Directory Server 6.3.1 | IO25027 | 6.3.1.20 | 6.3.1.20-ISS-ISDS-IF0020
IBM Security Directory Server 6.4 | IO24983 | 6.4.0.11 | 6.4.0.11-ISS-ISDS-IF0011
IBM Security Directory Suite 8.0 | | | Contact IBM Support
IBM Security Directory Suite 8.0.1 | IO25028 | 8.0.1.1 | 8.0.1.1-ISS-ISDS_20170301-2234

Workarounds and Mitigations

Use either of the following methods to disallow DES/3DES ciphers on the directory server:

A) Enable FIPS mode, or

B) Remove the following cipher specs from the server configuration, ibmslapd.conf (the RC4 and RC2 entries are not SWEET32-relevant, but they are equally weak and are dropped at the same time):
ibm-slapdSslCipherSpec: RC4-40-MD5
ibm-slapdSslCipherSpec: RC4-128-MD5
ibm-slapdSslCipherSpec: RC4-128-SHA
ibm-slapdSslCipherSpec: RC2-40-MD5
ibm-slapdSslCipherSpec: DES-56
ibm-slapdSslCipherSpec: TripleDES-168

and restrict the client ciphers using the environment variable:
export LDAP_OPT_SSL_CIPHER=352F

Read as two-hex-digit cipher suite codes, 352F selects the AES-256 (0x35, TLS_RSA_WITH_AES_256_CBC_SHA) and AES-128 (0x2F, TLS_RSA_WITH_AES_128_CBC_SHA) CBC suites only, so no 64-bit-block cipher remains on the client side either.
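The following is an added example, not code from the IBM bulletin or the product: a small audit script that applies workaround B to an ibmslapd.conf fragment (dropping exactly the cipher specs listed above and keeping everything else), decodes an LDAP_OPT_SSL_CIPHER value so the client-side setting can be checked too, and computes the SWEET32 data budget that makes 3DES dangerous. The config fragment is constructed for the example; the AES-128/AES-256 spec names in it, and the reading of LDAP_OPT_SSL_CIPHER as a run of two-hex-digit IANA cipher suite codes (consistent with the page's 352F value), are assumptions, while the suite IDs themselves are the standard IANA assignments.

```python
import re

# Cipher specs the bulletin says to remove from ibmslapd.conf (workaround B).
WEAK_SLAPD_CIPHER_SPECS = {
    "RC4-40-MD5", "RC4-128-MD5", "RC4-128-SHA",
    "RC2-40-MD5", "DES-56", "TripleDES-168",
}

# Assumption (not stated on the page): LDAP_OPT_SSL_CIPHER is a string of
# two-hex-digit codes, each the low byte of the IANA TLS cipher suite ID,
# so "352F" means 0x0035 followed by 0x002F. Names are the IANA assignments.
IANA_SUITES = {
    0x03: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x04: "TLS_RSA_WITH_RC4_128_MD5",
    0x05: "TLS_RSA_WITH_RC4_128_SHA",
    0x06: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x09: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x2F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x3C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x3D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
}
# Suites built on a 64-bit-block cipher (DES, 3DES, RC2) or on RC4; the first
# group is what SWEET32 targets, RC4 is included because the bulletin removes
# it in the same step.
WEAK_SUITE_IDS = {0x03, 0x04, 0x05, 0x06, 0x09, 0x0A}

SPEC_RE = re.compile(r"^ibm-slapdSslCipherSpec:\s*(\S+)\s*$", re.IGNORECASE)


def audit_slapd_conf(text):
    """Apply workaround B: return (cleaned_text, removed_specs, kept_specs)."""
    kept_lines, removed, kept = [], [], []
    for line in text.splitlines():
        m = SPEC_RE.match(line)
        if m:
            spec = m.group(1)
            if spec in WEAK_SLAPD_CIPHER_SPECS:
                removed.append(spec)      # drop the weak spec line entirely
                continue
            kept.append(spec)
        kept_lines.append(line)           # all other lines pass through unchanged
    return "\n".join(kept_lines) + "\n", removed, kept


def decode_client_cipher_env(value):
    """Decode an LDAP_OPT_SSL_CIPHER string into (suite_id, suite_name) pairs."""
    if len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", value):
        raise ValueError("expected an even-length hex string, got %r" % value)
    ids = [int(value[i:i + 2], 16) for i in range(0, len(value), 2)]
    return [(sid, IANA_SUITES.get(sid, "unknown 0x%04X" % sid)) for sid in ids]


def weak_client_suites(value):
    """Names of any SWEET32/RC4-class suites still enabled on the client."""
    return [name for sid, name in decode_client_cipher_env(value) if sid in WEAK_SUITE_IDS]


def sweet32_budget_bytes(block_bits=64):
    """Bytes after which a block collision is expected under one key
    (birthday bound: 2^(n/2) blocks of n/8 bytes). 64-bit blocks -> 32 GiB."""
    return (2 ** (block_bits // 2)) * (block_bits // 8)


# Constructed sample of an ibmslapd.conf SSL stanza, not taken from a real server.
SAMPLE_CONF = """\
dn: cn=SSL, cn=Configuration
cn: SSL
ibm-slapdSecurity: SSL
ibm-slapdSslCipherSpec: AES-128
ibm-slapdSslCipherSpec: AES-256
ibm-slapdSslCipherSpec: RC4-128-SHA
ibm-slapdSslCipherSpec: DES-56
ibm-slapdSslCipherSpec: TripleDES-168
ibm-slapdSslPort: 636
"""

if __name__ == "__main__":
    cleaned, removed, kept = audit_slapd_conf(SAMPLE_CONF)
    print("removed specs:", removed)
    print("kept specs:   ", kept)
    print(cleaned)
    print("LDAP_OPT_SSL_CIPHER=352F ->", decode_client_cipher_env("352F"))
    print("weak suites in 352F0A:", weak_client_suites("352F0A"))
    print("SWEET32 budget for 64-bit blocks: %d GiB" % (sweet32_budget_bytes() // 2**30))
```

After editing the real ibmslapd.conf and restarting the server, confirm from the network that the 3DES suite is no longer negotiable, for example with `openssl s_client -connect host:636 -cipher 'DES-CBC3-SHA'` on an OpenSSL build that still has 3DES enabled at its security level; the handshake must fail. Also check any clients that set LDAP_OPT_SSL_CIPHER themselves, since the server-side removal alone does not clean up a client list that still names 0A.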
