Security Bulletin: Sweet32 vulnerability that impacts Triple DES cipher affects Communications Server for Data Center Deployment, Communications Server for AIX, Linux, Linux on System z, and Windows (CVE-2016-2183)

Security Bulletin

Summary

Sweet32 exposes a weakness in the Triple DES algorithm for encrypted sessions that receive more than 2 GBytes of data. Once a session has carried more than that amount of data, the traffic captured on it can be decrypted more easily.

Vulnerability Details

CVEID: CVE-2016-2183
DESCRIPTION:
OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the use of Triple-DES, a 64-bit block cipher, as part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This problem affects the following distributed Communications Server products:

5725H32 - Communications Server for Data Center Deployment, V7.0
5765E51 - Communications Server for AIX, V6.4
5724I33 - Communications Server for Linux, V6.4
5724I34 - Communications Server for Linux on System z, V6.4


5639F25 - Communications Server for Windows, V6.4, V6.1.3

Remediation/Fixes

The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. Visit Fix Central to find these APARs (under Other Software brand).

Product ID   Product name
-----------  --------------------------------------------------
5725H32      Communications Server for Data Center Deployment 7.0
  - apply APAR IV07799 for AIX platforms
    Package on Fix Central:
      OS-GSKIT8-70-SWEET32-7003-AIX-UPDATE
  - apply APAR LI79293 for Linux platforms
    Packages on Fix Central:
      OS-GSKIT8-70-SWEET32-7003-I686-LINUX
      OS-GSKIT8-70-SWEET32-7003-PPC64-LINUX
      OS-GSKIT8-70-SWEET32-7003-S390X-LINUX
      OS-GSKIT8-70-SWEET32-7003-X86_64-LINUX

5765E51      Communications Server for AIX V6.4
  - apply APAR IV91306 for level 6.4.0.7 on AIX platform
    Package on Fix Central:
      OS-GSKIT8-70-SWEET32-6407-AIX-UPDATE

5724I33      Communications Server for Linux V6.4
  - apply APAR LI79296 for level 6.4.0.7 on Linux platform
    Packages on Fix Central:
      OS-GSKIT8-70-SWEET32-6407-X86_64-LINUX
      OS-GSKIT8-70-SWEET32-6407-PPC64-LINUX

5724I34      Communications Server for Linux on System z V6.4
  - apply APAR LI79299 for level 6.4.0.7 on Linux platform
    Package on Fix Central:
      OS-GSKIT8-70-SWEET32-6407-S390X-LINUX

5639F25      Communications Server for Windows V6.4, V6.1.3
  - apply APAR JR57102 for level 6.4.0.7 on Windows platform
    Package on Fix Central:
      OS-GSKIT8-70-SWEET32-6407-WINDOWS-UPDATE
  - apply APAR JR57103 for level 6.1.3.5 on Windows platform
    Package on Fix Central:
      OS-GSKIT7-5-9-SWEET32-6135-WINDOWS-UPDATE

For previous versions of Communications Server for AIX, V6.3, we recommend you upgrade to Communications Server for Data Center Deployment, V7.

For previous versions of Communications Server for Linux, V6.2, we recommend you upgrade to Communications Server for Data Center Deployment, V7.

For previous versions of Communications Server for Linux on System z, V6.2, we recommend you upgrade to Communications Server for Data Center Deployment, V7.

For previous versions of Communications Server for Windows, V6.1.2, we recommend you upgrade to Communications Server for Windows, V6.4.

Once this fix is applied, if the secure socket connection supporting the TN3270 session receives more than 2 GBytes, the session will be disconnected with an error code.

Example: On a CS Linux server, the error message will look like this:

O/S send call failed with error code 0x01bd.

Here 0x01bd is hexadecimal for decimal 445, which is the GSK error GSK_ERROR_BYTECOUNT_EXHAUSTED.

Workarounds and Mitigations

For Communications Server for Data Center Deployment, V7, Communications Server for AIX, V6.4, Communications Server for Linux V6.4, Communications Server for Linux on System z, V6.4, Communications Server for Windows, V6.4, and Communications Server for Windows, V6.1.3, you can mitigate this vulnerability by limiting the amount of data on a TN3270 SSL session to no more than 2 GBytes. TN3270 sessions normally do not stay active long enough to have this amount of data received on a socket session. If a secure session could be active for months at a time, or the session is used to do file transfers, then upgrade the product with this APAR fix.
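The following added example (not IBM's code; it does not use GSKit or the Communications Server APIs) shows why a 64-bit block cipher such as Triple DES is at risk after a few GBytes on one session, emulates the post-fix byte-count guard that ends the session with GSK error 0x01bd (decimal 445), and scans constructed log lines for that error so operators can spot sessions hitting the limit. The 2 GByte threshold is assumed to be 2^31 bytes; the log lines are constructed for illustration.

```python
import re

# Assumption: the bulletin's "2 GBytes" is treated as 2^31 bytes.
SESSION_BYTE_LIMIT = 2 * 1024 ** 3
# Error code named in the bulletin: hex 0x01bd == decimal 445.
GSK_ERROR_BYTECOUNT_EXHAUSTED = 0x01bd
DES_BLOCK_BITS, AES_BLOCK_BITS = 64, 128


def collision_probability(bytes_sent: int, block_bits: int) -> float:
    """Birthday-bound estimate p ~ n^2 / (2 * 2^b): the chance that two
    ciphertext blocks collide after bytes_sent bytes through a b-bit block
    cipher in CBC mode. A collision is what Sweet32 exploits."""
    n = bytes_sent // (block_bits // 8)      # number of cipher blocks sent
    return min(1.0, n * n / (2 * 2 ** block_bits))


class SessionByteGuard:
    """Emulates the fixed product's behaviour: count the bytes sent on one
    Triple DES session and refuse further sends once the limit is reached."""

    def __init__(self, limit: int = SESSION_BYTE_LIMIT):
        self.limit, self.sent = limit, 0

    def send(self, nbytes: int) -> int:
        """Return 0 if the data may be sent, else the GSK error code."""
        if self.sent + nbytes > self.limit:
            return GSK_ERROR_BYTECOUNT_EXHAUSTED
        self.sent += nbytes
        return 0


# Matches the message quoted in the bulletin and captures the hex error code.
ERR_RE = re.compile(r"send call failed with error code 0x([0-9a-fA-F]+)")


def find_exhausted_sessions(log_lines):
    """Return the log lines whose error code is GSK_ERROR_BYTECOUNT_EXHAUSTED."""
    hits = []
    for line in log_lines:
        m = ERR_RE.search(line)
        if m and int(m.group(1), 16) == GSK_ERROR_BYTECOUNT_EXHAUSTED:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("3DES p(collision) at 2 GB:", collision_probability(SESSION_BYTE_LIMIT, DES_BLOCK_BITS))
    print("AES  p(collision) at 2 GB:", collision_probability(SESSION_BYTE_LIMIT, AES_BLOCK_BITS))
    guard = SessionByteGuard()
    print("send after limit ->", hex(guard.send(SESSION_BYTE_LIMIT) or guard.send(1)))
```

The 3DES figure at 2 GBytes is about 2^-9, many orders of magnitude above the AES value at the same volume, which is why the fix caps the session rather than trusting it to stay small.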

Acknowledgement

None

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
03 August 2018

UID

swg21995057