Security Bulletin
Summary
Sweet32 exposes a problem in the Triple DES algorithm for encrypted sessions that receive more than 2 GBytes of data. Once a session is beyond that amount of data, the algorithm allows for an intrusion in which the traffic can be more easily decrypted.
Vulnerability Details
CVEID: CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the Triple-DES 64-bit block cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
This problem affects the following distributed Communications Server products:
5725H32 - Communications Server for Data Center Deployment, V7.0
5765E51 - Communications Server for AIX, V6.4
5724I33 - Communications Server for Linux, V6.4
5724I34 - Communications Server for Linux on System z, V6.4
5639F25 - Communications Server for Windows, V6.4, V6.1.3
Remediation/Fixes
The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. Visit Fix Central to find these APARs (under Other Software brand).
Product ID Product name
------------- --------------------
5725H32 Communications Server for Data Center Deployment 7.0
- apply APAR IV07799 for AIX platforms
- - Package on Fix Central:
OS-GSKIT8-70-SWEET32-7003-AIX-UPDATE
- apply APAR LI79293 for Linux platforms
- - Package on Fix Central:
OS-GSKIT8-70-SWEET32-7003-I686-LINUX
OS-GSKIT8-70-SWEET32-7003-PPC64-LINUX
OS-GSKIT8-70-SWEET32-7003-S390X-LINUX
OS-GSKIT8-70-SWEET32-7003-X86_64-LINUX
5765E51 Communications Server for AIX V6.4
- - apply APAR IV91306 for level 6.4.0.7 on AIX platform
- - Package on Fix Central:
OS-GSKIT8-70-SWEET32-6407-AIX-UPDATE
5724I33 Communications Server for Linux V6.4
- - apply APAR LI79296 for level 6.4.0.7 on Linux platform
- - Packages on Fix Central:
OS-GSKIT8-70-SWEET32-6407-X86_64-LINUX
OS-GSKIT8-70-SWEET32-6407-PPC64-LINUX
OS-GSKIT8-70-SWEET32-6407-X86_64-LINUX
5724I34 Communications Server for Linux on System z V6.4
- - apply APAR LI79299 for level 6.4.0.7 on Linux platform
- - Package on Fix Central:
OS-GSKIT8-70-SWEET32-6407-S390X-LINUX
5639F25 Communications Server for Windows V6.4, V6.1.3
- apply APAR JR57102 for level 6.4.0.7 on Windows platform
- - Package on Fix Central:
OS-GSKIT8-70-SWEET32-6407-WINDOWS-UPDATE
- apply APAR JR57103 for level 6.1.3.5 on Windows platform
- - Package on Fix Central:
OS-GSKIT7-5-9-SWEET32-6135-WINDOWS-UPDATE
For previous versions of Communications Server for AIX, V6.3, we recommend you upgrade to Communications Server for Data Center Deployment, V7.
For previous versions of Communications Server for Linux, V6.2, we recommend you upgrade to Communications Server for Data Center Deployment, V7.
For previous versions of Communications Server for Linux on System z, V6.2, we recommend you upgrade to Communications Server for Data Center Deployment, V7.
For previous versions of Communications Server for Windows, V6.1.2, we recommend you upgrade to Communications Server for Windows, V6.4.
Once this fix is applied, if the secure socket connection supporting the TN3270 session receives more than 2 GBytes, the session will be disconnected with an error code:
Example: On a CS Linux server, the error message will look like this:
O/S send call failed with error code 0x01bd.
Here 0x01bd is hexadecimal for decimal 445, which is the GSK error GSK_ERROR_BYTECOUNT_EXHAUSTED.
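To separate these byte-limit disconnects from other send failures after the fix is installed, the sketch below (an added example, not IBM code) scans log lines for the message quoted above and decodes the hex code. The sample lines, their timestamp prefix and the 0x0068 code are constructed for illustration; only the message text and the 0x01bd / 445 mapping come from this bulletin.

```python
import re
from collections import Counter

# Message text and code are quoted from the bulletin; 0x01bd == 445.
GSK_ERROR_BYTECOUNT_EXHAUSTED = 445
SEND_FAILED = re.compile(
    r"O/S send call failed with error code (0x[0-9a-fA-F]+)")

# Constructed sample log lines; the timestamp prefix and the 0x0068 code
# are assumptions, only the message text comes from the bulletin.
SAMPLE_LOG = """\
2018-08-01 09:14:02 tn3270 session LU0012 started
2018-08-01 17:40:51 O/S send call failed with error code 0x01bd.
2018-08-02 03:05:10 O/S send call failed with error code 0x0068.
2018-08-02 11:22:33 O/S send call failed with error code 0x01BD.
""".splitlines()


def classify_send_failures(lines):
    """Return (line_no, decimal_code, label) for each send-failure line."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = SEND_FAILED.search(line)
        if not match:
            continue
        code = int(match.group(1), 16)  # hex string -> decimal GSK code
        if code == GSK_ERROR_BYTECOUNT_EXHAUSTED:
            label = "GSK_ERROR_BYTECOUNT_EXHAUSTED"
        else:
            label = "other send failure"
        findings.append((line_no, code, label))
    return findings


def summarize(lines):
    """Count findings per label so byte-limit disconnects stand out."""
    return Counter(label for _, _, label in classify_send_failures(lines))


if __name__ == "__main__":
    for line_no, code, label in classify_send_failures(SAMPLE_LOG):
        print(f"line {line_no}: code {code} (0x{code:04x}) -> {label}")
    print(dict(summarize(SAMPLE_LOG)))
```

Repeated GSK_ERROR_BYTECOUNT_EXHAUSTED entries point to long-lived or file-transfer sessions that reach the 2 GByte limit.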
Workarounds and Mitigations
For Communications Server for Data Center Deployment, V7, Communications Server for AIX, V6.4, Communications Server for Linux V6.4, Communications Server for Linux on System z, V6.4, Communications Server for Windows, V6.4, and Communications Server for Windows, V6.1.3 you can mitigate this vulnerability by limiting the amount of data on a TN3270 SSL session to no more than 2 GBytes. TN3270 sessions normally do not stay active long enough to have this amount of data received on a socket session. If a secure session could be active for months at a time or the session is used to do file transfers, then upgrade the product with this APAR fix.
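To judge which sessions the mitigation alone covers, the sketch below (an added example, not IBM code) estimates how long a session takes to receive 2 GBytes and, going beyond the bulletin's text, the birthday-bound chance of a ciphertext block collision for a 64-bit block cipher at that volume. The session names, rates and lifetimes are constructed, and 2 GBytes is taken as 2 GiB.

```python
import math

LIMIT_BYTES = 2 * 1024**3   # bulletin's 2 GByte limit, taken here as 2 GiB (assumption)

# Constructed session profiles: (name, average bytes/second received, lifetime in days)
SESSIONS = [
    ("interactive terminal", 200, 1),
    ("always-on session", 1024, 90),
    ("file transfer", 1024**2, 0.1),
]


def collision_probability(total_bytes, block_bits=64):
    """Birthday-bound estimate of a ciphertext block collision under one key."""
    blocks = total_bytes / (block_bits // 8)
    # p = 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps precision for tiny p
    return -math.expm1(-blocks * (blocks - 1) / 2.0 ** (block_bits + 1))


def days_until_limit(avg_bytes_per_second, limit_bytes=LIMIT_BYTES):
    """Days of continuous traffic before the session reaches the limit."""
    return limit_bytes / avg_bytes_per_second / 86400


def sessions_reaching_limit(sessions):
    """Names of sessions whose lifetime is long enough to hit the limit."""
    return [name for name, rate, lifetime_days in sessions
            if days_until_limit(rate) <= lifetime_days]


if __name__ == "__main__":
    print(f"3DES collision chance at 2 GiB: {collision_probability(LIMIT_BYTES):.4%}")
    for name, rate, lifetime_days in SESSIONS:
        print(f"{name}: limit reached after {days_until_limit(rate):.2f} days "
              f"(lifetime {lifetime_days} days)")
    print("apply the fix for:", sessions_reaching_limit(SESSIONS))
```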
References
Acknowledgement
None
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 03 August 2018
UID: swg21995057