Security Bulletin: Securing your products against OpenSSL and TLS vulnerabilities

Abstract

OpenSSL vulnerabilities are disclosed by the OpenSSL Project and affect the products listed below.  This includes the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol (CVE-2015-4000). This also includes the alternate chains certificate forgery vulnerability (CVE-2015-1793). The affected products have addressed the applicable CVEs.

TLS connections using the Diffie-Hellman key exchange protocol were found to be vulnerable to a man-in-the-middle attack. An attacker could potentially downgrade vulnerable TLS connections to 512-bit export-grade cryptography. The apache and nginx web servers and OpenSSL use Diffie-Hellman Export ciphers and as such can become vulnerable to this attack by an attacker using pre-computed 512-bit primes.

Vulnerability Details

CVEID: CVE-2016-2183
DESCRIPTION: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

  • CVSS v3 Base Score: 5.3 Medium
  • Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Impact Score: 1.4
  • Exploitability Score: 3.9

CVEID: CVE-2016-2017
DESCRIPTION: OpenSSL before 1.0.1t and before 1.0.2h have been found to be vulnerable to a padding-oracle attack on CBC mode decryption. This could allow attackers to decrypt client data sent to the server.

  • CVSS v3 Base Score: 8.1 High
  • Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  • Impact Score: 5.2
  • Exploitability Score: 2.8


CVEID: CVE-2015-1793
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by an implementation error of the alternative certificate chain logic. An attacker could exploit this vulnerability to bypass the CA flag and other specific checks on untrusted certificates and issue an invalid certificate.

  • CVSS Base Score: 7.5
  • CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104500 for the current score
  • CVSS Environmental Score*: Undefined
  • CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2015-4000
DESCRIPTION: TLS version 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

  • CVSS Base Score: 4.3
  • Impact Subscore: 2.9
  • Exploitability Subscore: 8.6
  • CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected products and versions

  • IBM Aspera Faspex Application 3.9.2 and earlier
  • IBM Aspera Shares 1.9.3 and earlier
  • IBM Aspera Proxy 1.2.2 and earlier
  • IBM Aspera Enterprise Server Client 3.5.5 and earlier
  • IBM Aspera Point to Point 3.5.5 and earlier
  • IBM Aspera Enterprise Server 3.5.5 and earlier
  • IBM Aspera OnDemand 3.5.4 and earlier
  • IBM Aspera Orchestrator 2.3.0 and earlier
  • IBM Aspera Console 3.0.1 and earlier

Remediation

Use the Elliptic-curve Diffie-Hellman (ECDH) ciphers and disable weak Diffie-Hellman export ciphers in all SSH, apache and nginx servers used by the IBM Aspera Server products.

The next major release to all IBM Aspera Server products will default to this configuration. Until that time, you can protect your servers by using the following as a reference of which ciphers to use for each affected product.

apache 2.2 (Faspex, Console, Orchestrator)

1. Configuration

The file to modify is found at the following:

  • Linux: /opt/aspera/common/apache/conf/extra/httpd-ssl.conf
  • Windows: C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\extra\httpd-ssl.conf

Add the following configurations to the file:

SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

SSLHonorCipherOrder on

Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff

2. Add entropy

Add entropy for stronger Diffie-Hellman randomness by running the following commands:

# openssl dhparam -out dhparams.pem 2048
# cat dhparams.pem >> /opt/aspera/common/apache/conf/server.crt
(or wherever SSLCertificateFile is pointing)

Nginx (Shares)

1. Add entropy

Add entropy for stronger Diffie-Hellman randomness by running the following commands:

# cd /opt/aspera/shares/etc/nginx
# /opt/aspera/shares/bin/openssl dhparam -out dhparams.pem 2048

2. Configuration

The file to modify is found at the following:

  • Linux: /opt/aspera/shares/etc/nginx/nginx.conf
  • Windows: C:\Shares\nginx\conf\nginx.conf

Add the following configurations to the file:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;

ssl_prefer_server_ciphers on;

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

ssl_dhparam dhparams.pem;

If you are on Shares 1.9.3 or earlier, you are vulnerable to a padding-oracle attack on CBC mode decryption (CVE-2016-2017 above). Shares 1.9.4 and above use an upgraded version of OpenSSL and are not exposed to this vulnerability.

If you can't upgrade Shares immediately, restricting Shares to TLS 1.2 is a mitigation, as TLS 1.2 does not make use of the vulnerable AES-CBC cipher modes.

You can modify Shares to use TLS 1.2 exclusively by modifying the nginx.conf file:

  • Linux: /opt/aspera/shares/etc/nginx/nginx.conf
  • Windows: C:\Shares\nginx\conf\nginx.conf

NOTE: If you have Shares users on old browsers they may not be able to connect if you use TLS 1.2 exclusively. You can check TLS 1.2 support here.

Modify the ssl_protocols line so it only defines TLSv1.2:

ssl_protocols TLSv1.2;
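To verify that a Shares nginx.conf actually carries the directives above (and, for the Shares 1.9.3 and earlier mitigation, only TLSv1.2), here is an added Python checker; it is not part of this bulletin or of the Aspera products, and the embedded config excerpt is a constructed sample made from the directives listed above. It also flags a directive that lacks its terminating semicolon, which nginx would reject.

```python
# Constructed excerpt of the nginx directives this bulletin adds to
# /opt/aspera/shares/etc/nginx/nginx.conf (sample input, not a real file).
SAMPLE_CONF = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
ssl_dhparam dhparams.pem;
"""
CHECKED = ("ssl_protocols", "ssl_ciphers", "ssl_prefer_server_ciphers", "ssl_dhparam")
# Cipher-string components that reintroduce this bulletin's issues: export suites (Logjam), DES/3DES (Sweet32), RC4, anonymous/null suites, bare ALL.
WEAK = ("EXP", "EXPORT", "DES", "3DES", "RC4", "ADH", "aNULL", "eNULL", "NULL", "ALL")

def parse(text):
    """Return ({directive: value}, errors); a checked directive without ';' is an error."""
    found, errors = {}, []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0] not in CHECKED:
            continue  # not a directive this check cares about
        name, value = parts
        if not value.endswith(";"):  # nginx rejects the file, so record it explicitly
            errors.append("missing ';' after " + name)
            continue
        found[name] = value[:-1].strip()
    return found, errors

def weak_cipher_tokens(cipher_string):
    """Tokens of an OpenSSL cipher string that enable (not '!'-exclude) a weak component."""
    bad = []
    for tok in cipher_string.split(":"):
        # 'EXP-DES-CBC-SHA' or 'ECDH+AES256' is split into its components
        if not tok.startswith("!") and any(c in WEAK for c in tok.replace("+", "-").split("-")):
            bad.append(tok)
    return bad

def audit(text, tls12_only=False):
    """Findings against the bulletin's guidance (empty list = compliant); tls12_only enforces 'ssl_protocols TLSv1.2;'."""
    d, findings = parse(text)
    protos = set(d.get("ssl_protocols", "SSLv3").split())  # a missing directive is treated as unsafe
    if any(p.startswith("SSLv") for p in protos):
        findings.append("SSLv2/SSLv3 enabled or ssl_protocols missing")
    if tls12_only and protos != {"TLSv1.2"}:
        findings.append("expected 'ssl_protocols TLSv1.2;' for the CBC padding-oracle mitigation")
    findings += ["weak cipher component enabled: " + t for t in weak_cipher_tokens(d.get("ssl_ciphers", "ALL"))]
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing (2048-bit dhparams.pem expected)")
    return findings
```

Run `audit(open("/opt/aspera/shares/etc/nginx/nginx.conf").read())` after editing; the same cipher string is used by the Apache snippet above, but this checker parses only nginx syntax.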

asperanoded, asperahttpd

1. Configuration

The file to modify is found at the following:

  • Linux: /opt/aspera/etc/aspera.conf
  • Windows: C:\Program Files (x86)\Aspera\product_name\etc\aspera.conf
  • Mac: /Library/Aspera/etc/aspera.conf

This is the default in aspera.conf:

<ssl_protocol>tlsv1</ssl_protocol>
<ssl_ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</ssl_ciphers>

2. Add entropy

Add entropy for stronger Diffie-Hellman randomness by running the following commands:

# openssl dhparam -out dhparams.pem 2048
# cat dhparams.pem >> /opt/aspera/etc/aspera_server_cert.pem

Cygwin-SSH server (Windows Enterprise Server or Point to Point 3.5/3.5.6)

1. Configuration

The file to modify is found at the following:

  • C:\Program Files (x86)\Aspera\<Enterprise Server or Point to Point>\etc\sshd_config

Locate the following in the file:

KexAlgorithms diffie-hellman-group1-sha1

and change it to the following:

KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

2. Remove insecure primes

Remove all DH Group Exchange primes of less than 2000 bits from the following file:

  • C:\Program Files (x86)\Aspera\<Enterprise Server or Point to Point>\etc\moduli
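An added Python script (not Aspera tooling) that applies the step above to an OpenSSH moduli file: it drops group-exchange entries whose prime is shorter than 2000 bits and keeps every other line unchanged. The embedded moduli lines are a constructed sample with placeholder modulus values; the assumption that the size column holds the bit length minus one (2047 for a 2048-bit prime) matches the files ssh-keygen produces.

```python
import sys

# Constructed sample in OpenSSH moduli format (hypothetical entries; the modulus
# column is a placeholder, real entries carry the full hexadecimal prime).
# Columns: time type tests tries size generator modulus
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20150601000000 2 6 100 1023 2 C0FFEE
20150601000000 2 6 100 1535 2 C0FFEE
20150601000000 2 6 100 2047 2 C0FFEE
20150601000000 2 6 100 4095 5 C0FFEE
"""
MIN_BITS = 2000  # the bulletin's threshold for DH group-exchange primes

def prime_bits(fields):
    """The 'size' column stores the bit length minus one: 2047 means a 2048-bit prime."""
    return int(fields[4]) + 1

def filter_moduli(text, min_bits=MIN_BITS):
    """Split moduli text into (kept_lines, dropped_lines). Comment and blank lines are
    kept unchanged; data lines whose prime is shorter than min_bits are dropped."""
    kept, dropped = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        if len(fields) != 7:
            raise ValueError("malformed moduli line: " + stripped)
        (kept if prime_bits(fields) >= min_bits else dropped).append(line)
    return kept, dropped

def kept_prime_sizes(text, min_bits=MIN_BITS):
    """Bit lengths of the primes that survive filtering, in file order."""
    kept, _ = filter_moduli(text, min_bits)
    return [prime_bits(l.split()) for l in kept if l.strip() and not l.strip().startswith("#")]

if __name__ == "__main__":
    # Usage: python filter_moduli.py <moduli file>; writes <moduli file>.filtered
    path = sys.argv[1]
    with open(path) as fh:
        kept, dropped = filter_moduli(fh.read())
    with open(path + ".filtered", "w") as out:
        out.write("\n".join(kept) + "\n")
    print("dropped %d weak entries; filtered copy written to %s.filtered" % (len(dropped), path))
```

Review the .filtered copy before replacing the original moduli file, and keep a backup of the original.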

Appendix

References

Related Information

Change History

23 June 2015:  Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an 'industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.' IBM PROVIDES THE CVSS SCORES 'AS IS' WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
