CVE-2016-2183: how to fix it on Linux/Ubuntu

Microsoft fixed vulnerabilities in Windows

Microsoft has fixed serious vulnerabilities in Windows by releasing 16 updates. Five of these updates are rated Critical. MS16-063 updates the Internet Explorer 9-11 web browser, fixing ten vulnerabilities. Most of the fixed vulnerabilities are of the Remote Code Execution (RCE) type and can be used to execute code remotely in the web browser by means of a specially crafted web page. A reboot is required to apply the update.

The Critical update MS16-071 fixes a dangerous RCE vulnerability, CVE-2016-3227, in the Windows DNS service (Dns.exe) on Windows Server 2012. A special DNS request sent to the server can be used to exploit the vulnerability; on successful exploitation the attacker obtains the high Local System privileges in Windows. MS16-073 also updates the GUI driver win32k.sys, closing two LPE vulnerabilities through which attackers could run their own kernel-mode code in the system without authorization.

Update MS16-063 fixes ten vulnerabilities in the Internet Explorer 9-11 web browser, most of which are of the RCE type. Such vulnerabilities can be exploited using a specially crafted web page that allows code to be executed remotely in the web browser. Critical.

Update MS16-068 fixes eight similar RCE vulnerabilities in the Edge web browser. Two Information Disclosure vulnerabilities, CVE-2016-3201 and CVE-2016-3215, are present in the PDF viewing component; with their help an attacker can gain unauthorized access to user information. Critical.

Update MS16-069 fixes three RCE vulnerabilities, CVE-2016-3205, CVE-2016-3206 and CVE-2016-3207, in the VBScript Scripting Engine (VBScript.dll) and JavaScript (JScript.dll) engines. The vulnerabilities can be exploited with malicious content when using the Internet Explorer web browser. Critical.

Update MS16-070 fixes vulnerabilities in Microsoft Office 2007+. CVE-2016-0025 is of the RCE type and can be used for remote code execution via a specially crafted Office file in MS Word. Another vulnerability, CVE-2016-3235, is called Office OLE DLL Side Loading and allows an attacker to load their own dynamic library into the context of an Office process. Critical.

Update MS16-071 fixes a serious RCE vulnerability, CVE-2016-3227, in the DNS server service (dns.exe) on Windows Server 2012 and Windows Server 2012 R2. Attackers can remotely execute code on the server with the high Local System privileges by sending a specially crafted DNS request. The privileges obtained may allow exploit code to load kernel-mode code into Windows. Critical.

Update MS16-072 fixes an important Elevation of Privilege vulnerability, CVE-2016-3223, in the Group Policy component on Windows Vista+. Using the vulnerability, an attacker can elevate their privileges in the system through a man-in-the-middle (MiTM) attack against the traffic between the domain controller and the victim's machine. The attacker gains the rights to create a group policy that grants administrator rights to an ordinary user (Elevation of Privilege). Important.

Update MS16-073 fixes important vulnerabilities in Windows system components. Two vulnerabilities, CVE-2016-3218 and CVE-2016-3221, are present in the win32k.sys driver on Windows Vista+. Another Information Disclosure vulnerability is present in the Windows Virtual PCI system driver (Vpcivsp.sys) on Windows Server 2012. It allows an attacker to access memory contents they are not legitimately permitted to access. The vulnerabilities in win32k.sys allow an attacker to execute their code with the maximum SYSTEM privileges. Important.

Update MS16-074 fixes vulnerabilities in various Windows components. The Information Disclosure vulnerability CVE-2016-3216 is present in the Windows Graphics component (Gdi32.dll) on Windows Vista+ and allows an attacker to bypass the ASLR protection mechanism. Another LPE vulnerability, CVE-2016-3219, is present in the win32k.sys driver on Windows 10 and allows an attacker to run malicious code with SYSTEM privileges. One more LPE vulnerability, CVE-2016-3220, is present in the well-known Adobe Type Manager Library (atmfd.dll) on Windows Vista+. The library is used by win32k.sys, and the vulnerability allows attackers to run code in the system with maximum privileges. Important.

Update MS16-075 fixes one Elevation of Privilege vulnerability in the SMB Server component on Windows Vista+. The update covers system components such as the drivers Cng.sys, Ksecpkg.sys, Mrxsmb10.sys, Mrxsmb20.sys, Mrxsmb.sys, Srvnet.sys, Srv.sys, Srv2.sys, as well as the libraries Bcryptprimitives.dll, Lsasrv.dll and others. To exploit the vulnerability, an attacker needs to run a special malicious application that obtains system privileges in Windows. The application must send a special authentication request to the SMB server, which incorrectly handles credential forwarding requests. Important.

Update MS16-076 fixes one RCE vulnerability, CVE-2016-3228, in the Windows Netlogon component (Wdigest.dll, files from MS16-075) on Windows Server 2008 and Windows Server 2012. After successful authentication in the domain, an attacker can send a specially crafted NetLogon request to the domain controller and execute code on it. The vulnerability is rated Important because the attacker must already have access to the corporate network (domain). Important.

Update MS16-077 fixes two LPE vulnerabilities, CVE-2016-3213 and CVE-2016-3236, in the Web Proxy Auto Discovery (WPAD) protocol component on Windows Vista+. The update covers the system files with network functions Netbt.sys, Mswsock.dll, Ws2_32.dll, Winhttp.dll. Important.

Update MS16-078 fixes the LPE vulnerability CVE-2016-3231 in the Windows Diagnostics Hub Standard Collector service on Windows 10. The vulnerability allows an attacker to load their library into the context of the privileged service, after which they obtain maximum system privileges in Windows. Important.

Update MS16-079 fixes a number of important vulnerabilities in Microsoft Exchange Server 2007+. One vulnerability is of the Information Disclosure type and three others are of the Elevation of Privilege type. Important.

Update MS16-080 fixes three vulnerabilities in the Windows PDF component (Windows.data.pdf.dll, Glcndfilter.dll) on Windows 8.1+. The vulnerabilities can be exploited using a specially crafted PDF file. Two of them are of the Information Disclosure type and the third is RCE. Important.

Update MS16-081 fixes a Denial of Service vulnerability in the Active Directory service component (Ntdsai.dll) on the server editions Windows Server 2008 R2 and Windows Server 2012. An attacker can cause the server to hang by remotely creating several user accounts on it; the attacker must be authenticated in the domain. Important.

Update MS16-082 fixes the Denial of Service vulnerability CVE-2016-3230 in the Windows Search component (Structuredquery.dll) on Windows 7+. An attacker can cause the system to hang by running a special application on it. Important.

We recommend that our users install the updates as soon as possible and, if you have not yet done so, enable automatic update delivery via Windows Update (this option is enabled by default).


be secure.

SWEET32 Birthday Attack (CVE-2016-2183): Fix TLS vulnerability

Over 80% of websites on the internet are vulnerable to hacks and attacks. In our role as hosting support engineers for web hosts, we perform periodic security scans and updates in servers to protect them from hacks.

A recent bug affecting servers is the SWEET32 vulnerability. It exploits the weak ‘3DES-CBC’ cipher in TLS encryption and has caused many server owners to panic about their data security.

If you see that your website is failing security scans with this message, that means your server is vulnerable to SWEET32 attacks.

“SSL/TLS server supports short block sizes (SWEET32 attack)”

What is SWEET32 Birthday Attack (CVE-2016-2183)?

By default, servers have the ‘3DES-CBC’ cipher enabled in TLS. This makes HTTPS connections in those servers vulnerable to this SWEET32 bug.

Hackers can then easily decrypt your valuable data using a method called Birthday Attack. Here’s how it works:

The web server encrypts data using cryptographic keys. These keys are chosen randomly, and the probability of any two customers getting the same key is very low.

By misusing the SWEET32 vulnerability, an attacker can send in a large volume of dummy data and get blocks of cipher text that match those of a customer.

To break it down:

  1. The attacker sniffs all data sent to your customer.
  2. The attacker sends dummy data to your server until a key used for a customer matches the attacker’s session key.
  3. Once there’s a match, sensitive data can be decrypted by determining how the key was chosen.

[Figure: SWEET32 birthday attack]

Are your servers vulnerable to SWEET32 Birthday Attack (CVE-2016-2183)?

OpenSSL supports the vulnerable ‘Triple-DES’ ciphers for encrypting data. So if your web servers, such as Apache, Nginx, etc., use OpenSSL with the vulnerable ‘Triple-DES’ cipher support, your server is susceptible to attack.

If your servers are running OpenSSL versions prior to 1.0.1, which cannot support strong ciphers, your servers are already vulnerable to many other attacks too, such as CCS Injection Vulnerability.

The first thing we do is check the version of the OpenSSL server:

root@host ~ $ openssl version
OpenSSL 1.0.1f 6 Jan 2014

To examine the ciphers that are enabled in the OpenSSL server, we use the ‘nmap’ command. The code ‘3DES’ indicates cipher suites that use triple DES encryption. These are the ones we disable for server security.
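As an added example (not from the original article), here is how that nmap check can be automated: a Python parser over the output of nmap's ssl-enum-ciphers script that lists each 64-bit-block suite per protocol version and flags the worse case where the server's own first preference is one of them. The nmap output below is constructed for illustration, not captured from any real server.

```python
import re

# Constructed excerpt of `nmap --script ssl-enum-ciphers -p 443 <host>` output, in the
# format the script prints; it is not a capture from any real server.
NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1(?:\.\d)?):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\([^)]*\)\s+-\s+\S+")
PREF_RE = re.compile(r"cipher preference:\s+(\w+)")
# IANA suite names that use a 64-bit block cipher (3DES, single DES, IDEA, RC2).
WEAK_RE = re.compile(r"3DES|_DES_|IDEA|RC2")


def find_sweet32_suites(nmap_text):
    """Per protocol version: the suites offered, the 64-bit-block ones among them, and
    whether the server's own top preference is one of them (a weak suite that is merely
    offered is picked only when the client has nothing better; a preferred one is used
    with every client)."""
    report, proto = {}, None
    for line in nmap_text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            report[proto] = {"ciphers": [], "weak": [], "preference": "unknown"}
            continue
        if proto is None:
            continue                      # header lines before the script output
        m = CIPHER_RE.match(line)
        if m:
            report[proto]["ciphers"].append(m.group(1))
            if WEAK_RE.search(m.group(1)):
                report[proto]["weak"].append(m.group(1))
            continue
        m = PREF_RE.search(line)
        if m:
            report[proto]["preference"] = m.group(1)
    for entry in report.values():
        top = entry["ciphers"][0] if entry["ciphers"] else ""
        entry["weak_is_top_choice"] = entry["preference"] == "server" and bool(WEAK_RE.search(top))
    return report


if __name__ == "__main__":
    for proto, entry in find_sweet32_suites(NMAP_OUTPUT).items():
        print(f"{proto}: {len(entry['weak'])} SWEET32 suite(s) {entry['weak']}"
              f"{' and the server prefers one of them' if entry['weak_is_top_choice'] else ''}")
```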

Today, we are going to take a close look at how to secure different servers from the SWEET32 vulnerability:

  1. What is SWEET32 Birthday Attack?
  2. Are your servers vulnerable to SWEET32 attacks?
  3. How to fix the SWEET32 vulnerability
    • How to Secure Apache and Nginx Web Servers
    • How to Secure RedHat and CentOS Web Servers
    • How to Secure Debian and Ubuntu
    • How to Secure OpenSUSE Servers
    • How to Secure IIS Web Servers

How to fix the SWEET32 (CVE-2016-2183) Vulnerability

To secure confidential information from this critical SWEET32 birthday attack vulnerability, we disable all 64-bit block weak ciphers. For enhanced security, we allow only strong ciphers such as AES.

Though OpenSSL has disabled support for weak ciphers from version 1.1.0 release onwards, we’ve seen many servers still running older versions that are vulnerable.

For the servers that we manage, our expert technicians keep all server software updated, to protect them from attacks. If your servers are running vulnerable versions, you should disable these weak ciphers without delay.


How we secure Apache and Nginx web servers from the SWEET32 bug

In servers that are running Apache web server, here is how we secure them:

  1. To begin with, edit the Apache SSL configuration file at ‘/etc/apache2/mods-available/ssl.conf’.
  2. Go to the SSL section and ensure that old protocols such as SSLv2 and SSLv3 are disabled.
  3. Then, go to the CIPHER text section and update the entry with the relevant ‘SSLCipherSuite’.
  4. Restart the Apache web server.

In servers with Nginx web server, we do these steps:

  1. Edit the Nginx configuration file ‘/etc/nginx/nginx.conf’.
  2. Go to the SSL section, set the secure protocols, and update the Cipher text with the relevant ‘ciphers’ list.
  3. Restart the web server after saving the new settings.

How to fix the SWEET32 bug in RedHat and CentOS servers

RedHat and CentOS servers use their own OpenSSL package, which is updated from their repository using the ‘yum’ command. But RHEL/CentOS 5,6,7 versions use vulnerable OpenSSL packages.

To know the version of the OpenSSL package in the server, we execute the command:

root@host ~ $ rpm -qa | grep openssl
openssl-0.9.8e-20.el5_7.1

To immediately mitigate the SWEET32 Birthday attack (CVE-2016-2183) until the new OpenSSL secure package is made available in RedHat and CentOS repositories, we disable the weak ciphers in the services that use SSL.

The services we update with strong ciphers include web servers such as Apache and Nginx, mail servers such as Exim, POP/IMAP server, FTP server, etc.

Fixing SWEET32 vulnerability in Debian and Ubuntu servers

Ubuntu has different versions and the OpenSSL packages available in them are:

  • Ubuntu 15.10: libssl1.0.0 1.0.2d-0ubuntu1.2
  • Ubuntu 15.04: libssl1.0.0 1.0.1f-1ubuntu11.5
  • Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.16
  • Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.32

To check the version of the OpenSSL package in the server, we use the command:

dpkg -s openssl

If it is running older vulnerable versions, we update the OpenSSL package to the latest supported version.

The latest secure OpenSSL version is not yet available in these packages. So, as an immediate mitigation, we disable the weak ciphers in all public services with OpenSSL support.

Securing OpenSUSE servers from the SWEET32 bug

In OpenSUSE, the ‘zypper’ tool helps us to update and install the latest OpenSSL packages in the server.

We use this command to update your Suse server:

# zypper in -t patch secsp3-openssl1-12539=1

To mitigate the SWEET32 Birthday attack (CVE-2016-2183) vulnerability, we disable the 3DES and other weak ciphers from all the public SSL-based services.

How to protect IIS Web Servers from the SWEET32 bug

To disable weak ciphers in the Windows IIS web server, we edit the Registry corresponding to it. Here is how to do that:

  1. Click Start, click Run, type ‘regedit’ in the Open box, and then click OK.
  2. Locate the following security registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Registry edits must be done very carefully, as any mistake can leave the server non-functional. A server restart may be required for the changes to take effect.

The steps to restrict the ciphers and edit the registry can vary with the Windows version on your server. It is therefore recommended to do it only with expert assistance.

At Bobcares, our security experts are specialized in securing the servers of our customers. By taking proper backups of the registry and other relevant config, we ensure that the servers do not get messed up.

Conclusion

SWEET32 is a vulnerability in the 3DES-CBC ciphers, which are supported by most popular web servers. Today we’ve seen how we fix it on popular operating systems and web servers.

Older operating systems such as Windows XP use 3DES-CBC to establish connections. Researchers have shown that these connections can be easily decrypted during SWEET32 Birthday Attacks (CVE-2016-2183).

Bobcares helps online businesses of all sizes achieve world-class security and uptime, using tried and tested solutions. If you’d like to know how to make your server more reliable, we’d be happy to talk to you.


25 Comments

Tim on 2016-11-01 at 23:42

I made the regedit change to stop the IIS attack, then rescanned the server with Trustwave and it is still coming up as vulnerable. Any suggestions?

Reeshma on 2016-11-04 at 08:58

Tim, the registry edits and restricting the ciphers can vary with the Windows version you’re running on your server. Please feel free to contact our 24/7 support team here – https://bobcares.com/contact-us/ – for further assistance.

Morningstar on 2016-11-03 at 20:21

You need to add the registry DWORD ‘Enabled’ and set it to 0. So the full path for disabling it in IIS is
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168”, new DWORD Enabled = 0

Reeshma on 2016-11-04 at 09:28

Hi, the cipher setting varies with the Windows version on the server. In earlier versions, if you do not configure the Enabled value, the default is enabled. This setting is to disable that Triple DES cipher. If it is not enabled, then there is no need to worry.

Jason on 2016-11-03 at 23:58

I use Plesk 12.5 and have already used their recommendations for PCI compliance, which include updating the cipher text as you mentioned. However, their cipher text is much longer than the one that you have suggested: “EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES”. I am hesitant to change this for your much shorter cipher text. I found that merely adding “:!3DES” to the end of my cipher text removed all of the 3DES ciphers. This seems sufficient, but I thought I would get your thoughts on the matter.

Reeshma on 2016-11-04 at 09:14

Jason, since SWEET32 is based on the 3DES vulnerability, the key intention behind this article is how to avoid using that cipher on your servers. The AES cipher is considered a strong cipher as of now, and it comes in 128- and 256-bit variants. You can enable as many strong ciphers as you would like your server to support.

Bruno on 2016-11-30 at 02:40

Making this registry change to remediate the vulnerability breaks RDP. No more remote desktop when applied!
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168”
new DWORD Enabled = 0

Reeshma Mathews on 2016-12-02 at 10:54

Bruno, you may have to update the RDP packages to support the latest versions of TLS. Please feel free to contact our 24/7 support team here – https://bobcares.com/contact-us/ – for further assistance.

Coder Not Admin on 2016-12-06 at 04:05

Hey, Bob. Just wanted to say that this information helped me pass my TrustKeeper compliance test. Good stuff!

Reeshma on 2016-12-06 at 09:12

Thank you, happy to know that.

freakerzoid on 2016-12-14 at 12:28

I have 3 servers that are currently affected:
– Windows Server 2012R2
– Windows Server 2008R2
– Windows Server 2008

After making the registry changes, do I need to reboot the servers for the changes to take effect?

Reeshma on 2016-12-14 at 14:14

A server restart is not required for the cipher key changes to come into effect, but may be required for protocol key changes. However, as mentioned, you need to be very careful while editing the registry. Please feel free to contact our 24/7 support team here – https://bobcares.com/contact-us/ – for further assistance.

freakerzoid on 2016-12-15 at 13:02

I have encountered an issue. I have a Windows Server 2008R2 server that has been detected with this Sweet32 vulnerability. The following is the registry configuration:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
“Enabled”=dword:00000000
So for this scenario, how will I be able to disable the 3DES cipher? Kindly advise.

Reeshma on 2016-12-15 at 15:36

Hi, to disable the 128-bit weak cipher, edit the value in the ‘SCHANNEL\Ciphers\RC4 128/128’ subkey and change the DWORD value data to 0x0. Repeat this for all such entries related to weak ciphers.

freakerzoid on 2016-12-16 at 14:46

But isn’t that for disabling the RC4 cipher suite? And these 3 are already disabled. What I mean is I am unable to find the registry key below on W2K8 and W2K8R2 servers: \SCHANNEL\Ciphers\Triple DES 168. How could I resolve this issue?

Reeshma on 2016-12-16 at 15:07

Hi, For keys that are not being listed, you may have to manually add the cipher keys and disable them, as the default value is ‘Enabled’. Please feel free to contact our 24/7 support team here – https://bobcares.com/contact-us/ – for any further assistance.

Omar on 2023-07-10 at 14:08

Hi Reeshma. Below are the plugin names of my VAPT findings. I would appreciate it if you could advise on the steps, and what I should do to remediate both VAPT findings.
1) SSL Medium Strength Cipher Suites Supported (SWEET32), Port 3389. Description: The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
2) SSL Medium Strength Cipher Suites Supported (SWEET32), Port 4000. Description: The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.

Hiba Razak on 2023-07-10 at 16:44

Hi Omar,
Our experts can help you with the issue. We will be happy to talk to you through our live chat (click on the icon at the bottom right).

Jake on 2016-12-14 at 22:34

Planning on making this change, but would like to know if it will break Microsoft Exchange Server / mail flow?

Reeshma on 2016-12-15 at 09:26

Jake, it would depend on the Exchange server you’re running. SMTP support for TLS 1.1 and 1.2 was added in Exchange Server 2013 CU8 and Exchange Server 2010 SP3 RU9. So, if you update the ciphers and TLS versions, you may need to apply an update for the SMTP service or else mail may stop working. Please feel free to contact our 24/7 support team here – https://bobcares.com/contact-us/ – for a detailed investigation and further assistance.

Renuka Rathore on 2017-09-04 at 12:45

Dear Team, we are using RHEL5 and want to get rid of the Sweet32 vulnerability. For this we are trying to upgrade the openssl package from 1.0.1u to 1.1.0f, but we are facing a lot of issues. Could you please suggest an alternative?

Reeshma on 2017-09-04 at 14:03

Hi Renuka, it would require a check of your server software version and its dependencies. Please contact our server experts at https://bobcares.com/server-administration-service/ and they will secure your server from the Sweet32 bug.

Chaerulbachri on 2019-07-01 at 14:46

Hi, I have a Linux Red Hat server with a WebLogic service. Please, how do I solve the 3DES and RSA issue? Thanks.

Yoonz on 2021-04-01 at 00:26

Hello, I’m getting this vulnerability on my Windows Server 2012 R2 vSphere server. I tried looking through regedit, but my …/SCHANNEL/Ciphers/ folder only has (Default). Am I missing something, or is there somewhere else to fix this vulnerability?

Arya MA on 2021-04-23 at 10:18

Hi there, we would need to have a closer look at the server software version and its dependencies. If you still find problems, we’ll be happy to talk to you on chat (click on the icon at the bottom right).

SWEET32: Birthday attacks against TLS ciphers with 64bit block size (CVE-2016-2183)

Red Hat Product Security has been made aware of an issue with block ciphers within the SSL/TLS protocols that under certain configurations could allow a collision attack. This issue has been rated as Moderate and is assigned CVE-2016-2183. This issue requires no updates or action for users of Red Hat products at this time. Please see the Resolution section below for more details.

Background

Legacy block ciphers with a block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. All versions of the SSL/TLS protocol support cipher suites which use 3DES as the symmetric encryption cipher, and these suites are affected (for example ECDHE-RSA-DES-CBC3-SHA). In the versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7, DES-based ciphersuites are listed below the ones which support AES-128 (with PFS ciphersuite) and AES-256. This means that a DES cipher will be chosen only when the server explicitly disables AES-128 and AES-256. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, DES-based ciphersuites are listed below AES-256, but above AES-128. In that case DES will be chosen only when the server explicitly disables the AES-256 based ciphersuites.

The security of a block cipher depends on the key size (k). Therefore the best attack against a block cipher is the exhaustive key search attack, which has a complexity of 2^k. However, when block ciphers are used to encrypt large amounts of data using modes of encryption such as CBC, the block size (n) also plays a big part in determining their security.

When CBC mode of encryption is used, there is a simple birthday attack in which, after 2^(n/2) blocks of data are encrypted with the same key, a collision between two ciphertext blocks is expected. A collision in the output means that the inputs were the same. This fact, combined with several conditions (discussed below), can be used to extract plain text from the encrypted data.

Practicality of the attack

  1. Firstly DES/3DES is the only cipher used in SSL/TLS which has a block size of 64 bits. As discussed in the summary, ciphersuites containing 3DES are prioritized below other ciphersuites (AES-128 for example).
  2. To run the attack on 64 bit block ciphers, at least 32GB of data needs to be captured on the wire. In case of SSL/TLS this would mean from a single SSL/TLS session. (For all new sessions, SSL/TLS renegotiates the symmetric keys). Therefore long lived https connections could be vulnerable.
  3. In many contexts, recovering only the xor between two plain text blocks is not sufficient for an attack with a practical impact. However, an attack can be mounted when the following conditions are fulfilled:
    • A fixed secret is sent repeatedly;
    • Some fraction of the plain text is known.
  4. The proof of concept attack mentioned in the research paper assumes that some authentication token is passed between the server and client in all of its communications (the token could be a cookie or credentials used in basic authentication). The attacker then runs malicious JavaScript in the origin of the website which is being attacked. A BEAST-style attack can then be used to extract the cookie.
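The birthday bound from the Background section and the xor-recovery condition from points 2 and 3 above, worked through in an added Python example (not from the Red Hat advisory): it computes the 2^(n/2) figure for 64- and 128-bit blocks, then reproduces the CBC collision on a toy 16-bit block cipher, a keyed random permutation assumed here so that the collision appears after a few kilobytes instead of 32 GB, with constructed traffic in which a fixed secret is sent repeatedly alongside known filler.

```python
import math
import random

BLOCK_BITS = 16                    # toy block size; the SWEET32 target, 3DES, has n = 64


def birthday_bytes(block_bits):
    """Data volume after which a ciphertext-block collision is expected in CBC mode:
    2^(n/2) blocks of n/8 bytes.  For n = 64 that is 2^32 * 8 bytes = 32 GiB."""
    return (1 << (block_bits // 2)) * (block_bits // 8)


def collision_probability(blocks, block_bits):
    """Birthday bound: probability of at least one collision among q random n-bit
    values, 1 - exp(-q(q-1) / 2^(n+1))."""
    return 1.0 - math.exp(-blocks * (blocks - 1) / (1 << (block_bits + 1)))


def make_toy_cipher(key):
    """A keyed random permutation of 16-bit blocks stands in for a real block cipher
    (assumption: ideal cipher; the birthday argument depends only on the block size)."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(key).shuffle(table)
    return table.__getitem__


def cbc_encrypt(enc, iv, plain_blocks):
    """Textbook CBC: C_i = E(P_i xor C_{i-1}) with C_{-1} = IV."""
    out, prev = [], iv
    for p in plain_blocks:
        prev = enc(p ^ prev)
        out.append(prev)
    return out


def recover_secret(iv, cipher_blocks, known_plain):
    """Passive observer's step.  A collision C_i == C_j in CBC means
    P_i xor C_{i-1} == P_j xor C_{j-1}; if one of the two plaintext blocks is known,
    the other is P_known xor C_{i-1} xor C_{j-1}.  Returns (index, value) or None."""
    prev = [iv] + cipher_blocks[:-1]      # prev[i] is the value xored into P_i
    seen = {}                             # ciphertext value -> first index it appeared at
    for j, c in enumerate(cipher_blocks):
        i = seen.setdefault(c, j)
        if i == j:
            continue                      # first occurrence, no collision yet
        if (i in known_plain) != (j in known_plain):   # exactly one side is known
            k, u = (i, j) if i in known_plain else (j, i)
            return u, known_plain[k] ^ prev[i] ^ prev[j]
    return None


def demo(seed=1, n_blocks=4096):
    """Constructed traffic (not a capture): a fixed 16-bit secret, like a session cookie,
    sent in every other block, interleaved with filler blocks the observer knows.
    Returns (secret, recovered value, bytes captured, birthday bound in bytes)."""
    rng = random.Random(seed)
    enc = make_toy_cipher(rng.getrandbits(32))
    iv = rng.getrandbits(BLOCK_BITS)
    secret = rng.getrandbits(BLOCK_BITS)
    plain = [secret if i % 2 == 0 else rng.getrandbits(BLOCK_BITS) for i in range(n_blocks)]
    known = {i: p for i, p in enumerate(plain) if i % 2 == 1}
    hit = recover_secret(iv, cbc_encrypt(enc, iv, plain), known)
    recovered = hit[1] if hit else None
    return secret, recovered, n_blocks * BLOCK_BITS // 8, birthday_bytes(BLOCK_BITS)


if __name__ == "__main__":
    secret, recovered, captured, bound = demo()
    print(f"toy n=16: secret={secret:#06x}, recovered={recovered}, "
          f"captured {captured} B against a birthday bound of {bound} B")
    print(f"n=64 (3DES): collision expected after {birthday_bytes(64) >> 30} GiB; "
          f"P(collision) at 2^32 blocks = {collision_probability(2**32, 64):.2f}")
```

The same arithmetic with n = 128 gives 2^68 bytes for AES, which is why the advisory's mitigation is simply to prefer AES and drop 3DES rather than to cap session length.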

Mitigations

  1. SSL/TLS configurations should prefer AES over DES. Versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7 already do so.
  2. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 3DES is listed below the AES-256 cipher and above the AES-128 cipher, therefore AES-256 based ciphersuites should not be disabled on the server.
  3. Servers using OpenSSL, should not disable AES-128 and AES-256 ciphersuites. Versions of Apache shipped with Red Hat Enterprise Linux use the default cipher string, in which AES is preferred over DES/3DES-based ciphersuites.
  4. Disable 3DES. This can be achieved for Apache httpd by setting: SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

Resolution

  1. This flaw is related to the design of the DES/3DES cipher and is not an implementation flaw.
  2. This flaw does not directly affect any cryptographic libraries (OpenSSL, NSS and GnuTLS) in Red Hat Enterprise Linux 5, 6 and 7, since there are several stronger ciphersuites, which are placed higher than 3DES in the default cipher list configurations.
  3. For Red Hat Enterprise Linux 5, do not disable AES-256-based ciphersuites on the server. For Red Hat Enterprise Linux 6 and 7, do not disable AES-128 or AES-256-based ciphersuites on the server.
  4. It is advised to completely disable DES/3DES ciphers to avoid scenarios in which malicious clients can only offer vulnerable ciphers during TLS handshake.

Upstream Security fixes:

OpenSSL:

OpenSSL have rated this as a ‘low’ severity security issue. They have moved 3DES ciphersuites from the HIGH category to MEDIUM in the 1.0.2 branch, and will disable it by default in an upcoming release.

NSS:

Mozilla is implementing data limits for all ciphersuites.

Related Issues

Upstream OpenVPN is also susceptible to the Sweet32 attack and is being tracked by CVE-2016-6329. Red Hat’s implementation of OpenVPN is not affected by this flaw.

Vulnerability BDU:2017-01833

Vulnerability name: A vulnerability in the Network Security Services library set that allows an attacker to cause a denial of service or have another impact.

Vulnerability description: The vulnerability in the Network Security Services library set is caused by an out-of-bounds write in memory. It exists due to an incorrect Base64 decoding operation. Exploitation may allow a remote attacker to cause a denial of service or have another impact by means of a specially crafted certificate.
Vulnerable software:
  • Operating system: Canonical Ltd. Ubuntu 17.04
  • Operating system: Canonical Ltd. Ubuntu 16.10
  • Information-system application software: Mozilla Corp. Network Security Services before 3.21.4
  • Information-system application software: Mozilla Corp. Network Security Services from 3.22 to 3.28.4
  • Information-system application software: Mozilla Corp. Network Security Services from 3.29 to 3.29.5
  • Information-system application software: Mozilla Corp. Network Security Services from 3.30 to 3.30.1
  • Operating system: Red Hat Inc. Red Hat Enterprise Linux Server 6
  • Operating system: Red Hat Inc. Red Hat Enterprise Linux Server 7
  • Operating system: Debian GNU/Linux 8.0
  • Information-system application software: Oracle Corp. Oracle Communications Messaging Server 8.0
  • Operating system: Canonical Ltd. Ubuntu 14.04 ESM
  • Information-system application software: Oracle Corp. Oracle Directory Server Enterprise Edition 11.1.1.7
  • Operating system: Canonical Ltd. Ubuntu 16.04 ESM
  • Security appliance software, network appliance software: Juniper Networks Inc. Junos Space Security Director 21.1
  • Network tool, information-system application software: Oracle Corp. iPlanet Web Server 7.0
  • Operating system: Red Hat Inc. Red Hat Enterprise Linux Server 5

OS name and hardware platform type: Ubuntu 17.04 | Ubuntu 16.10 | Red Hat Enterprise Linux Server 6 | Red Hat Enterprise Linux Server 7 | Debian GNU/Linux 8.0 | Ubuntu 14.04 ESM | Ubuntu 16.04 ESM | Red Hat Enterprise Linux Server 5
Date identified: 11.05.2017.
CVSS 2.0: AV:N/AC:L/Au:N/C:P/I:P/A:P
Vulnerability severity level: High (CVSS 2.0 base score is 7.5)
