SecurityTracker.com
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
SecurityTracker Alert ID:  1036696
SecurityTracker URL:  http://securitytracker.com/id/1036696
CVE Reference:   CVE-2016-2183
Date:  Aug 26 2016
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in OpenSSL. A remote user can decrypt transmitted data in certain cases.

A remote user who can monitor the network and capture a long-duration 3DES CBC mode encrypted session, over which some amount of known plaintext is communicated, can recover some plaintext in certain cases.

Over the duration of a long-lived connection, a cipher block collision may occur, allowing the remote user to recover the exclusive OR between the two plaintext blocks. If the communications protocol sends a fixed plaintext portion (e.g., a secure cookie) repeatedly and also sends some amount of known plaintext, the user can recover the secret plaintext.

[Editor's note: The report confirms a successful attack to recover secure HTTP cookies by capturing 785 GB of network traffic.]

The attack method is known as a SWEET32 attack.

64-bit block ciphers, such as 3DES and Blowfish, are affected by this type of attack.
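
The collision property described above can be reproduced at small scale. The following is an added example, not code from the advisory or from OpenSSL: it uses a constructed 16-bit toy Feistel cipher (the names `toy_encrypt_block`, `find_collisions` and `expected_collisions` are hypothetical) so that collisions appear after a few hundred blocks, and it shows that two equal CBC ciphertext blocks reveal the XOR of the corresponding plaintext blocks from ciphertext alone.

```python
import hashlib
import random

BLOCK_BITS = 16                 # toy size; 3DES and Blowfish use 64-bit blocks
HALF = BLOCK_BITS // 2
MASK = (1 << HALF) - 1

def toy_encrypt_block(key: bytes, block: int) -> int:
    """4-round Feistel permutation on BLOCK_BITS bits (toy cipher, not secure)."""
    left, right = block >> HALF, block & MASK
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0] & MASK
        left, right = right, left ^ f
    return (left << HALF) | right

def cbc_encrypt(key: bytes, iv: int, blocks):
    """CBC mode: C[k] = E(P[k] xor C[k-1]), with C[-1] = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt_block(key, p ^ prev)
        out.append(prev)
    return out

def find_collisions(iv: int, ciphertext):
    """Return (i, j, P[i] xor P[j]) for equal ciphertext blocks, using only
    the ciphertext: C[i] == C[j] implies P[i]^P[j] == C[i-1]^C[j-1]."""
    chain = [iv] + ciphertext   # chain[k] is the block that precedes C[k]
    seen, hits = {}, []
    for j, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            hits.append((i, j, chain[i] ^ chain[j]))
        else:
            seen[c] = j
    return hits

def expected_collisions(n_blocks: int, block_bits: int) -> float:
    """Birthday estimate: number of block pairs divided by 2**block_bits."""
    return n_blocks * (n_blocks - 1) / 2 / 2 ** block_bits

def demo(n_blocks: int = 2000, seed: int = 1):
    rng = random.Random(seed)   # constructed key, IV and plaintext
    key, iv = b"constructed-key", rng.getrandbits(BLOCK_BITS)
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    hits = find_collisions(iv, cbc_encrypt(key, iv, plaintext))
    leaks_ok = all(plaintext[i] ^ plaintext[j] == x for i, j, x in hits)
    return len(hits), leaks_ok
```

`expected_collisions(2**32, 64)` is about 0.5, which is why sessions using a 64-bit block cipher need to be rekeyed long before 2^32 blocks (32 GB) are encrypted under one key.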

The original advisory will be presented at the 23rd ACM Conference on Computer and Communications Security and is available at:

https://sweet32.info/SWEET32_CCS16.pdf

Karthikeyan Bhargavan and Gaetan Leurent from INRIA reported this vulnerability.

Impact:   A remote user that can monitor the network can decrypt transmitted data in certain cases.
Solution:   [Editor's note: The vulnerability is a known limitation of the cryptographic protocol.]

The vendor has issued a version (1.1.0) that disables the vulnerable 3DES cipher suites in the default configuration.

The vendor advisory is available at:

https://www.openssl.org/news/changelog.html#x0
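
To check whether a cipher string still enables 3DES or another 64-bit block cipher, the `Enc=` column of `openssl ciphers -v` output can be audited. This is an added example, not part of the advisory or of OpenSSL: the function names, the `SMALL_BLOCK_ENC` set and the sample listing are constructed for illustration.

```python
import re
import subprocess

# Enc= values that `openssl ciphers -v` prints for 64-bit block ciphers.
# This set is an assumption of the example; extend it for your build.
SMALL_BLOCK_ENC = {"3DES", "DES", "IDEA", "RC2"}
_ENC = re.compile(r"\bEnc=([^(\s]+)\((\d+)\)")

def audit_cipher_listing(listing: str):
    """Return [(suite, protocol, enc)] for suites using a 64-bit block cipher."""
    flagged = []
    for line in listing.splitlines():
        fields = line.split()
        m = _ENC.search(line)
        if len(fields) < 2 or m is None:
            continue                      # blank or unrecognised line
        if m.group(1).upper() in SMALL_BLOCK_ENC:
            flagged.append((fields[0], fields[1], m.group(1)))
    return flagged

def local_listing(cipher_string: str = "DEFAULT") -> str:
    """Expand a cipher string with the local openssl binary."""
    result = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                            capture_output=True, text=True, check=True)
    return result.stdout

# Constructed sample in the `openssl ciphers -v` column layout.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

if __name__ == "__main__":
    for suite, proto, enc in audit_cipher_listing(local_listing()):
        print(f"64-bit block cipher enabled: {suite} ({proto}, {enc})")
```

Pass the same cipher string your server configuration uses to `local_listing` to audit that configuration rather than the build default.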

Vendor URL:  openssl.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 17 2016 (Oracle Issues Fix for Oracle Linux) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
Oracle has issued a fix for Oracle Linux 5.
Oct 27 2016 (HP Issues Fix for HPE System Management Homepage) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
HPE has issued a fix for HPE System Management Homepage.
Oct 27 2016 (HP Issues Advisory for HPE IceWall) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
HPE has issued an advisory for HPE IceWall.
Nov 4 2016 (HP Issues Fix for HPE integrated Lights Out (iLO)) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
HP has issued a fix for HPE integrated Lights Out (iLO).
Nov 15 2016 (IBM Issues Fix for IBM AIX) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
IBM has issued a fix for IBM AIX 5.3, 6.1, 7.1, and 7.2.
Dec 15 2016 (IBM Issues Advisory for IBM DB2) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
IBM plans to issue a fix for IBM DB2.
Jan 10 2017 (IBM Issues Fix for IBM License Metric Tool) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
IBM has issued a fix for IBM License Metric Tool.
Jan 13 2017 (HPE Issues Fix for HPE SiteScope) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
HPE has issued a fix for HPE SiteScope.
Feb 16 2017 (HPE Issues Fix for HPE Business Service Management) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
HPE has issued a fix for HPE Business Service Management.
Mar 1 2017 (Pulse Secure Issues Fix for Pulse Connect Secure) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
Pulse Secure has issued a fix for Pulse Connect Secure.
Mar 1 2017 (IBM Issues Fix for IBM WebSphere Portal) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
IBM has issued a fix for IBM WebSphere Portal.
Mar 8 2017 (Red Hat Issues Fix for IBM Java SE) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
Red Hat has issued a fix for java-1.8.0-ibm for Red Hat Enterprise Linux 6 and 7.
Mar 15 2017 (HPE Issues Fix for HPE Business Service Management) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
HPE has issued a fix for HPE Business Service Management.
Mar 22 2017 (IBM Issues Fix for IBM Rational ClearQuest) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
IBM has issued a fix for IBM Rational ClearQuest.
Apr 8 2017 (IBM Issues Fix for IBM WebSphere MQ) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
IBM has issued a fix for IBM WebSphere MQ on NonStop Server.
Apr 8 2017 (IBM Issues Fix for IBM License Metric Tool) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
IBM has issued a fix for IBM License Metric Tool.
Apr 28 2017 (Ubuntu Issues Fix for Network Security Services (NSS)) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
Ubuntu has issued a fix for Network Security Services (NSS) for Ubuntu Linux 14.04 LTS, 16.04 LTS, 16.10, and 17.04.
Jun 6 2017 (IBM Issues Fix for IBM Security Access Manager) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
IBM has issued a fix for IBM Security Access Manager.
Jul 18 2017 (Oracle Issues Fix for Oracle Database) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
Oracle has issued a fix for Oracle Database.
Aug 11 2017 (HPE Issues Fix for HPE LoadRunner) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
HPE has issued a fix for HPE LoadRunner.
Aug 11 2017 (HPE Issues Fix for HPE Performance Center) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
HPE has issued a fix for HPE Performance Center.
Aug 26 2017 (IBM Issues Fix for IBM Sametime Community Server) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
IBM has issued a fix for IBM Sametime Community Server.
Sep 6 2017 (IBM Issues Fix for IBM Tivoli Directory Server on IBM AIX) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
IBM has issued a fix for IBM Tivoli Directory Server on IBM AIX.
Oct 18 2017 (Oracle Issues Fix for Oracle HTTP Server) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
Oracle has issued a fix for Oracle HTTP Server.
Jul 3 2018 (Red Hat Issues Fix for Python) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
Red Hat has issued a fix for Python for Red Hat Enterprise Linux 7.
Jul 4 2018 (Oracle Issues Fix for Oracle Linux for Python) OpenSSL 3DES Cipher Block Collision Weakness Lets Remote Users Decrypt Data in Certain Cases
Oracle has issued a fix for Python for Oracle Linux 7.



Copyright 2019, SecurityGlobal.net LLC