
CVE-2016-2183

/** * This is the notes section. CVE documents should ONLY be created by employees of ClearCenter with the authority to make statements on behalf of the company. If you have content that would be useful to the statement, please contact ClearCenter. */

'The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a “Sweet32” attack.'

ClearCenter response

This issue affects ClearOS 7 and ClearOS 6. The fix here is to prefer other encryption methods above 3DES but leave 3DES support for compatibility reasons.

Short response

This issue was addressed in the following backported package versions:

  • openssl version 1.0.1e-51 and later in ClearOS 7

The attack requires that the attacker collect data from a 3DES connection made by older machines that still require 3DES. Updating client systems mitigates this risk while keeping backwards compatibility.

Long response

This issue was addressed in the following backported package versions:

  • openssl version 1.0.1e-51 and later in ClearOS 7

Any attack using this method requires that the attacker collect data from a 3DES connection made by older machines that still require 3DES. Since 3DES is not preferred and should only be present for compatibility reasons, updating client systems mitigates this risk while keeping backwards compatibility.
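As an added example (not ClearCenter's own tooling), the following Python check audits the mitigation described above: it parses output in the format of `openssl ciphers -v` (a constructed sample is embedded), flags ciphers with 64-bit blocks, reports any that a server would prefer above a wide-block cipher, and computes the birthday bound that makes a 64-bit block risky for long sessions. It assumes that only DES, 3DES, IDEA and RC2 denote 64-bit-block ciphers in the `Enc=` field, and it generalises beyond this page's 3DES case to the other 64-bit-block ciphers covered by Sweet32.

```python
import re

# Enc= names from `openssl ciphers -v` whose block size is 64 bits (assumption:
# these are the only such names that can appear in the input).
SIXTY_FOUR_BIT_BLOCK = {"3DES", "DES", "IDEA", "RC2"}

# Constructed sample of `openssl ciphers -v` output, in server preference order.
# ECDHE-RSA-DES-CBC3-SHA is deliberately placed above a wide-block cipher.
SAMPLE_CIPHER_LIST = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
ECDHE-RSA-DES-CBC3-SHA      SSLv3   Kx=ECDH Au=RSA Enc=3DES(168)   Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""

_LINE = re.compile(
    r"^(?P<name>\S+)\s+\S+\s+Kx=\S+\s+Au=\S+\s+Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)"
)


def parse_ciphers(text):
    """Return [(cipher_name, enc_algorithm)] in listed (preference) order."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append((m.group("name"), m.group("enc")))
    return out


def birthday_bound_bytes(block_bits):
    """Bytes of one session after which a block collision becomes likely:
    about 2^(n/2) blocks of n/8 bytes each (2^32 blocks = 32 GiB for n=64)."""
    return (1 << (block_bits // 2)) * (block_bits // 8)


def audit_cipher_order(text):
    """Return (weak, misordered): weak = all 64-bit-block ciphers present;
    misordered = those preferred above at least one wide-block cipher."""
    ciphers = parse_ciphers(text)
    weak = [name for name, enc in ciphers if enc in SIXTY_FOUR_BIT_BLOCK]
    misordered = []
    for i, (name, enc) in enumerate(ciphers):
        later_wide = any(e not in SIXTY_FOUR_BIT_BLOCK for _, e in ciphers[i + 1:])
        if enc in SIXTY_FOUR_BIT_BLOCK and later_wide:
            misordered.append(name)
    return weak, misordered


if __name__ == "__main__":
    weak, misordered = audit_cipher_order(SAMPLE_CIPHER_LIST)
    print("64-bit-block ciphers offered:", weak)
    print("preferred above a wide-block cipher (fix ordering):", misordered)
    print("3DES birthday bound per session: %d GiB" % (birthday_bound_bytes(64) >> 30))
```

Run it against the live list with `openssl ciphers -v 'YOUR-CIPHER-STRING'` piped into `parse_ciphers` to confirm 3DES sits at the bottom of the preference order rather than being removed outright.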

Resolution

Make sure that client access devices are up to date and do not require older protocols to function. If you are running ClearOS 7, please ensure that you are running the latest updates:

yum update

You may also validate your version by running:

rpm -qi openssl

You should validate that you are running:

ClearOS 7

  • openssl version 1.0.1e-51 or later

ClearOS 6

Users of ClearOS 6 should update to ClearOS 7 to address risks presented by this flaw.

content/en_us/announcements_cve_cve-2016-2183.txt · Last modified: 2018/10/03 13:19 by dloper
