Security Bulletin: Securing your products against OpenSSL and TLS vulnerabilities
OpenSSL vulnerabilities are disclosed by the OpenSSL Project and affect the products listed below. This includes the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol (CVE-2015-4000). This also includes the alternate chains certificate forgery vulnerability (CVE-2015-1793). The affected products have addressed the applicable CVEs.
TLS connections using the Diffie-Hellman key exchange protocol were found to be vulnerable to a man-in-the-middle attack. An attacker could potentially downgrade vulnerable TLS connections to 512-bit export-grade cryptography. The Apache and nginx web servers and OpenSSL support Diffie-Hellman Export ciphers and as such can become vulnerable to this attack by an adversary using pre-computed 512-bit primes.
CVEID: CVE-2016-2183
DESCRIPTION: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPsec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a “Sweet32” attack.
CVEID: CVE-2016-2017
DESCRIPTION: OpenSSL before 1.0.1t and before 1.0.2h has been found to be vulnerable to a padding-oracle attack on CBC mode decryption. This potentially allows attackers to decrypt client data sent to the server.
CVEID: CVE-2015-1793
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions caused by an implementation error of the alternative certificate chain logic. An attacker could exploit this vulnerability to bypass the CA flag and other specific checks on untrusted certificates and issue an invalid certificate.
CVEID: CVE-2015-4000
DESCRIPTION: TLS version 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the “Logjam” issue.
Use the Elliptic-curve Diffie-Hellman ciphers and disable weak Diffie-Hellman export ciphers in all SSH, Apache, and nginx servers used by the IBM Aspera Server products.
The next major release of all IBM Aspera Server products will default to this configuration. Until then, you can protect your servers by using the following as a reference for which ciphers to use for each affected product.
The file to modify is found at the following:
/opt/aspera/common/apache/conf/extra/httpd-ssl.conf
C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\extra\httpd-ssl.conf
Add the following configurations to the file:
**SSLProtocol** all -SSLv2 -SSLv3
**SSLCipherSuite** ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
**SSLHonorCipherOrder** on
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Add entropy for stronger Diffie-Hellman randomness by running the following commands:
# openssl dhparam -out dhparams.pem 2048
# cat dhparams.pem >> /opt/aspera/common/apache/conf/server.crt
_(or wherever SSLCertificateFile is pointing)_
Add entropy for stronger Diffie-Hellman randomness by running the following commands:
# cd /opt/aspera/shares/etc/nginx
# /opt/aspera/shares/bin/openssl dhparam -out dhparams.pem 2048
The file to modify is found at the following:
/opt/aspera/shares/etc/nginx/nginx.conf
C:\Shares\nginx\conf\nginx.conf
Add the following configurations to the file:
**ssl_protocols** TLSv1 TLSv1.1 TLSv1.2;
**ssl_ciphers** ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
**ssl_prefer_server_ciphers** on;
**add_header** Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
**ssl_dhparam** _dhparams.pem_;
If you are on Shares 1.9.3 or earlier you are vulnerable to a padding-oracle attack on CBC mode decryption (CVE 2016-2017 above). Shares 1.9.4 and above uses an upgraded version of OpenSSL and is not exposed to this vulnerability.
If you can’t upgrade Shares immediately, note that TLS 1.2 does not make use of the vulnerable AES-CBC cipher modes.
You can modify Shares to use TLS 1.2 exclusively by modifying the nginx.conf file:
/opt/aspera/shares/etc/nginx/nginx.conf
C:\Shares\nginx\conf\nginx.conf
NOTE: If you have Shares users on old browsers, they may not be able to connect if you use TLS 1.2 exclusively. You can check TLS 1.2 support here.
Modify the ssl_protocols line so it only defines TLSv1.2:
**ssl_protocols** TLSv1.2;
The file to modify is found at the following:
/opt/aspera/etc/aspera.conf
C:\Program Files (x86)\Aspera\_product_name_\etc\aspera.conf
/Library/Aspera/etc/aspera.conf
This is the default in aspera.conf:
<ssl_protocol>tlsv1</ssl_protocol>
<ssl_ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</ssl_ciphers>
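The same cipher string is given above for Apache (SSLCipherSuite), Shares nginx (ssl_ciphers) and aspera.conf (<ssl_ciphers>), and the Shares section additionally restricts ssl_protocols to TLSv1.2. The following is an added example, not part of the bulletin or of the Aspera products: it expands that cipher string against the locally installed OpenSSL (via Python's standard ssl module) and reports whether any suite a client could negotiate still carries a DES/3DES (Sweet32), export-grade (Logjam), RC4, MD5, NULL or anonymous marker, and whether SSLv3 is off and the minimum version is TLS 1.2. The WEAK_MARKERS list and the function names are this example's own choices, not anything from the products.

```python
import ssl

# Cipher string the bulletin gives for Apache, nginx and aspera.conf (copied from the page).
BULLETIN_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
)

# Substrings of OpenSSL cipher names that mark suites the bulletin's CVEs target
# (assumed list for this example): DES/3DES for Sweet32, EXP export grades for Logjam,
# RC4, MD5 MACs, and NULL / anonymous (ADH, AECDH) suites.
WEAK_MARKERS = ("DES", "RC4", "EXP", "MD5", "NULL", "ADH", "AECDH")


def weak_ciphers(names):
    """Return the cipher names that carry a weak marker (pure function, no OpenSSL needed)."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


def build_server_context(cipher_string, tls12_only=False):
    """Server context mirroring the bulletin's directives."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv3                   # SSLProtocol all -SSLv2 -SSLv3
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # SSLHonorCipherOrder / ssl_prefer_server_ciphers on
    ctx.set_ciphers(cipher_string)                   # SSLCipherSuite / ssl_ciphers
    if tls12_only:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # Shares: ssl_protocols TLSv1.2;
    return ctx


def audit_cipher_string(cipher_string, tls12_only=False):
    """Expand the string against the local OpenSSL and report what a client could negotiate."""
    ctx = build_server_context(cipher_string, tls12_only)
    enabled = [c["name"] for c in ctx.get_ciphers()]
    return {
        "enabled": enabled,
        "weak": weak_ciphers(enabled),
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    report = audit_cipher_string(BULLETIN_CIPHERS, tls12_only=True)
    print("negotiable suites:", len(report["enabled"]))
    print("weak suites:", report["weak"] or "none")
    print("SSLv3 disabled:", report["sslv3_disabled"], "minimum:", report["minimum_version"])
```

Run it on the host that serves the Aspera web interface, since the expansion depends on which suites that host's OpenSSL build actually contains; an empty "weak" list means the string leaves no Sweet32 or export-grade suite negotiable there.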
Add entropy for stronger Diffie-Hellman randomness by running the following commands:
# openssl dhparam -out dhparams.pem 2048
# cat dhparams.pem >> /opt/aspera/etc/aspera_server_cert.pem
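The dhparam steps above (and the equivalent ones for the Apache server.crt and the Shares nginx ssl_dhparam file) leave a "DH PARAMETERS" PEM block appended to, or referenced from, the server's certificate file. The following added example, which is not part of the bulletin or of the Aspera products, checks that a PEM bundle actually contains such a block and that its modulus is at least 2048 bits, by decoding the PKCS#3 DER structure (SEQUENCE of INTEGER p and INTEGER g). It carries a small DER encoder only to build its own constructed test input; the modulus used there is a 2048-bit odd number, not a safe prime, so it is a parsing fixture and nothing else.

```python
import base64
import re

# Matches every "DH PARAMETERS" PEM block in a bundle (a bundle may hold several blocks).
DH_BLOCK = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER for a non-negative int (a leading 0x00 keeps the sign bit clear)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params_pem(p, g):
    """Build a PKCS#3 DHParameter PEM block: SEQUENCE { p INTEGER, g INTEGER }."""
    content = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(content)) + content
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_modulus_bits(pem_bundle):
    """Return the modulus bit length of every DH PARAMETERS block in the bundle."""
    sizes = []
    for match in DH_BLOCK.finditer(pem_bundle):
        der = base64.b64decode("".join(match.group(1).split()))
        tag, seq, _ = _read_tlv(der, 0)
        if tag != 0x30:
            raise ValueError("DH PARAMETERS block is not a DER SEQUENCE")
        p_tag, p_bytes, pos = _read_tlv(seq, 0)
        g_tag, _, _ = _read_tlv(seq, pos)
        if p_tag != 0x02 or g_tag != 0x02:
            raise ValueError("expected INTEGER p followed by INTEGER g")
        sizes.append(int.from_bytes(p_bytes, "big").bit_length())
    return sizes


def weak_dh_blocks(pem_bundle, min_bits=2048):
    """Bit lengths of any DH block below the bulletin's 2048-bit target (empty list = OK)."""
    return [bits for bits in dh_modulus_bits(pem_bundle) if bits < min_bits]


# Constructed bundle: where a real server.crt would carry the certificate, followed by a
# 2048-bit DH block built above. The modulus is NOT a prime; real parameters come from
# `openssl dhparam -out dhparams.pem 2048` as the bulletin instructs.
CONSTRUCTED_BUNDLE = (
    "# certificate block(s) of the real file would appear here\n"
    + encode_dh_params_pem((1 << 2047) | 1, 2)
)

if __name__ == "__main__":
    print("DH modulus sizes:", dh_modulus_bits(CONSTRUCTED_BUNDLE))
    print("blocks below 2048 bits:", weak_dh_blocks(CONSTRUCTED_BUNDLE) or "none")
```

To check a deployed file, read it and pass its text to dh_modulus_bits: an empty result means the `cat dhparams.pem >> ...` step never happened (or was undone by a certificate renewal that rewrote the file), which is the silent failure mode of this procedure.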
The file to modify is found at the following:
Locate the following in the file:
KexAlgorithms diffie-hellman-group1-sha1
and change it to the following:
KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Remove all DH Group Exchange primes of less than 2000 bits from the following file:
C:\Program Files (x86)\Aspera\<Enterprise Server or Point to Point>\etc\moduli
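Removing the small group-exchange primes from the moduli file is what keeps the diffie-hellman-group-exchange-sha1 method above from ever handing a client a sub-2000-bit group. The following added example, not part of the bulletin or of the Aspera products, filters a file in the OpenSSH moduli(5) layout (time type tests trials size generator modulus) by the actual bit length of the hex modulus rather than trusting the size column, keeps comment lines, and sets aside anything malformed. The sample moduli it carries are constructed strings, not real primes.

```python
# OpenSSH moduli(5) line layout: time type tests trials size generator modulus(hex)
# Note that real files list the size column as bits minus one (2047 for a 2048-bit group),
# so measuring the modulus itself avoids an off-by-one against the 2000-bit threshold.

def modulus_bits(line):
    """Bit length of the hex modulus in one moduli line (seventh field)."""
    return int(line.split()[6], 16).bit_length()


def filter_moduli(text, min_bits=2000):
    """Split moduli text into (kept, dropped) lines.

    Comment and blank lines are kept verbatim; groups whose modulus is shorter
    than min_bits, and lines that do not have the seven expected fields, are dropped.
    """
    kept, dropped = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        if len(fields) != 7:
            dropped.append(line)        # malformed: never trust it as a DH group
            continue
        if modulus_bits(line) >= min_bits:
            kept.append(line)
        else:
            dropped.append(line)
    return kept, dropped


def rewrite_moduli(path, min_bits=2000):
    """Rewrite the moduli file at path in place; returns the number of lines removed."""
    with open(path, encoding="ascii") as fh:
        kept, dropped = filter_moduli(fh.read(), min_bits)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(kept) + "\n")
    return len(dropped)


# Constructed sample: the hex moduli are filler of the right length, not primes.
SAMPLE_MODULI = "\n".join([
    "# constructed sample moduli file, not real groups",
    "20150623000000 2 6 100 1023 2 " + "F" * 256,    # 1024-bit group
    "20150623000000 2 6 100 1535 2 " + "F" * 384,    # 1536-bit group
    "20150623000000 2 6 100 2047 2 " + "F" * 512,    # 2048-bit group
    "20150623000000 2 6 100 4095 2 " + "F" * 1024,   # 4096-bit group
])

if __name__ == "__main__":
    kept, dropped = filter_moduli(SAMPLE_MODULI)
    print("kept:", len(kept), "dropped:", len(dropped))
    for line in dropped:
        print("removed group, size column", line.split()[4])
```

Point rewrite_moduli at the moduli path for your platform (the bulletin gives the Windows location above) and restart the SSH service afterwards so sshd reloads the trimmed file.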
23 June 2015: Original Copy Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST) the Common Vulnerability Scoring System (CVSS) is an ‘industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.’ IBM PROVIDES THE CVSS SCORES ‘AS IS’ WITHOUT WARRANTY OF ANY KIND INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.