Description:
Customers using secure network protocols such as https and ssh with the Remote Supervisor Adapter II are impacted by a recently discovered weakness in the generation of RSA keys that are used with those protocols. The weakness in the key generation process may allow the corresponding private key to be remotely compromised by an attacker.
CVSS:
CVSS Base Score: 7.8
CVSS Temporal Score: Undefined
CVSS Environmental Score*: See <http://xforce.iss.net/xforce/xfdb/75885> for the current score
CVSS String: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
The recommended solution is to apply the fix for the Remote Supervisor Adapter II in each named product as soon as practical. After applying the fix, generate new ssh keys and self-signed certificates, or certificate signing requests to be used by ssh and https protocols on the Remote Supervisor Adapter II. Please see below for information on the firmware fixes available.
Remote Supervisor Adapter II firmware for System x3850 M2 and System x3950 M2:
Remote Supervisor Adapter II firmware for System x3650:
The vulnerability was reported to IBM during a larger security study by researchers at the University of Michigan and UC San Diego. See <https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs> for the researchers' description of the study.
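The referenced study found that weak key generation produces RSA moduli that share a prime factor with keys on other devices, so that anyone holding both public keys can factor them. The following added example (not IBM's code, nor part of this Flash) shows the audit a defender can run over the public keys collected from their own fleet of adapters: any two moduli with a non-trivial common divisor are compromised and must be regenerated after the firmware fix. The host names and toy-sized moduli are constructed for illustration; real moduli would be read from the adapters' certificates or SSH host keys.

```python
from math import gcd
from itertools import combinations

# Constructed sample data: toy-sized primes so the example runs instantly.
# Real RSA II moduli are 1024 bits or more; the check is identical.
P = 1000003
Q1 = 1000033
Q2 = 1000037
R = 1000039
S = 1000081

# Hypothetical fleet: host name -> RSA public modulus n = p * q.
# node01 and node02 were generated with the flawed generator and share P.
FLEET_MODULI = {
    "rsa2-node01.example": P * Q1,
    "rsa2-node02.example": P * Q2,
    "rsa2-node03.example": R * S,
}


def find_shared_factor_keys(moduli: dict[str, int]) -> set[str]:
    """Return the names of every key whose modulus shares a factor with
    another key in the set.  gcd(n_a, n_b) != 1 means a prime is shared
    (or the moduli are identical), so both private keys are recoverable
    from public data alone and both keys must be regenerated."""
    affected: set[str] = set()
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        if gcd(n_a, n_b) != 1:
            affected.add(name_a)
            affected.add(name_b)
    return affected


if __name__ == "__main__":
    for host in sorted(find_shared_factor_keys(FLEET_MODULI)):
        print(f"{host}: modulus shares a factor with another key; regenerate")
```

In practice the moduli come from `openssl x509 -noout -modulus -in cert.pem` for the HTTPS certificate and from the host key reported by `ssh-keyscan` for SSH; keys that were already regenerated after the firmware update should drop out of the affected set. The pairwise loop is quadratic in the number of keys, which is fine for a fleet of adapters but not for Internet-scale scans, where the study used a batched GCD algorithm.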
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.