VN 2017 001 SWEET32 CVE-2016-2183


Vulnerability Notice

 
Vulnerability Summary
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Background (From CVE Project)
CVE-2016-2183
   Release Date: Aug 31, 2016 (revised Feb 16, 2017)
   CVSS v3 base score: 5.3

Other References:
https://sweet32.info
https://www.openssl.org//blog/blog/2016/08/24/sweet32/

Impact 
Allows unauthorized disclosure of information
Products Potentially Affected
The following is the vulnerability status of the software products supported by Extreme Networks for this issue:
 
ExtremeXOS (all products): Yes - Config workaround
A, B, C, D, G, I and 800 Series Fixed Switches: Investigating
IDS/IPS: Yes - Config workaround
ExtremeWireless (IdentiFi): Yes - Cloud Connector
Extreme Cloud: Yes
N, K, SSA, and S Modular Switches: No
Extreme Management (Netsight): Investigating
Extreme Control (NAC): Investigating
Extreme Analytics (Purview): Investigating
Security Information & Event Manager: Investigating
X-Series Secure Core Router: Investigating
XSR (X-Pedition Security Router): Investigating
Impact Details
ExtremeXOS (all products)
  • Vulnerable Yes / No: Not vulnerable over SSL; vulnerable over SSH, which is mitigated by configuration
  • Vulnerable Component: SSH
  • Describe conditions when component Vulnerability occurs (why/when/how): When using SSH cipher suites with a 64-bit block size. EXOS allows you to mitigate this vulnerability by configuring the advertised ciphers (i.e. avoiding 64-bit ciphers). EXOS uses the thttpd web server, which is not vulnerable to this type of attack because thttpd does not support persistent SSL connections, which are a requirement of the exploit.
  • Product version(s) affected: all EXOS
  • Workaround: configure SSH to not use 64-bit ciphers. There are two options:
    1. Use secure-mode SSH. This disables all weak and medium ciphers and allows only strong AES ciphers. Command: "configure ssh2 secure-mode on" (available in EXOS 16.2 and later versions)
    2. Disable insecure ciphers through the CLI. The 3des, blowfish and RC4 variants are to be disabled (replace <cipher> in the command with the name of the cipher to disable). Command: "configure ssh2 disable cipher <cipher>" (available in EXOS 22.1 and later versions)
The workaround applies to the EXOS SSH server. For the client, the user can specify which cipher to use at the time of connection.
  • Target Fix Release: na
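To confirm the SSH workaround took effect, the cipher lists a server advertises in its SSH_MSG_KEXINIT message can be parsed and checked for the 3des, blowfish and RC4 (named "arcfour" in SSH) variants the notice says to disable. The following is an added example, not Extreme Networks code; the function names and the two sample payloads are constructed for illustration and are not EXOS output.

```python
import struct

SSH_MSG_KEXINIT = 20
# SSH names for the ciphers the advisory says to disable (3des, blowfish, RC4).
WEAK_PREFIXES = ("3des-", "blowfish-", "arcfour")

def read_name_list(buf, off):
    """Decode one SSH name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated name-list")
    raw = buf[off + 4:end].decode("ascii")
    return (raw.split(",") if raw else []), end

def weak_ciphers_in_kexinit(payload):
    """Return the sorted weak ciphers a peer advertises in a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 17  # skip message type (1 byte) and random cookie (16 bytes)
    lists = []
    for _ in range(10):  # RFC 4253 section 7.1 defines ten name-lists
        names, off = read_name_list(payload, off)
        lists.append(names)
    offered = set(lists[2]) | set(lists[3])  # encryption c2s and s2c
    return sorted(c for c in offered if c.startswith(WEAK_PREFIXES))

def build_kexinit(ciphers):
    """Build a sample KEXINIT payload (constructed test data, not a capture)."""
    def nl(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    fields = [["curve25519-sha256"], ["ssh-rsa"], ciphers, ciphers,
              ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + b"".join(map(nl, fields)) + bytes(5)

# Constructed cipher lists: one with weak ciphers still offered, one AES-only.
before = build_kexinit(["aes128-ctr", "3des-cbc", "blowfish-cbc", "arcfour256"])
after = build_kexinit(["aes128-ctr", "aes256-ctr"])

if __name__ == "__main__":
    print("before workaround:", weak_ciphers_in_kexinit(before))
    print("after workaround: ", weak_ciphers_in_kexinit(after))
```

The payload passed in is the KEXINIT message body, so the 5-byte SSH binary packet header and the trailing padding must be stripped from a captured packet first.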
A, B, C, D, G, I and 800 Series Fixed Switches
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
IDS/IPS
  • Vulnerable Yes / No: Yes
  • Vulnerable Component: EMS
  • Describe conditions when component Vulnerability occurs (why/when/how): Long-running EMS sessions (over 32GB data exchanged) could enable a collision attack within as little as 30 hours. In practice, this may not be possible, but it cannot be ruled out at this time.
  • Product version(s) affected: 7.x, 8.x
  • Workaround:  disable the vulnerable cipher suite, ECDHE-RSA-DES-CBC3-SHA, on the EMS
  • Target Fix Release:  tbd
  • Target Month for Fix Release: ( optional)
ExtremeWireless (IdentiFi)
Extreme Networks Wireless Controllers:
  • Vulnerable Yes / No:  No
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
Extreme Networks Wireless 26xx, 36xx, 37xx series APs
  • Vulnerable Yes/ No:  No
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:  the component is present but disabled
  • Target Fix Release:
Extreme Networks Wireless 38xx and 39xx series APs
  • Vulnerable Yes/ No: Yes
  • Vulnerable Component: Cloud Connector
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:  v10.01 and later
  • Workaround:
  • Target Fix Release:  v10.31.02   and   v10.41
  • Target Month for Fix Release:
ExtremeCloud
  • Vulnerable Yes / No:  Yes
  • Vulnerable Component:  ExtremeCloud (Cloud Connector Server)
  • Describe conditions when component Vulnerability occurs(why/when/how):  When an AP connects with a valid certificate it could negotiate a crypto algorithm that includes 3DES. This is unlikely since the APs support AES and prefer it but the CCS does not block an attempt to use 3DES. End users and unsupported devices are not supposed to connect to CCS and cannot unless they have a certificate issued by the Extreme Networks PKI for hardware products.
  • Product version(s) affected:  3.01.01 to 3.21.03
  • Workaround: No customer workaround at this time. The risk is minimal as APs will connect and prefer to use AES over 3DES.
  • Target Fix Release:  No later than release 4.0
  • Target Month for Fix Release: target July 2017
N, K, SSA, and S Modular Switches
  • Vulnerable Yes / No: No. EOS is not vulnerable to the SWEET32 attack because it does not contain an HTTP-over-TLS (HTTPS) web server. EOS's only use of TLS is for secure communication with an OpenFlow controller, and this connection requires mutual authentication between the switch and the controller. It is therefore impossible for a malicious client to establish a TLS connection with the switch and initiate the large number of transactions that would allow the attacker to recover a cookie.
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
Extreme Management (NetSight)
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
Extreme Control (NAC)
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
Extreme Analytics (Purview)
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
Security Information & Event Manager
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
X-Series Secure Core Router
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
XSR (X-Pedition Security Router)
  • Vulnerable Yes / No: Investigating
  • Vulnerable Component:
  • Describe conditions when component Vulnerability occurs(why/when/how):
  • Product version(s) affected:
  • Workaround:
  • Target Fix Release:
  • Target Month for Fix Release: ( optional)
Repair Recommendations
The resolution to any threat or issue is dependent upon a number of things, including the setup of the computer network and how the local IT team wants to address the situation. Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the situation in a manner that it determines will best address the set-up of its computer network. Update the software, identified in this Notice, in your Extreme Networks products by replacing it with the latest releases from Extreme Networks including those listed above.

Firmware and software can be downloaded from www.extremenetworks.com/support.
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.
