
Alcatel-Lucent Security Advisory No. SA-C0056 Ed. 01

Information about DROWN vulnerability

Summary

DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. The DROWN attack was reported on March 1st 2016 and allows a remote attacker to execute harmful actions on a vulnerable server. A server is considered vulnerable if:
- it allows SSLv2 connections, or
- it shares a public key with another vulnerable server that allows SSLv2 connections.

The severity is considered the same as for Heartbleed and the official risk is currently rated High. The classification levels are Very High, High, Medium and Low.

This vulnerability is identified under CVE-2016-0800 and is associated with seven other vulnerabilities affecting the OpenSSL library (CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799). The analysis of these vulnerabilities is followed with particular attention since it concerns the SSL and TLS cryptographic protocols, which have been challenged in recent years by the Heartbleed and POODLE attacks.

A closer inspection reveals that the DROWN attack may be executed against a vulnerable server in under a minute using a single PC, and the general variant of the attack can be conducted in under 8 hours.

Alcatel-Lucent Enterprise voice products using affected versions of OpenSSL 0.9.8, 1.0.0 and 1.0.1 are concerned by this security alert. However, although these OpenSSL versions are affected, the SSLv2 protocol (as well as SSLv3) was removed from Alcatel-Lucent Enterprise voice products.

OpenSSL 1.0.2 servers should upgrade to 1.0.2g. OpenSSL 1.0.1 servers should upgrade to 1.0.1s.

The Alcatel-Lucent Enterprise Security Team is currently investigating the implications of this security flaw and working on corrective measures. This note is for informational purposes about the DROWN vulnerability.
References

CVE-2016-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
Advisory severity: CVSS Base score 5.8 (HIGH) - AV:N/AC:M/Au:N/C:P/I:P/A:N

CVE-2016-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0799
Advisory severity: CVSS Base score 2.6 (LOW) - AV:N/AC:H/Au:N/C:N/I:N/A:P

CVE-2016-0798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0798
Advisory severity: CVSS Base score 4.3 (LOW) - AV:N/AC:M/Au:N/C:N/I:N/A:P

CVE-2016-0797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0797
Advisory severity: CVSS Base score 4.3 (LOW) - AV:N/AC:M/Au:N/C:N/I:N/A:P

CVE-2016-0705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705
Advisory severity: CVSS Base score 2.6 (LOW) - AV:N/AC:H/Au:N/C:N/I:N/A:P

CVE-2016-0704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0704
Advisory severity: CVSS Base score 4.3 (MEDIUM) - AV:N/AC:M/Au:N/C:P/I:N/A:N

CVE-2016-0703
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703
Advisory severity: CVSS Base score 4.3 (MEDIUM) - AV:N/AC:M/Au:N/C:P/I:N/A:N

CVE-2016-0702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0702
Advisory severity: CVSS Base score 2.6 (LOW) - AV:L/AC:H/Au:N/C:P/I:P/A:N

DROWN documentation references
- ://drownattack.com
- https://www.openssl.org/news/secadv/20160301.txt
- https://access.redhat.com/articles/2176731

Description of the vulnerabilities

Information about the DROWN attack. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. The DROWN attack was reported on March 1st 2016 and allows a remote attacker to execute harmful actions on a vulnerable server. A server is considered vulnerable if:
- it allows SSLv2 connections, or
- it shares a public key with another vulnerable server that allows SSLv2 connections.

The severity is considered the same as for Heartbleed and the official risk is currently rated High. The classification levels are Very High, High, Medium and Low. This vulnerability is identified under CVE-2016-0800 and is associated with seven other vulnerabilities affecting the OpenSSL library.

CVE-2016-0800
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted ciphertext from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

CVE-2016-0799
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data. This is a different vulnerability than CVE-2016-2842.

CVE-2016-0798
A memory leak flaw was found in the way OpenSSL performed SRP user database look-ups using the SRP_VBASE_get_by_user() function. A remote attacker connecting to certain SRP servers with an invalid user name could leak approximately 300 bytes of the server's memory per connection.

CVE-2016-0797
An integer overflow flaw, leading to a NULL dereference or a heap-based memory corruption, was found in the way some BIGNUM functions of OpenSSL were implemented. Applications that use these functions with large untrusted input could crash or, potentially, execute arbitrary code.

CVE-2016-0705
A double-free flaw was found in the way OpenSSL parsed certain malformed DSA (Digital Signature Algorithm) private keys. An attacker could create specially crafted DSA private keys that, when processed by an application compiled against OpenSSL, could cause the application to crash.

CVE-2016-0704
It was discovered that the SSLv2 protocol implementation in OpenSSL did not properly implement the Bleichenbacher protection for export cipher suites. An attacker could use an SSLv2 server using OpenSSL as a Bleichenbacher oracle.

CVE-2016-0703
It was discovered that SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated a non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.

CVE-2016-0702
A side-channel attack was found that makes use of cache-bank conflicts on the Intel Sandy Bridge microarchitecture. An attacker who has the ability to control code in a thread running on the same hyper-threaded core as the victim's thread that is performing decryption could use this flaw to recover RSA private keys.
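The first vulnerability condition above (the server still completes SSLv2 handshakes) is the one an administrator can verify directly after applying a server-side fix or a firewall filter. The following example is added here and is not part of the advisory or of any ALE tooling: it builds a minimal SSLv2 CLIENT-HELLO, recognises an SSLv2 SERVER-HELLO in the reply (a server with SSLv2 disabled answers with a TLS alert, an SSLv2 ERROR, or closes the connection), and includes a constructed SERVER-HELLO so the parser can be exercised offline. The function names, the host/port arguments and the sample bytes are assumptions.

```python
import socket
import struct
# SSLv2 CIPHER-KIND values (3 bytes each) offered in the probe; names follow OpenSSL's ssl2.h.
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}
def sslv2_record(body):
    """Prefix an SSLv2 message with the 2-byte record header (high bit set, 15-bit length)."""
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """CLIENT-HELLO: type 0x01, version 0x0002, cipher list, no session id, 16-byte challenge."""
    specs = b"".join(SSL2_CIPHER_KINDS)
    hdr = struct.pack(">BHHHH", 0x01, 0x0002, len(specs), 0, len(challenge))
    return sslv2_record(hdr + specs + challenge)

def parse_sslv2_server_hello(data):
    """Cipher kinds listed in an SSLv2 SERVER-HELLO, or None when the reply is not one
    (TLS alert starting 0x15, SSLv2 ERROR of type 0x00, or an empty/closed reply)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    body = data[2:2 + (((data[0] & 0x7f) << 8) | data[1])]
    if len(body) < 11 or body[0] != 0x04:            # 0x04 = SERVER-HELLO
        return None
    _hit, _cert_type, _ver, cert_len, specs_len, _cid_len = struct.unpack(">BBHHHH", body[1:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [SSL2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs), 3)]

def server_accepts_sslv2(host, port=443, timeout=5.0):
    """Live check (hypothetical helper, not run by the test): does host:port answer an SSLv2 hello?"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sslv2_client_hello())
            data = s.recv(16384)
    except OSError:      # timeout or refused, e.g. SSLv2 filtered at the firewall: not accepted
        return False
    return parse_sslv2_server_hello(data) is not None

def sample_server_hello():
    """Constructed SERVER-HELLO for offline testing: no session hit, X.509 certificate type,
    empty certificate for brevity, two accepted cipher kinds, 16-byte connection id."""
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"
    cid = b"\x11" * 16
    hdr = struct.pack(">BBBHHHH", 0x04, 0, 1, 0x0002, 0, len(specs), len(cid))
    return sslv2_record(hdr + specs + cid)
```

A server that answers with a SERVER-HELLO still allows SSLv2 connections and is to be fixed or filtered; keep in mind that the second condition (a key shared with another SSLv2-capable host) is not covered by this check.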

Status on Alcatel-Lucent Enterprise products

For supported products and extended support contracts on former versions, Alcatel-Lucent Enterprise will provide fixes. For unsupported products, please refer to the official fixes provided by the OS vendors, depending on your OS version.

Products concerned by the DROWN vulnerability
- OpenTouch Edge Server: up to 2.1.1
- OpenTouch Business Edition: up to 2.1.1. Notes: includes OT server and virtual machine of OmniPCX Enterprise Media Services
- OpenTouch Multimedia Services: up to 2.1.1. Notes: includes OT server and virtual machine of FlexLM
- OpenTouch Messaging Center: up to 2.1.1

Products NOT concerned by the DROWN vulnerability (product: not-impacted version or status)
- Alcatel-Lucent 8 Series IP Touch Phones: phased out
- Alcatel-Lucent Premium Deskphones: R210.3.20.41 and above
- 8002/8012 Deskphone: R110.3.55.2
- OmniTouch 8082 My IC Phone: R300.1.15.9 and above
- 8088 Smart Deskphone: R100.1.008.2 and above
- OpenTouch Connection: 2.1.205.002
- OpenTouch Conversation: 2.1.105.003
- OTC Web, OTC One, OTC Meeting Manager: not impacted, since this depends on the version of the web browser
- 4059 IP attendant: not impacted
- 4059 EE IP attendant: v1.6.1.6 and above
- OmniTouch 8460 Advanced Communications Server (Note: concerns only standalone installation)
- OmniTouch 8660 My Teamwork Unified Messaging
- OmniTouch 8670 Automated Message Delivery System
- OmniVista 8770 Network Management System: R.2.6.7.01 and above
- OpenTouch Messaging Center: OT 2.1.1 and above
- OpenTouch Fax Center: 7.5.2.98 and above
- OpenTouch Session Border Controller: R2.0 and 2.1.x (please refer to the FAQ)
- OmniTouch Contact Center Standard Edition: not impacted
- OmniTouch 8400 Instant Communications Suite: 6.7.400.300.d and above
- IP Touch Security Solution: not impacted (Note: concerns only SIP-TLS)
- OmniPCX Office Rich Communication Edition: R8.0 and above
- vmFlex: 2.1.100.005

Solution for affected products

Fixed Software Versions/Patches (product: fix in; date)
- OpenTouch Edge Server: under investigation
- OpenTouch Business Edition: 2.1.100.06x; OT 2.1.1 MD2 (2.1.100.06x) will be available at the beginning of June 2016. Notes: includes OT server and virtual machine of OmniPCX Enterprise Media Services
- OpenTouch Multimedia Services: 2.1.100.06x; OT 2.1.1 MD2 (2.1.100.06x) will be available at the beginning of June 2016. Notes: includes OT server and virtual machine of FlexLM
- OpenTouch Messaging Center: 2.1.100.06x; OT 2.1.1 MD2 (2.1.100.06x) will be available at the beginning of June 2016

Frequently Asked Questions

Where can I find the release policy for ALE products? The release policy for ALE products is available on the Alcatel-Lucent Enterprise Business Portal: https://businessportal.alcatel-lucent.com

Where can I download ALE software patches? Software patches will be available on the Alcatel-Lucent Enterprise Business Portal: https://businessportal.alcatel-lucent.com

Are OS releases on ICS servers supported by ALE?

ALE does not provide any Operating System (OS) support for the ICS releases.

If you are running on an affected RHEL (from version 4 to version 7), we recommend that you upgrade the glibc component according to your Red Hat vendor’s instructions (https://access.redhat.com/articles/1332213).

Is there a workaround while waiting for the security patch? There is no need to update the web browser or any TLS client, since the mitigation must be done at server level. A possible network workaround consists in filtering SSLv2 traffic on the firewall.

Do I need to renew my TLS certificate because of the DROWN attack? Even if a server is considered affected by the DROWN attack, there is no need to renew the server's TLS certificate, because the DROWN attack does not directly expose private RSA keys but targets individual TLS session keys.

How can I set the mitigation of DROWN in 8770? The administrator may activate or deactivate the protection mechanism against the POODLE vulnerability in order to maintain interoperability with the hardphones; this operation disables the use of the SSLvX protocols, thus protecting against DROWN too. This is done through the C:\8770\bin\ToolsOmniVista.exe utility (menu 3, Disable SSLv3).

How can I set the mitigation of DROWN in OTSBC? Version 2.0 and 2.1.x:
1. Open the TLS Contexts table (Configuration tab > System menu > TLS Contexts).
2. Select the context that you want to configure by selecting its table row, and then click Edit. The context's edit dialog box appears.
3. Change the 'Version' parameter's value to 1. Note: only TLS 1.0 is then used; clients attempting to connect to the device using any other version (SSLv2, SSLv3) are rejected.
4. Click Submit, and then save ("burn") your settings to flash memory.
5. Repeat the above steps for all active TLS Contexts.

How can I set the mitigation of POODLE in Reverse Proxy? Nginx: Nginx provides a procedure to disable SSLv2 and SSLv3. First, locate any use of the ssl_protocols directive in your configuration that specifies the use of SSLv2, for example:

    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;

Remove these directives, or change them to this:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv2 (ref: DROWN) and SSLv3 (ref: POODLE)

Then change the default protocol support. Locate the http { } block in your nginx.conf configuration file and add the following line to the top of the block:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv2 (ref: DROWN) and SSLv3 (ref: POODLE)

Locate the mail { } block in your nginx.conf configuration file (if you have one) and add the same line to the top of the block.

Finally, reload nginx from the command line:

    # nginx -s reload
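The nginx procedure above can be audited and applied mechanically before the reload. The following example is added here and is not part of the advisory or of nginx: it lists every ssl_protocols directive that still names SSLv2 or SSLv3, rewrites those to the TLS-only value, and inserts the TLS-only default at the top of the http {} and mail {} blocks; it skips the insertion when the block already carries its own ssl_protocols directive, because nginx refuses to reload on a duplicate directive in the same context. The function names and the sample configuration are assumptions.

```python
import re
LEGACY = {"SSLv2", "SSLv3"}
SAFE = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLS only (DROWN, POODLE)"
DIRECTIVE_RE = re.compile(r"^(\s*)ssl_protocols\s+([^;#]+);")
BLOCK_RE = re.compile(r"^\s*(\w+)\s*\{\s*$")   # one-line block opener such as "http {"

def _legacy_in(m):
    """Sorted SSLv2/SSLv3 names present in a matched ssl_protocols directive."""
    return sorted(LEGACY & set(m.group(2).split()))
def audit_ssl_protocols(conf):
    """(line number, offending protocols) for each ssl_protocols directive naming SSLv2 or SSLv3."""
    matches = ((n, DIRECTIVE_RE.match(line)) for n, line in enumerate(conf.splitlines(), 1))
    return [(n, _legacy_in(m)) for n, m in matches if m and _legacy_in(m)]

def _blocks_with_own_directive(lines):
    """Top-level blocks (http, mail) that already hold an ssl_protocols directive directly."""
    covered, depth, block = set(), 0, None
    for line in lines:                  # brace counting; assumes no braces inside comments
        if depth == 0 and BLOCK_RE.match(line):
            block = BLOCK_RE.match(line).group(1)
        if depth == 1 and DIRECTIVE_RE.match(line):
            covered.add(block)
        depth += line.count("{") - line.count("}")
    return covered

def harden_ssl_protocols(conf):
    """Rewrite SSLv2/SSLv3 directives to TLS only; add that default atop http {} and mail {} unless present."""
    lines = conf.splitlines()
    covered = _blocks_with_own_directive(lines)
    out, depth = [], 0
    for line in lines:
        m = DIRECTIVE_RE.match(line)
        if m and _legacy_in(m):
            line = m.group(1) + SAFE
        out.append(line)
        b = BLOCK_RE.match(line)
        if depth == 0 and b and b.group(1) in ("http", "mail") and b.group(1) not in covered:
            out.append("    " + SAFE)
        depth += line.count("{") - line.count("}")
    return "\n".join(out) + "\n"
# Constructed nginx.conf fragment: the server block still lists SSLv2/SSLv3, mail {} is already TLS-only.
SAMPLE_CONF = """http {
    server {
        ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    }
}
mail {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
```

Run audit_ssl_protocols on the real nginx.conf (and any files it includes) before and after harden_ssl_protocols; an empty result after hardening is the precondition for the nginx -s reload step.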

Sources: http://nginx.com/blog/nginx-poodle-ssl/ https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol

BlueCoat ProxySG: SGOS 6.5 disables SSL v3 by default for all connections other than the SSL/TLS proxy. SSL v3 can be disabled for the SSL/TLS proxy. SGOS 5.5 and 6.1 through 6.4 enable SSL v3 by default for all connections. SSL v3 can be disabled for all connections.

History
Ed.01 (2016 April 25th): Vulnerability Information Creation