Security Bulletin: SLOTH - Weak MD5 Signature Hash vulnerability may affect DS8000

Security Bulletin


Summary

SLOTH - Weak MD5 Signature Hash vulnerability may affect DS8000 (CVE-2015-7575)

Vulnerability Details

CVEID: CVE-2015-7575

DESCRIPTION:
The TLS protocol could allow weaker than expected security, caused by a collision attack on the MD5 hash function when MD5 is used to sign the ServerKeyExchange message during a TLS 1.2 handshake (the SLOTH transcript-collision attack). An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. The attack only succeeds when the client is willing to accept RSA-MD5 signatures, so removing MD5 from the client's TLS signature algorithms closes it.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)


Detail

Port 1750 is used by the DS Network Interface legacy client to connect to DS8000 services and is documented as presenting a 1024-bit RSA public key signed with MD5. For more information, see the link below:
http://www.ibm.com/support/knowledgecenter/ST5GLJ_8.0.0/com.ibm.storage.ssic.help.doc/f2c_securitybp_updatecert.html
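A check a practitioner can run against what a DS8000 actually presents on port 1750 versus 1751, added here as an example and not part of IBM's bulletin or the DS CLI: save the PEM block printed by `openssl s_client -connect <hmc>:1750 -showcerts` (the host name is an assumption), pass it through pem_to_der(), and inspect_cert()/assess() report the certificate's signature algorithm and RSA modulus size, the two properties the paragraph above describes. It uses only the Python standard library with a deliberately minimal DER parser; the sample certificates built by build_sample_cert() are constructed with empty names and garbage signature bytes purely so the parsing can be exercised offline.

```python
"""Signature algorithm and RSA key size of an X.509 certificate (e.g. what a DS8000
presents on port 1750 vs 1751). Stdlib only; the DER parser reads just the fields
it needs and validates nothing (no chain, no signature, no validity check)."""
import base64

MD5_RSA = "1.2.840.113549.1.1.4"       # md5WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"      # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
RSA_ENC = "1.2.840.113549.1.1.1"       # rsaEncryption (SubjectPublicKeyInfo algorithm)
SIG_NAMES = {MD5_RSA: "md5WithRSAEncryption", SHA1_RSA: "sha1WithRSAEncryption",
             SHA256_RSA: "sha256WithRSAEncryption"}
WEAK_SIG = {MD5_RSA, SHA1_RSA}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Return [(tag, value), ...] for each element of a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    """Strip PEM armour (as printed by `openssl s_client -showcerts`) and decode."""
    return base64.b64decode("".join(
        line for line in pem.splitlines() if line and not line.startswith("-----")))

def inspect_cert(der):
    """Return the signature OID/name and, for RSA keys, the modulus size in bits."""
    _, cert, _ = _tlv(der, 0)                             # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig = _children(cert)                  # tbsCertificate, AlgorithmIdentifier, BIT STRING
    sig_oid = _oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])                            # [0] version?, serial, signature, issuer,
    if fields[0][0] == 0xA0:                              #   validity, subject, subjectPublicKeyInfo, ...
        fields = fields[1:]
    spki_alg, spki_key = _children(fields[5][1])[:2]
    rsa_bits = None
    if _oid(_children(spki_alg[1])[0][1]) == RSA_ENC:
        rsa_seq = _tlv(spki_key[1], 1)[1]                 # skip the BIT STRING's unused-bits byte
        modulus = _children(rsa_seq)[0][1]                # RSAPublicKey ::= SEQUENCE { n, e }
        rsa_bits = int.from_bytes(modulus, "big").bit_length()
    return {"sig_oid": sig_oid, "sig_name": SIG_NAMES.get(sig_oid, sig_oid), "rsa_bits": rsa_bits}

def assess(der, min_rsa_bits=2048):
    """List why the certificate should not be accepted from a TLS endpoint (empty = fine)."""
    info = inspect_cert(der)
    problems = []
    if info["sig_oid"] in WEAK_SIG:
        problems.append(f"certificate signed with {info['sig_name']}")
    if info["rsa_bits"] is not None and info["rsa_bits"] < min_rsa_bits:
        problems.append(f"RSA key is only {info['rsa_bits']} bits")
    return problems

def _enc(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunk))
    return _enc(0x06, body)

def build_sample_cert(sig_oid, modulus_bits):
    """Constructed sample (NOT a real DS8000 certificate): structurally valid, with empty
    names and garbage signature bytes, enough to exercise inspect_cert() offline."""
    alg = _enc(0x30, _enc_oid(sig_oid) + b"\x05\x00")                  # AlgorithmIdentifier, NULL params
    n = (1 << (modulus_bits - 1)) | 1                                   # top bit set -> exactly modulus_bits
    e = _enc(0x02, b"\x01\x00\x01")                                     # public exponent 65537
    rsa = _enc(0x30, _enc(0x02, b"\x00" + n.to_bytes(modulus_bits // 8, "big")) + e)
    spki = _enc(0x30, _enc(0x30, _enc_oid(RSA_ENC) + b"\x05\x00") + _enc(0x03, b"\x00" + rsa))
    validity = _enc(0x30, _enc(0x17, b"160101000000Z") + _enc(0x17, b"260101000000Z"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg
               + _enc(0x30, b"") + validity + _enc(0x30, b"") + spki)  # v3, serial 1, empty issuer/subject
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" + bytes(modulus_bits // 8)))
```

assess(build_sample_cert(MD5_RSA, 1024)) reproduces the two findings the bulletin describes for port 1750 (an md5WithRSAEncryption signature and a 1024-bit key), while the SHA-256/2048-bit sample comes back clean; run the same two calls on the real certificates from 1750 and 1751 before and after disabling the legacy port to confirm that the weak one is no longer reachable. The parser only follows the fixed field order of an X.509 certificate, so a certificate that is not RSA reports rsa_bits as None rather than guessing.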

Disabling this port has been available since R7.2 (and is supported in all later levels). The facility to disable this port was also made available in R6.3SP13. For level information, see:
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004456



IBM recommends disabling the legacy port (by using the dscli manageaccess command) after verifying that all applications which use the DS Network Interface Client have been updated to support port 1751, and after updating the DS8000 microcode to at least the versions indicated above. The microcode update only provides the facility to disable the port; it is disabling the port that ensures there is no exposure to this vulnerability.


Please note that Java releases from January 2016 onward may also reject MD5-signed keys in TLS handshakes (controlled by the jdk.tls.disabledAlgorithms security property in the JDK's java.security file), which effectively forces applications that embed the DS Network Interface Client to use the secure port only. Consult the applicable product documentation for information on how to re-enable this support if use of the legacy port is required; note that re-enabling MD5 there weakens every TLS connection made by that JVM, not only the one to port 1750.

Also note that DSCLI must be at a minimum R7.2 level (even for R6.3 users) to be able to issue the manageaccess command.

For dscli download information please select the applicable levels at:

https://www.ibm.com/support/fixcentral/options

Affected Products and Versions

All

Remediation/Fixes

N/A

Workarounds and Mitigations

See the detail above

References

Change History

Added a note to indicate minimum DSCLI levels required.
Provide link to FixCentral for DSCLI download.
Use generic link to FixCentral

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Products: Disk systems->DS8870 (ST8NCA); Disk systems->DS8700 (STUVMB); IBM DS8800 (STXN8P); DS8880 (ST5GLJ)
Business Unit: IBM Infrastructure w/TPS (DS8870, DS8800, DS8880); Systems w/TPS (DS8700)
Component: Not Applicable
Platform: Platform Independent
Version: Version Independent
Edition: Enterprise
Line of Business: Storage

Document Information

Modified date:
24 May 2022

UID

ssg1S1005735