IBM Support

Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Sterling Connect:Direct for UNIX (CVE-2015-7575)

Created by Brent Choate on
Published URL:
http://www.ibm.com/support/docview.wss?uid=swg21974888
539263

Security Bulletin


Summary

The MD5 “SLOTH” vulnerability on TLS 1.2 affects IBM Sterling Connect:Direct for UNIX.

Vulnerability Details

CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

Affected Products and Versions

IBM Sterling Connect:Direct for Unix 4.1.0
IBM Sterling Connect:Direct for Unix 4.0.0

Remediation/Fixes

V.R.M.F

APARRemediation/First Fix
4.1.0IT02558Apply 4.1.0.4 iFix 027 or later, available on Fix Central
4.0.0IT02558Apply 4.0.00 Fix 114 or later, available on IWM
For older versions/releases IBM recommends upgrading to a fixed, supported version/release of the product.

Workarounds and Mitigations

For each record listed in the C:D Secure+ Admin Tool, go to its TLS/SSL Protocol > TLS/SSL Options tab and remove any cipher suites listed as Enabled that use MD5 signatures.

You should verify applying this configuration change does not cause any compatibility issues. Not disabling the MD5 signature hash will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the MD5 signature hash and take appropriate mitigation and remediation actions.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Reported to IBM by Karthikeyan Bhargavan at INRIA in Paris, France

Change History

19 January 2016: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSKTYY","label":"IBM Sterling Connect:Direct for UNIX"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"}],"Version":"4.1;4.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
24 July 2020

UID

swg21974888

Page Feedback