Security Bulletin: IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web software releases are affected by a vulnerability known as the SWEET32 Birthday attack (CVE-2016-2183)

Workarounds and Mitigations

The Sweet32 Birthday vulnerability only affects Triple DES Ciphers. Specifically, it affects the following ciphers:
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
In the reverse proxy configuration file, these ciphers are collectively known as DES-168.

The Sweet32 Birthday vulnerability only comes into effect when one of the DES-168 ciphers is used and more than 32G data is sent over a single connection. If single connections are not transferring more than 32G of data (or not using one of above ciphers) then no action is required.

Otherwise, DES-168 ciphers need to be disabled to prevent exposure to Sweet32 Birthday attacks.

Disabling DES-168

Check whether your Access Manager Runtime configuration includes either of the following settings:
- FIPS mode is enabled (versions 6.1, 6.1.1, 7.0), or
- The SSL compliance setting (ISAM 7 only) is set to either NSA Suite B 128 or NSA Suite B 192

If so, you must check that 'SSL Quality of Protection management' either isn't enabled or doesn't allow DES-168 ciphers in each of the reverse proxy configuration files.

The Access Manager Runtime configuration is stored in pd.conf. On Unix/Linux systems, this configuration file is located at /opt/PolicyDirector/etc/pd.conf. On Windows, this configuration file is located at <isam installdir>\PolicyDirector\etc\pd.conf.

In TAMeb 6.1 and 6.1.1 environments, you can check the FIPS mode enabled setting, ssl-enable-fips, in the Runtime configuration file:

ssl-enable-fips = yes

In IBM Security Access Manager 7.0 software environments, you can check whether the ssl-compliance setting has been set to either FIPS, suite-b-128 or suite-b-192:

ssl-compliance = fips
or
ssl-compliance = suite-b-128
or
ssl-compliance = suite-b-192

If you have FIPS mode enabled (versions 6.1, 6.1.1 and 7.0) or one of the above ssl-compliance settings in an ISAM 7 software environment, you must ensure that the 'SSL Quality of Protection management' is either disabled or doesn't allow DES-168 ciphers.

In all other environments (with FIPS and NSA Suite B disabled), make sure 'SSL Quality of Protection management' is enabled and doesn't enable DES-168 ciphers in each of the reverse proxy configuration files.

The 'SSL Quality of Protection management' setting is located in the WebSEAL configuration file (webseald-<instance>.conf).

[ssl-qop]
ssl-qop-mgmt = yes

If ssl-qop-mgmt is enabled (ssl-qop-mgmt = yes) then the allowed ciphers and the order in which the ciphers will be negotiated are specified in the [ssl-qop-mgmt-default] stanza.

Make sure that Triple DES (both DES-168 and FIPS-DES-168) are not in the list of allowed ciphers.
Note: The order of ciphers in the list is the order in which the ciphers will be negotiated.

Remove the *DES* ciphers from the [ssl-qop-mgmt-default] stanza.
For example:
Before
[ssl-qop-mgmt-default]
default = AES-128
default = DES-168
default = FIPS-DES-168
default = AES-256

After
[ssl-qop-mgmt-default]
default = AES-128
default = AES-256

You must also update the [ssl] cipher specs for the Policy Server (in ivmgrd.conf) and Authorization Servers (in <instance>-ivacld.conf)

Update the following entries in the [ssl] stanza to include only acceptable ciphers.

[ssl]
tls-v12-cipher-specs
tls-v11-cipher-specs
tls-v10-cipher-specs
ssl-v3-cipher-specs (if using SSLv3 which is not recommended*)

*Note: The use of SSLv3 is not recommended due to known vulnerabilities. See http://www-01.ibm.com/support/docview.wss?uid=swg21691605.

TLS v1.2

The SSL TLS v1.2 ciphers affected by the Sweet32 birthday vulnerability are TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

If ssl-compliance is either NSA Suite B 128 or NSA Suite B 192 then the above ciphers are disabled.

Otherwise, you need to ensure that they are not included in the configured list of TLS v1.2 cipher specs.

For example, set:
tls-v12-cipher-specs = TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Note: The Suite B Allowed TLSV12 CipherSpecs are TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS v1.1

The TLS v1.1 cipher affected by the Sweet32 birthday vulnerability is TLS_RSA_WITH_3DES_EDE_CBC_SHA.
To disable this cipher, ensure it does not appear in the configured list of TLS v1.1 cipher specs.
For example, set:
tls-v11-cipher-specs = TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

TLS v1.0

The TLS v1.0 cipher affected by the Sweet32 birthday vulnerability is TLS_RSA_WITH_3DES_EDE_CBC_SHA.
To disable this cipher, ensure it does not appear in the configured list of TLS v1.0 cipher specs.
For example, set:
tls-v10-cipher-specs = TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

SSLv3
The SSL v3 cipher affected by the Sweet32 birthday vulnerability is TLS_RSA_WITH_3DES_EDE_CBC_SHA

To disable this cipher, ensure that it does not appear in the configured list of SSLv3 ciphers, as specified by the ssl-v3-cipher-specs configuration entry. Note however that the use of SSLv3 and the associated ssl-v3-cipher-specs configuration entry is not recommended due to other known vulnerabilities such as POODLE.