Security Bulletin
Summary
The MD5 “SLOTH” vulnerability on TLS 1.2 affects IBM XIV Gen3 systems and IBM XIV Management Tools.
Vulnerability Details
|
CVEID: CVE-2015-7575 |
Affected Products and Versions
- IBM XIV Gen3 systems running microcode versions 11.0 or later are affected.
- IBM XIV Management Tools (IBM XIV GUI, XIV TOP and XCLI) up to version 4.8 (including), and IBM Hyper-Scale Manager up to version 1.9.0 (including) are affected.
Remediation/Fixes
IBM XIV Management tools: IBM XIV Management Tools version 4.8.0.1 and the bundled IBM Hyper-Scale Manager version 1.9.1 are blocking by default the usage of MD5 signature algorithms. If the customer is using certificates supplied by a 3rd party CA for the IBM Hyper-Scale Manager server, it is advised to contact the company’s CA to verify all certificates don't use MD5 signature algorithms.
The IBM XIV Management Tools hotfix can be obtained from the IBM Fix Central website at:
http://www-933.ibm.com/support/fixcentral/
| You should verify applying this fix does not cause any compatibility issues. The fix disables MD5 signature hash by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the MD5 signature hash and take appropriate mitigation and remediation actions. |
Workarounds and Mitigations
IBM XIV Gen3 systems: IBM's internally supplied certificates are not vulnerable to the attack. If the customer is using certificates supplied by a 3rd party CA, the customer should contact the company’s CA to verify all certificates don't use the RSA-MD5 or ECDSA-MD5 signature algorithms. IBM XIV Gen3 systems use SSL certificates only for LDAP, KMIP, IPSEC, or CIM services. XCLI service are not vulnerable to this attack when using the default internally supplied certificate, unless the certificate was changed by the customer.
TLS1.2 connections that use certificates, signed by RSA-MD5 or ECDSA-MD5 signature algorithms, are vulnerable to the SLOTH attack. The SLOTH attack reduces the strength of the encryption used in the specific TLS1.2 connections using these certificates.
Since storage management is usually on an internal and separate network, exposure to this vulnerability is limited to users with access to the management network.
The impact is limited to management communication only, as IBM XIV does not use SSL encryption in the data path.
| You should verify applying this configuration change does not cause any compatibility issues. Not disabling the MD5 signature hash will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the MD5 signature hash and take appropriate mitigation and remediation actions. |
Get Notified about Future Security Bulletins
References
Acknowledgement
Reported to IBM by Karthikeyan Bhargavan at INRIA in Paris, France
Change History
January 27 2016: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
ssg1S1005615