CVE-2016-2183: openssl: Birthday attacks on 64-bit block ciphers aka triple-des (SWEET32)
This document (7017985) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 12 GA LTSS (SLES 12 GA LTSS)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 LTSS (SLES 11 SP3 LTSS)
SUSE Linux Enterprise Server 11 Service Pack 2 LTSS (SLES 11 SP2 LTSS)
The codename is SWEET32 and it was released on https://sweet32.info
The amount of traffic needed to break such a 64Bit cipher is high (3 digit GB range) and it needs to be sniffable by a local attacker, so the severity of this vulnerability has been marked as "moderate".
SUSE will release OpenSSL updates that will move the 3DES ciphers from the "HIGH" security list to the "MEDIUM" security list. This will benefit services that use the "HIGH" SSL cipher string keyword to only allow secure ciphers.
Block ciphers that provide only 64-Bit of safety are for example Triple-DES or Blowfish.
The SWEET32 attach has several preconditions that make the attack unlikely:
- Several gigabytes of data need to be generated and also sniffed and plain text patterns have to be present
- The attacker has to rely on weak 64-Bit block ciphers being used used for the communication
SSL / TLS mitigation
For SSL/TLS usage, all SUSE products by default use stronger block ciphers (AES) which provide either 128 or 256 bit block sizes.
All TLS connections will use the best ciphers available and are then not affected by this vulnerability.
Especially OpenSSL 1.0.1 on SUSE Linux Enterprise Server 12 uses a cipher list order sorted by strength.
The Triple-DES cipher is currently only listed as fallback cipher for very old servers and should be disabled. To do so simply add "!3DES" at the end of the standard OpenSSL cipher string configuration, e.g. in Apache2 "SSLCipherSuite".
OpenVPN uses the blowfish cipher by default. This should be changed in the configuration file by using the "cipher" keyword.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7017985
- Creation Date:25-AUG-16
- Modified Date:30-AUG-16
- NovellSUSE Linux Enterprise Server for SAP Applications
- SUSESUSE Linux Enterprise Server