× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. January 2018

Re: CERT Advisory: #144389 Return of Bleichenbacher's Oracle Threat (ROBOT)

I have opened a PMR with IBM in hopes of some type of patch to be issued.

My limited understanding and research into the issue is that the
implementation of a patch
required to mitigate a ROBOT type padding cipher attack in the TLS RSA key
exchanged is extremely complicated.

I do have other NON-IBM systems that have these ciphers enabled that are
NOT vulnerable to the attack.

I have confirmed (by testing our environment) that Domino, System SSL and
Open SSL all are vulnerable to this attack
on the IBMi.

I have multiple vulnerability (independent) scanning engines that confirm
that in fact the IBMi system SSL, Domino and OpenSSL
are all vulnerable.

IBM's initial response is that the IBMi is NOT VULNERABLE to this style
padding attack.

I don't believe it and asked if they would be publishing a PUBLIC response
to it.

The options that IBM has recommended at this point

1. Remove the RSA ciphers. This is the most definitive method, however, as
all others including myself have indicated
this will break connections with systems that do not have support for the
newer elliptical ciphers.
unfortunately we do not and cannot control what ciphers and TLS protocols
that third party customers, government
agencies and vendors use and cannot just turn off the all the RSA ciphers.


Effective Feb1-2018, Qualys SSL Labs will flag all systems with this
vulnerability as a grade F.

2. IBMi 7.3 customers that must continue to use RSA cipher suites could
leverage IDS handshake failure policy add in
7.3 to help mitigate an actual ROBOT style oracle attack. you would
have to stand up the IBMi IDS/IPS to enable this.
unfortunately, I have played with the IDS/IPS policy and it can
break/detect a bunch of false positives.
I am not sure how realistic this really is ( a huge amount of testing
would need to be done to implement this)

I believe that IBMi 7.1 customers are out of luck as that policy does not
exist in the IDS/IPS system.

IBM's last response was terse and not very informative. I have no
intention in closing the PMR.
IBM is still researching the issue but I am unsure if it will be practical
for them to issue a patch for this issue.



Jim W Grant
Senior VP, Chief Information Officer
Web: www.pdpgroupinc.com




From: "Rob Berendt" <rob@xxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Date: 01/03/2018 09:40 AM
Subject: Re: CERT Advisory: #144389 Return of Bleichenbacher's
Oracle Threat (ROBOT)
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



<snip>
So did this change the OPSYS list of SSL ciphers? I can't recall. I
never
was on V7R1.
</snip>

And that's my point.


Rob Berendt

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.