CVE-2016-2107 Padding oracle in AES-NI CBC MAC check

What is CVE-2016-2107?

A man-in-the-middle attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI cryptographic acceleration instructions. An attacker can recover at least 16 bytes of data that they can get the client to send repeatedly. The small amount of data that can be recovered, plus the need for the attacker to make the client repeatedly send the same information, makes a successful attack hard.

This document is a living document and will be updated as more information becomes available. If you have any comments or questions, please contact support.

Are KEMP LoadMasters Appliances affected?

LoadMasters using Intel processors without AES-NI support ARE NOT affected.

  • LM-2000, LM-2200, LM-2400, LM-2600, LM-3500, LM-5500

LoadMasters using Intel processors with AES-NI support ARE affected.

  • LM-3400, LM-5000, LM-5300, LM-5400, LM-5600

LoadMasters using hardware SSL ASIC acceleration ARE NOT affected.

  • LM-3600, LM-5305FIPS, LM-8000, LM-8020

Are KEMP Virtual LoadMasters affected?

Potentially - If the underlying processor supports the AES-NI instructions the Virtual LoadMaster is affected. Please check the processor at ark.intel.com to see if “Intel® AES New Instructions” is supported.

Are KEMP LoadMasters running on Amazon AWS affected?

Probably: many modern AWS instance types support AES-NI instructions. The list below shows the affected instance types:

  • General purpose:
    • medium, m3.large, m3.xlarge, m3.2xlarge, m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge, t2.nano, t2.micro, t2.small, t2.medium, t2.large
  • Compute optimized:
    • large, c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge, c3.large, c3.xlarge, c3.2xlarge, c3.4xlarge, c3.8xlarge
  • Memory optimized:
    • 8xlarge, r3.large, r3.xlarge, r3.2xlarge, r3.4xlarge, r3.8xlarge
  • Storage optimized:
    • xlarge, d2.2xlarge, d2.4xlarge, d2.8xlarge, i2.xlarge, i2.2xlarge, i2.4xlarge, i2.8xlarge
  • GPU instances:
    • 2xlarge, g2.8xlarge

Are KEMP LoadMasters running on Microsoft Azure affected?

Potentially - If the underlying processor supports the AES-NI instructions the LoadMaster is affected. We are investigating methods to determine this without contacting Microsoft.

Are KEMP Bare Metal LoadMasters affected?

Potentially - If the underlying processor supports the AES-NI instructions the LoadMaster is affected. Please check the processor at ark.intel.com to see if “Intel® AES New Instructions” is supported.

How can I mitigate/fix CVE-2016-2107 on affected platforms?

Option 1 (AES-GCM):

In the Virtual Service SSL Properties:

  1. Select only TLS 1.2 in supported protocols
  2. Press “Modify Cipher Set”
  3. Remove the AES and AES-CBC ciphers from the assigned ciphers list
  4. Select only the AES128/256 GCM mode ciphers

Please note that this mitigation relies on TLS 1.2, as AES in Galois/Counter Mode (GCM) is only defined for the TLS 1.2 standard and is not available in TLS 1.1/1.0.

TLS 1.2 is recommended for all customers unless there is a need to support legacy clients. If you are unsure whether your clients support TLS 1.2, please see https://www.ssllabs.com/ssltest/clients.html for more information.

Option 2 (3 Key Triple DES):

In the Virtual Service SSL Properties:

  1. Select TLS 1.1 and/or TLS 1.2
    1. SSLv3 is very broken and should never be used
    2. TLS 1.0 has some weaknesses and should only be used with caution and a thorough understanding of the associated risks
  2. Remove the AES and AES-CBC ciphers from the assigned ciphers list
  3. Select the AES128/256 GCM mode ciphers
  4. Add the “DES-CBC3” ciphers in the order shown in the WUI

Please note that this mitigation uses three-key triple DES encryption (a precursor to AES), which does not have the same weaknesses as two-key triple DES or single DES and is supported by a variety of legacy clients. This encryption method is compute intensive and can increase LoadMaster CPU utilization.
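To check the cipher set that results from Option 1 or Option 2 before saving it, here is an added shell example (not KEMP's own tooling or part of the WUI) that audits an OpenSSL-style colon-separated cipher list for the three cipher classes the steps above mention; the sample lists are constructed.

```shell
#!/bin/sh
# Added example, not part of KEMP's LoadMaster software or WUI.
# Audits an OpenSSL-style colon-separated cipher list against the two
# mitigation options above. In OpenSSL suite names only GCM/CCM spell out
# the mode, so an AES suite with no mode in its name is AES-CBC: the class
# CVE-2016-2107 affects and the one the steps tell you to remove.
# Exit status: 0 if no AES-CBC suite remains, 1 otherwise.
audit_cipher_list() {
  rc=0
  for suite in $(printf '%s\n' "$1" | tr ':' ' '); do
    case "$suite" in
      *AES*GCM*|*AES*CCM*) kind="ok      AEAD mode, requires TLS 1.2 (Option 1)" ;;
      *AES*)               kind="REMOVE  AES-CBC, affected by CVE-2016-2107"; rc=1 ;;
      *DES-CBC3*)          kind="legacy  3-key 3DES fallback, CPU intensive (Option 2)" ;;
      *)                   kind="other   not covered by this article" ;;
    esac
    printf '%-32s %s\n' "$suite" "$kind"
  done
  return $rc
}

# Number of AES-CBC suites in a list, for use in scripts.
count_affected() {
  audit_cipher_list "$1" | grep -c 'REMOVE' || true
}

# Constructed sample lists; a LoadMaster's real assigned set is shown in the WUI.
BEFORE='ECDHE-RSA-AES128-SHA256:AES256-SHA:DES-CBC3-SHA'
OPTION1='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'
OPTION2="$OPTION1:DES-CBC3-SHA"

for list in "$BEFORE" "$OPTION1" "$OPTION2"; do
  if audit_cipher_list "$list"; then
    echo "=> no AES-CBC suites left"
  else
    echo "=> $(count_affected "$list") AES-CBC suite(s) still assigned"
  fi
  echo
done
```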

Will KEMP provide a new version of the LoadMaster Operating System (LMOS) which fixes CVE-2016-2107?

Yes, a hotfix is in development and will be provided after appropriate QA. This article will be updated May 6, 2016 to reflect when that hotfix will be available.

Is KEMP360™ affected?

Potentially – In a terminal, run ‘cat /proc/cpuinfo’ to determine whether the underlying platform supports the AES-NI instructions. If so, please contact support to determine a mitigation strategy.
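An added shell example (not KEMP's) that automates the /proc/cpuinfo check above: Linux lists AES-NI as the "aes" entry on each processor's "flags" line, and the function below looks for exactly that word in /proc/cpuinfo or in any cpuinfo-style file passed to it. The two sample files are constructed.

```shell
#!/bin/sh
# Added example, not KEMP tooling. Reports whether the CPU advertises AES-NI,
# which Linux exposes as the "aes" word on each processor's "flags" line.
# Argument: a cpuinfo-style file (default /proc/cpuinfo). Exit 0 = AES-NI
# present (platform potentially affected), 1 = absent, 2 = file unreadable.
aesni_supported() {
  f=${1:-/proc/cpuinfo}
  [ -r "$f" ] || return 2
  # Match the whole word "aes" on flags lines only, so a model name or a
  # different flag such as "vaes" is not mistaken for it.
  grep -E '^flags[[:space:]]*:' "$f" |
    grep -qE '(^|[[:space:]])aes([[:space:]]|$)'
}

# Constructed samples standing in for two platforms.
tmp=$(mktemp -d)
cat > "$tmp/with_aesni" <<'EOF'
processor   : 0
model name  : constructed sample CPU with AES-NI
flags       : fpu vme de pse tsc msr pae mce sse4_2 aes avx
EOF
cat > "$tmp/without_aesni" <<'EOF'
processor   : 0
model name  : constructed sample CPU without AES-NI
flags       : fpu vme de pse tsc msr pae mce sse4_1 ssse3
EOF

for f in "$tmp/with_aesni" "$tmp/without_aesni"; do
  if aesni_supported "$f"; then
    echo "$f: AES-NI present; AES-CBC cipher suites are affected, apply a mitigation"
  else
    echo "$f: no AES-NI; not affected by CVE-2016-2107"
  fi
done
```

Run it with no argument on the platform itself to test the live /proc/cpuinfo.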

Is KEMP OpenSSL kept up to date?

As part of the KEMP security response process, every new version of OpenSSL and the corresponding patches are evaluated based on a variety of factors (risk mitigation, performance, functionality, etc.). KEMP engineering, in conjunction with the Security Alert team, then decides on the best course of action (backport specific fixes or update OpenSSL in its entirety) and the release mechanism (create a new release, backport to the current/previous release, wait for the next release, etc.). As every vulnerability has a different likelihood of occurrence and a different risk impact, our process is flexible while still protecting our customers.

Does KEMP track upstream security vulnerabilities?

Yes. Our job as a vendor is to understand, manage, and accept residual risk; we have policies and procedures in place to proactively monitor and address security issues when they occur.

We are ultimately responsible for the risk profile of our product, and our goal is to ship with no known vulnerabilities. When vulnerabilities are found, our goal is to communicate honestly and clearly and get fixes out as soon as responsibly possible.

Please contact our support engineers if you have any questions on your LoadMaster configuration. You can open a support ticket here.

Comments

James Rago Global Support Manager

Our 7.1-34.1 release addresses this vulnerability by upgrading OpenSSL to 1.0.2h. This firmware is available now as our current GA release.

mikenorton

LOL: "This article will be updated May 6, 2016 to reflect when that hotfix will be available." Apparently not.

it

This document shows that the LM-3600 appliances ARE NOT affected, but they are. 7.1.34.1 'fixes' the vulnerability that the LM-3600 does not have?