Systems Insight Manager
cancel
Showing results for 
Search instead for 
Did you mean: 

HPE SMH 7.5.5 vulnerable to CVE-2016-2107

bmvm
Occasional Contributor

HPE SMH 7.5.5 vulnerable to CVE-2016-2107

HPE SMH 7.5.5 contains OpenSSL version 1.0.2g which is vulnerable to CVE-2016-2107.  When will embedded OpenSSL be updated to 1.0.2h?  Or, will a patch be released to address this vulnerability?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107

Vendor details:

Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
======================================================

Severity: High

A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server support
AES-NI.

This issue was introduced as part of the fix for Lucky 13 padding
attack (CVE-2013-0169). The padding check was rewritten to be in
constant time by making sure that always the same bytes are read and
compared against either the MAC or padding bytes. But it no longer
checked that there was enough data to have both the MAC and padding
bytes.

OpenSSL 1.0.2 users should upgrade to 1.0.2h

https://www.openssl.org/news/secadv/20160503.txt

1 REPLY
Andrew_Haak
Honored Contributor

Re: HPE SMH 7.5.5 vulnerable to CVE-2016-2107

The latest SMH is the 7.5.5.6, the strange thing is that the release date of this file is in the future. (august 15th)

Still the 1.0.2G version, you could try to increase security by changing the IP restricted Login to the range that you connect from, so not the whole world. You can also change binding if you have more than one Interface to have SMH to listen to the OOB interface and not production. All these don't fix the problem but if you can't access the SMH you can't use the exploit.

 

    • PHP to version 5.5.31
    • Curl to version 7.47.0
    • OpenSSL to version 1.0.2g
    • Libxml2 to version libxml2-2.9.
Kind regards,

Andrew