Wireless Access

Reply
Occasional Contributor I

WebUI & Sweet32 (CVE-2016-2183)

Got dinged by InfoSec for the Sweet32 issue recently. I reviewed the ArubaOS hardening guide and confirmed that we are running the default `web-server profile ciphers high` configuration. The cipher suites in question are: TLS_RSA_WITH_3DES_EDE_CBC_SHA & TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA. I can't find any mention of deprecating those suites in any recent release notes. Is there anyway to disable them manually?

Moderator

Re: WebUI & Sweet32 (CVE-2016-2183)

This should have been resolved under bug 127301 in the following versions:

  • 6.3.1.22
  • 6.4.2.18
  • 6.4.3.10
  • 6.4.4.6
  • 6.5.0.0

I didn't have a look at the release notes to see if/how this was documented though...

 

Here is the actual source code where the ciphersuites are defined, so you can see what is included.  The intent here was to make the non-FIPS version of software behave just like the FIPS version of software.  As you'll see, 3DES has been removed:

#define HIGH_CIPHER_SUITE "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA"
 
#define MEDIUM_CIPHER_SUITE "IDEA-CBC-SHA:RC4-SHA:RC4-MD5:IDEA-CBC-MD5:RC2-CBC-MD5" 

 #define LOW_CIPHER_SUITE "DES-CBC-SHA:DES-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA"

 

---
Jon Green, ACMX, CISSP
Security Guy
Occasional Contributor I

Re: WebUI & Sweet32 (CVE-2016-2183)

Thanks, Jon. I just enumerated ciphers on a couple boxes running 6.4.4.9. They are working as you have described. Thanks for the code snippet. That should be enough to shake the security guys ;).

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: