Security Issue - IBM Domino AES GCM weak nonce generation vulnerability
Daniel Nashed – 29 March 2016 10:02:24
There is a new vulnerability affecting the AES GCM ciphers that were introduced in 9.0.1 FP3 (enabled by default). For very large data transfers, IBM Domino Web servers using TLS with an AES GCM cipher generate a weak nonce, which could potentially be used for a man-in-the-middle attack. The nonce is what keeps GCM safe: a nonce that repeats under the same key leaks the XOR of the two plaintexts and can let an attacker recover the authentication key and forge records, so a weak nonce generator is a real risk on long-lived, high-volume TLS connections.
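To make concrete why a weak nonce matters, here is an added example in Go; it is not code from this post or from IBM and does not reproduce how Domino generated its nonces. It seals two TLS-style records with AES-GCM under one key and a repeated nonce, then shows that a passive man-in-the-middle who knows one plaintext reads the other. The key, the nonce and both records are constructed values; the 4-byte salt plus 8-byte explicit nonce layout is the TLS 1.2 GCM record format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// SealWithNonce encrypts pt with AES-GCM under key and a caller-supplied 12-byte
// nonce and returns ciphertext||tag. In TLS 1.2 the nonce is a 4-byte salt from
// the key block plus an 8-byte explicit part the sender picks per record; that
// explicit part is what a server's nonce generator must never repeat.
func SealWithNonce(key, nonce, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, pt, nil), nil
}

// RecoverUnderNonceReuse models an eavesdropper who captured two records c1 and
// c2 sealed under the same key and the same nonce and knows the plaintext of the
// first. GCM is CTR mode underneath, so both records used the same keystream and
// c1 XOR c2 == p1 XOR p2; XORing the known p1 back in yields p2.
func RecoverUnderNonceReuse(c1, c2, knownP1 []byte, tagSize int) []byte {
	n := len(c2) - tagSize // ciphertext bytes of c2, excluding the tag
	if len(knownP1) < n {
		n = len(knownP1)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i] ^ knownP1[i]
	}
	return out
}

// DemoNonceReuse seals two constructed records under one key, either with a
// repeated nonce or with a fresh one, and returns what the attacker recovers
// of the second record. All values are constructed for the demonstration.
func DemoNonceReuse(reuseNonce bool) ([]byte, error) {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	nonce1 := []byte("saltexplicit")  // constructed: 4-byte salt + 8-byte explicit nonce
	nonce2 := []byte("saltexplicit")  // the weak generator repeats the explicit part
	if !reuseNonce {
		nonce2 = []byte("saltEXPLICIT") // a correct generator gives a distinct nonce
	}
	p1 := []byte("GET /names.nsf?Login HTTP/1.1\r\n") // constructed plaintext the attacker knows
	p2 := []byte("Cookie: DomAuthSessId=SECRET")     // constructed plaintext the attacker wants
	c1, err := SealWithNonce(key, nonce1, p1)
	if err != nil {
		return nil, err
	}
	c2, err := SealWithNonce(key, nonce2, p2)
	if err != nil {
		return nil, err
	}
	return RecoverUnderNonceReuse(c1, c2, p1, 16), nil // GCM tag is 16 bytes
}

func main() {
	leaked, err := DemoNonceReuse(true)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("repeated nonce, recovered: %q\n", leaked)
	fresh, _ := DemoNonceReuse(false)
	fmt.Printf("fresh nonce, recovered:    %q\n", fresh)
}
```

With the repeated nonce the second record's session cookie comes out verbatim; with a fresh nonce the same XOR trick yields noise. Recovering the GHASH key for forgeries takes more algebra than this example, but it follows from the same repeated nonce.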
All Domino 9 versions supporting those ciphers are affected, and there is a new Interim Fix (9.0.1 FP5 IF2) which addresses this issue.
The IBM Domino AES GCM weak nonce generation vulnerability is tracked as SPR #KLYHA6ZP4F.
If you cannot update your server you should change your cipher spec to exclude those ciphers.
The following cipher spec only allows the CBC ciphers and leaves out the six GCM ciphers currently supported.
notes.ini: SSLCipherSpec=C028006BC0140039C0270067C013003D0035003C002F000A
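As an added example (not code from this post or from IBM), the following Go program decodes an SSLCipherSpec value into cipher suite names and reports any GCM suite still present, so you can check that a spec really excludes them. The code-to-name table is the IANA cipher suite registry; that exactly these six GCM suites are the ones Domino 9.0.1 FP3 added is my assumption and should be checked against the cipher list of your own build.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Suite is one TLS cipher suite taken from an SSLCipherSpec value.
type Suite struct {
	Code uint16
	Name string
}

// suiteNames maps IANA cipher suite codes to names. The twelve CBC suites are the
// ones in the cipher spec above; the six GCM suites are, as an assumption, the ones
// Domino 9.0.1 FP3 added.
var suiteNames = map[uint16]string{
	0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
	0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
	0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
	0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
	0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
	0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
	0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
	0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
	0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
	0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
	0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
	0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
	0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
	0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
	0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}

// ParseCipherSpec decodes a Domino SSLCipherSpec value: a run of 4-hex-digit suite
// codes, optionally prefixed with "SSLCipherSpec=". Codes not in the table are kept
// with Name "UNKNOWN" so that nothing is silently dropped from the report.
func ParseCipherSpec(spec string) ([]Suite, error) {
	spec = strings.TrimSpace(spec)
	if i := strings.Index(spec, "="); i >= 0 {
		spec = spec[i+1:]
	}
	raw, err := hex.DecodeString(spec)
	if err != nil {
		return nil, fmt.Errorf("SSLCipherSpec is not hex: %w", err)
	}
	if len(raw)%2 != 0 {
		return nil, fmt.Errorf("SSLCipherSpec does not split into 2-byte suite codes")
	}
	suites := make([]Suite, 0, len(raw)/2)
	for i := 0; i < len(raw); i += 2 {
		code := uint16(raw[i])<<8 | uint16(raw[i+1])
		name, ok := suiteNames[code]
		if !ok {
			name = "UNKNOWN"
		}
		suites = append(suites, Suite{Code: code, Name: name})
	}
	return suites, nil
}

// GCMSuites returns the GCM suites still present in spec. An empty result means the
// workaround really removed them; anything else still exposes the weak nonce path.
func GCMSuites(spec string) ([]Suite, error) {
	suites, err := ParseCipherSpec(spec)
	if err != nil {
		return nil, err
	}
	var gcm []Suite
	for _, s := range suites {
		if strings.Contains(s.Name, "_GCM_") {
			gcm = append(gcm, s)
		}
	}
	return gcm, nil
}

func main() {
	spec := "SSLCipherSpec=C028006BC0140039C0270067C013003D0035003C002F000A"
	suites, err := ParseCipherSpec(spec)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, s := range suites {
		fmt.Printf("%04X %s\n", s.Code, s.Name)
	}
	gcm, _ := GCMSuites(spec)
	fmt.Printf("GCM suites left: %d\n", len(gcm))
}
```

Paste your own notes.ini value into spec; any UNKNOWN entry is a code outside the table and should be looked up by hand rather than assumed safe.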
The better option would be to install IF2.
The new Interim Fix also includes a couple of other fixes, including one for the Domino Console issue introduced by disabling MD5 in the last JVM patch, as posted before.
There is no detail on how SPR #RSSNA6UU79 addresses the console issue. I have not had time to test it in detail yet.
Update 31.3.2016: There is a new issue with the Server Controller if you have applied the JVM fix as well.
The solution is to re-install the latest JVM patch, which apparently contains a fix as well.
See this new blog post for details: http://blog.nashcom.de/nashcomblog.nsf/dx/server-controller-issue-when-applying-9.0.1-fp5-if2.htm
SPRs fixed in 9.0.1 FP5 IF2:
SPR | Description
KLYHA6ZP4F | Security Bulletin: Vulnerability in IBM Domino Web Server TLS AES GCM Nonce Generation (technote 1979604)
EDOE9HZLXH | Using the colon character in the Domino server title breaks the Java console.
MKINA86V2A | The Java console applet needs to be updated for Oracle JVMs.
MKINA85TJB | The Java console applet needs the same fix as SODY9FFEYE (technote 1662233).
MKINA85TEQ | The Java console applet needs the same fix as SODY9DDBD5 (technote 1662233).
PMGYA4CHDZ | Fixes an intermittent Domino server and Notes client crash when an organization is doing a key rollover. The crash occurs on both the client and the server side when trying to connect.
RSSNA6UU79 | Domino Console won't connect even when scontroller is running (technote 1977125).
Details and references:
http://www.ibm.com/support/docview.wss?uid=swg21979604
CVE ID: CVE-2016-0270. Description: IBM Domino contains an unspecified vulnerability that could lead to session snooping using man-in-the-middle techniques.
- Comments [2]
1. Sascha Troll 30.03.2016 16:09:35 (Re: Security Issue - IBM Domino AES GCM weak nonce generation vulnerability)
After installing this fix, I am no longer able to connect to the Domino Console.
Updating to the new client fix 9.0.1FP5SHF237 doesn't change anything either.
I checked the Java security settings, and all the recommendations aren't valid for the security file on my server.
I think I'll have to open a PMR.
2. Craig Wiseman 31.03.2016 12:20:53 (Re: Security Issue - IBM Domino AES GCM weak nonce generation vulnerability)
FWIW,
I installed this patch on my test server (32-bit Domino on Windows) and AMgr crashed the server every time it started... with no logging on why and no NSD.
I then did a clean install of 9.0.1, applied FP5 and then this hotfix, and AMgr still died.
I then rolled back to FP5 and applied IF1, and things are stable. I'm going to look at what agents are scheduled and see if there's something odd with my setup.
FYI/YMMV