Wind River® is aware of and has analyzed the SSLv2 protocol vulnerabilities reported as CVE-2016-0703 (divide-and-conquer session key recovery in SSLv2) and CVE-2016-0704 (Bleichenbacher oracle in SSLv2).
Customers on the latest corresponding rolling cumulative patch layer (RCPL) for their version of Wind River Linux 4, 5, 6, 7, and 8 are not vulnerable.
Customers not on the latest version of software may be vulnerable and should contact Wind River Customer Support or their local Wind River representative for information regarding a fix for their version.
Additional information: This issue has been rated as Severe**.
The openssl code was refactored in March 2015 to remedy CVE-2015-0293. The refactored code is not vulnerable to CVE-2016-0703 and CVE-2016-0704.
Further information can be found on the OpenSSL project site here: https://www.openssl.org/news/secadv/20160301.txt
Remediation
Install the latest available RCPL corresponding to major Wind River Linux release.
Affected Product Information
The following is a list of Wind River products and corresponding RCPL versions that included a fix for CVE-2015-0293. The SSLv2 protocol vulnerabilities do not affect products on more recent RCPL versions than the ones listed below:
Note: *You need an account to access the Knowledge Library.
This report also includes CVE-2016-0800, referred to as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption), which involves a cross-protocol attack that could lead to decryption of a TLS session by using SSLv2 and EXPORT ciphers.
Customers on the latest corresponding RCPL for their version of Wind River Linux 4, 5, 6, 7, and 8 should use the available workaround.
Customers not on the latest version of software may be vulnerable and should contact Wind River Customer Support or their local Wind River representative for information regarding a fix for their version.
Additional information: This issue has been rated as Severe**.
Further information can be found on the OpenSSL project site here: https://www.openssl.org/news/secadv/20160301.txt
Additional information can also be found at https://drownattack.com. The researchers involved with the discovery of this vulnerability have also released a paper titled DROWN: Breaking TLS using SSLv2.
Remediation
The current workaround is to apply a patch for CVE-2015-3197 and disable SSLv2. A patch for CVE-2016-0800 that disables SSLv2 and weak SSLv3 encryption is also recommended.
Affected Product Information
The following is a list of Wind River products and their vulnerability to CVE-2016-0800. For products that are affected, the remediation column identifies he appropriate online support page.
Product |
Vulnerable |
Versions |
Remediation |
Wind River Linux |
Yes |
8.x |
Hot patch |
Wind River Linux |
Yes |
7.x |
Hot patch |
Wind River Linux |
Yes |
6.x |
Hot patch |
Wind River Linux |
Yes |
5.0.1.x |
Hot patch |
Wind River Linux |
Yes |
4.3.0.x |
|
Wind River Intelligent Device Platform |
Yes |
1.0, 2.0.x |
Hot patch |
Wind River Intelligent Device Platform XT |
Yes |
3.0.x |
Hot patch |