Wind River® is aware of and has analyzed the SSLv2 protocol vulnerabilities reported as CVE-2016-0703 (divide-and-conquer session key recovery in SSLv2) and CVE-2016-0704 (Bleichenbacher oracle in SSLv2).

Customers on the latest corresponding rolling cumulative patch layer (RCPL) for their version of Wind River Linux 4, 5, 6, 7, and 8 are not vulnerable.


Customers not on the latest version of software may be vulnerable and should contact Wind River Customer Support or their local Wind River representative for information regarding a fix for their version.


Additional information: This issue has been rated as Severe**.


The openssl code was refactored in March 2015 to remedy CVE-2015-0293. The refactored code is not vulnerable to CVE-2016-0703 and CVE-2016-0704.


Further information can be found on the OpenSSL project site here: https://www.openssl.org/news/secadv/20160301.txt


** https://knowledge.windriver.com/en-us/020_Product_Support_Policies/010/000_Security_Vulnerability_Response_Policy

Remediation

Install the latest available RCPL corresponding to major Wind River Linux release.

Affected Product Information


The following is a list of Wind River products and corresponding RCPL versions that included a fix for CVE-2015-0293. The SSLv2 protocol vulnerabilities do not affect products on more recent RCPL versions than the ones listed below:



Product

Versions

RCPL with fix

Wind River Linux

8.x

Not vulnerable

Wind River Linux

7.x

Rolling Cumulative Patch Layer (RCPL4)
https://knowledge.windriver.com/en-us/000_Products/000/010/000/000/000_Wind_River_Linux_7.0.0.4 *

Wind River Linux

6.x

Rolling Cumulative Patch Layer (RCPL19)
https://knowledge.windriver.com/en-us/000_Products/000/010/010/000/000_Wind_River_Linux_6.0.0.19 *

Wind River Linux

5.0.1.x

Rolling Cumulative Patch Layer (RCPL25)
https://knowledge.windriver.com/en-us/000_Products/000/010/020/000/000_Wind_River_Linux_5.0.1.25

Wind River Linux

4.3.0.x

Rolling Cumulative Patch Layer (RCPL29)
https://knowledge.windriver.com/en-us/000_Products/000/010/030/000/000_Rolling_Cumulative_Patch_Layer_29_for_Wind_River_Linux_4.0___Update_Pack_3 *

Wind River Intelligent Device Platform

1.0, 2.0.x

Rolling Cumulative Patch Layer (RCPL25)
https://knowledge.windriver.com/en-us/000_Products/000/010/020/000/000_Wind_River_Linux_5.0.1.25 *

Wind River Intelligent Device Platform XT

3.0.x

Rolling Cumulative Patch Layer (RCPL4)
https://knowledge.windriver.com/en-us/000_Products/000/010/000/000/000_Wind_River_Linux_7.0.0.4 *



Note: *You need an account to access the Knowledge Library.


This report also includes CVE-2016-0800, referred to as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption), which involves a cross-protocol attack that could lead to decryption of a TLS session by using SSLv2 and EXPORT ciphers.


Customers on the latest corresponding RCPL for their version of Wind River Linux 4, 5, 6, 7, and 8 should use the available workaround.


Customers not on the latest version of software may be vulnerable and should contact Wind River Customer Support or their local Wind River representative for information regarding a fix for their version.


Additional information: This issue has been rated as Severe**.

Further information can be found on the OpenSSL project site here: https://www.openssl.org/news/secadv/20160301.txt


Additional information can also be found at https://drownattack.com. The researchers involved with the discovery of this vulnerability have also released a paper titled DROWN: Breaking TLS using SSLv2.


** https://knowledge.windriver.com/en-us/020_Product_Support_Policies/010/000_Security_Vulnerability_Response_Policy

Remediation

The current workaround is to apply a patch for CVE-2015-3197 and disable SSLv2. A patch for CVE-2016-0800 that disables SSLv2 and weak SSLv3 encryption is also recommended.

Affected Product Information


The following is a list of Wind River products and their vulnerability to CVE-2016-0800. For products that are affected, the remediation column identifies he appropriate online support page.



Product

Vulnerable

Versions

Remediation

Wind River Linux

Yes

8.x

Hot patch
http://edelivery.windriver.com/release/ols/0005-WRL8-CVE-2016-0800.patch

Wind River Linux

Yes

7.x

Hot patch
http://edelivery.windriver.com/release/ols/0005-WRL7-CVE-2016-0800.patch

Wind River Linux

Yes

6.x

Hot patch
http://edelivery.windriver.com/release/ols/0005-WRL6-CVE-2016-0800.patch

Wind River Linux

Yes

5.0.1.x

Hot patch
http://edelivery.windriver.com/release/ols/0005-WRL5-101-CVE-2016-0800.patch

Wind River Linux

Yes

4.3.0.x

Contact local customer support

Wind River Intelligent Device Platform

Yes

1.0, 2.0.x

Hot patch
http://edelivery.windriver.com/release/ols/0005-WRL5-101-CVE-2016-0800.patch

Wind River Intelligent Device Platform XT

Yes

3.0.x

Hot patch
http://edelivery.windriver.com/release/ols/0005-WRL7-CVE-2016-0800.patch