search cancel

Is Symantec Messaging Gateway vulnerable to CVE-2016-2183 aka Sweet32

book

Article ID: 163850

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

A vulnerability scanner indicates that Messaging Gateway (SMG) may be affected by CVE-2016-2183 / Sweet32.

Cause

From mitre.org:

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Resolution

No supported releases of Messaging Gateway are vulnerable to the "Sweet 32" vulnerability although some vulnerability scanners may report a false positive.

  • HTTPS: Not vulnerable. Web Interface (ports 443,8443,41443) - “Sweet 32” depends on a 64 bit key. Current versions of SMG use 112 to 168 bits for Triple DES and is immune to 64 bit DES issues such as “sweet 32”.
  • SMTP/TLS: (port 25) The version of OpenSSL SMG includes a fix for CVE-2016-2183.