CVE-2016-2107 AES-NI CBC MAC Check

Article ID: 382748


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

External Vulnerability scan returns the following on PAM nodes:

The Exploit-DB
Reference: CVE-2016-2107
Description: OpenSSL - Padding Oracle in AES-NI CBC MAC Check - The Exploit-DB Ref : 39768

exploitdb
Reference: CVE-2016-2107
Description: OpenSSL - Padding Oracle in AES-NI CBC MAC Check

Reference: CVE-2016-2107
Description: OpenSSL - Weak KDF

0day.today
Reference: CVE-2016-2107
Description: OpenSSL - Padding Oracle in AES-NI CBC MAC Check

github-exploits
Reference: CVE-2016-2107
Description: FiloSottile/CVE-2016-2107 exploit repository

Cause

PAM has TLS 1.0 and 1.1 enabled. 

Resolution

Disable TLS 1.0 and 1.1 (PAM UI >> Configuration >> Security >> Access >> TLS v1.0/1.1 Connection Allowed) so that PAM no longer uses CBC ciphers and uses only the stronger GCM TLS 1.2 ciphers. To see the exact ciphers used in TLS 1.2, view:

PAM UI >> Configuration >> Security >> Cryptography >> TLS 1.2 ciphers
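
To confirm the setting took effect before the next external scan, the check below pins a client to each protocol version and reports what the node still accepts. It is an added example, not part of the original article or of the product's tooling; the probe labels, the function names and the host name in the usage note are assumptions made for illustration.

```python
import socket, ssl, warnings

V = ssl.TLSVersion
# label -> (pinned protocol version, OpenSSL cipher string the client offers)
PROBES = {
    "TLSv1.0": (V.TLSv1, "DEFAULT:@SECLEVEL=0"),
    "TLSv1.1": (V.TLSv1_1, "DEFAULT:@SECLEVEL=0"),
    "TLSv1.2": (V.TLSv1_2, "DEFAULT:@SECLEVEL=0"),
    "TLSv1.2 non-GCM only": (V.TLSv1_2, "DEFAULT:!AESGCM:@SECLEVEL=0"),
}

def probe(host, port, version, ciphers, timeout=5.0):
    """One handshake pinned to `version`; returns (status, cipher or None)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol and cipher are under test,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    try:
        with warnings.catch_warnings():  # pinning TLS 1.0/1.1 warns as deprecated
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.set_ciphers(ciphers)
            ctx.minimum_version = ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return ("client-unsupported", None)  # local OpenSSL cannot offer this
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("unreachable", None)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("accepted", tls.cipher()[0])
    except (ssl.SSLError, OSError):
        return ("rejected", None)
    finally:
        raw.close()

def assess(results):
    """results: label -> (status, cipher). An empty list means the fix holds."""
    findings = []
    for label, (status, cipher) in results.items():
        if status in ("client-unsupported", "unreachable"):
            findings.append(f"{label}: not tested ({status})")
        elif label == "TLSv1.2":
            if status != "accepted" or "GCM" not in cipher:
                findings.append(f"TLSv1.2: expected a GCM suite, got {cipher}")
        elif status == "accepted":
            findings.append(f"{label}: still accepted ({cipher})")
    return findings

def audit(host, port=443):
    return assess({k: probe(host, port, v, c) for k, (v, c) in PROBES.items()})
```

Call `audit("pam.example.internal")` with the address of a PAM node (the name here is a placeholder); an empty list means TLS 1.0/1.1 and non-GCM suites were refused and TLS 1.2 negotiated a GCM suite. A "not tested" finding means the local OpenSSL build or the network path prevented the probe, so the result says nothing about the node.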