Important Information Regarding Sweet32 Vulnerability (CVE-2016-2183)

2016-11-02 12:00:00

Severity
Moderate
Status
Resolved

Description

The DES/3DES ciphers, widely used in TLS, SSH, IPSec and other protocols, have become more vulnerable due to the rapid growth of technology today.

Since this vulnerability is not caused by a flaw in the design but the encryption algorithm being not strong enough to handle the current technology, the only way to mitigate the issue is to disable these ciphers in related modules.

Severity

Medium

Mitigation

DSM 6.0

  • Control Panel > Security > Advanced > TLS / SSL Cipher Suites > Modern compatibility

DSM 5.2

  • Login via SSH
    1. # /bin/sed -i 's,SSLCipherSuite .*,SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256,' /etc/httpd/conf/extra/httpd-ssl.conf-cipher
    2. # /sbin/restart httpd-sys
    3. # /sbin/restart httpd-user

OpenVPN server

  • Login via SSH
    1. # /bin/echo """"cipher AES-256-CBC"""" >> /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf
    2. # /bin/echo """"cipher AES-256-CBC"""" >> /var/packages/VPNCenter/target/etc/openvpn/keys/openvpn.ovpn
    3. # /var/packages/VPNCenter/target/scripts/openvpn.sh restart
    4. After configuring OpenVPN server, you should export the configuration settings (.ovpn) and re-configure the client.

MailPlus

  • Execute the following scripts under SSH mode
  1. Download the two scripts from here:
  2. The above settings should be re-applied whenever the re-installation or upgrade is done.