Important Information Regarding Sweet32 Vulnerability (CVE-2016-2183)
Publish Time: 2016-11-02 00:00:00 UTC+8
Last Updated: 2016-11-02 12:00:00 UTC+8
- Severity: Moderate
- Status: Resolved
Description
The DES/3DES ciphers, widely used in TLS, SSH, IPSec and other protocols, have become more vulnerable as technology has advanced.
Because this vulnerability is caused not by a flaw in the design but by the encryption algorithm no longer being strong enough against current technology, the only way to mitigate the issue is to disable these ciphers in the related modules.
Severity
Medium
Mitigation
DSM 6.0
- Control Panel > Security > Advanced > TLS / SSL Cipher Suites > Modern compatibility
DSM 5.2
- Log in via SSH
- # /bin/sed -i 's,SSLCipherSuite .*,SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256,' /etc/httpd/conf/extra/httpd-ssl.conf-cipher
- # /sbin/restart httpd-sys
- # /sbin/restart httpd-user
OpenVPN server
- Log in via SSH
- # /bin/echo "cipher AES-256-CBC" >> /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf
- # /bin/echo "cipher AES-256-CBC" >> /var/packages/VPNCenter/target/etc/openvpn/keys/openvpn.ovpn
- # /var/packages/VPNCenter/target/scripts/openvpn.sh restart
- After configuring OpenVPN server, you should export the configuration settings (.ovpn) and re-configure the client.
MailPlus
- Execute the following scripts under SSH mode
- Download the two scripts from here:
  - CVE-2016-2183_Mitigation_MailPlus-Server.sh
    SHA-256: CB43DA2CF1B11C87AA662809BA40E94D350027C3C25676FFEB4F0E86A7B15FF7
  - CVE-2016-2183_Mitigation_MailServer.sh
    SHA-256: A43BAE132C9338B4EACC9C4C9A8646A06E136197AB1191FE10F85E09CA932802
- The above settings should be re-applied whenever a re-installation or upgrade is performed.
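To confirm that the DSM 5.2 and OpenVPN changes above are still in place, for instance after an upgrade, the following added example (not Synology's code) lists any DES/3DES cipher that a configuration file still enables through an `SSLCipherSuite` or `cipher` line. The function names and the sample files are constructed for illustration; on a real system, pass the configuration paths from the steps above to `audit_conf`.

```shell
#!/bin/sh
# Added example (not Synology's code): list DES/3DES ciphers a config file
# still enables, from Apache "SSLCipherSuite" and OpenVPN "cipher" lines.

weak_ciphers_in() {
    awk '
        /^[ \t]*[#;]/ { next }                 # commented-out directive
        $1 == "SSLCipherSuite" || $1 == "cipher" {
            v = $NF; gsub(/"/, "", v)          # cipher spec is the last field
            n = split(v, tok, ":")
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t ~ /^[!-]/) continue      # "!X" and "-X" remove suites
                if (toupper(t) ~ /(^|[-+_])(3DES|DES)([-+_]|$)/) print t
            }
        }
    ' "$1"
}

# Returns 0 when no DES/3DES cipher is enabled, 1 otherwise.
audit_conf() {
    found=$(weak_ciphers_in "$1")
    if [ -z "$found" ]; then return 0; fi
    for c in $found; do printf '%s: weak cipher enabled: %s\n' "$1" "$c"; done
    return 1
}

# Constructed sample files: names and "before" values are made up.
write_samples() {
    printf '%s\n' '# SSLCipherSuite DES-CBC3-SHA' \
        'SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!aNULL' \
        > "$1/httpd-before.conf"
    printf '%s\n' \
        'SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!3DES' \
        > "$1/httpd-after.conf"
    printf '%s\n' 'cipher DES-EDE3-CBC' > "$1/vpn-before.conf"
    printf '%s\n' 'cipher AES-256-CBC' > "$1/vpn-after.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.conf; do
    if audit_conf "$f"; then printf '%s: ok\n' "$f"; fi
done
rm -rf "$tmp"
```

Only explicitly named suites are matched; keyword aliases such as `HIGH` or `DEFAULT` are not expanded, so expand those with `openssl ciphers -v` on the target system before relying on the result.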