
[Vulnerability notice] CVE-2016-2107: Man-in-the-middle hijacking vulnerability in AES-NI CBC in OpenSSL

Last Updated: Nov 17, 2017

Description

Security experts discovered a new type of man-in-the-middle attack, tracked as CVE-2016-2107.

When a client uses an AES_128_CBC or AES_256_CBC cipher suite to communicate with a server that supports AES-NI, an attacker may intercept the traffic between the client and the server and decrypt it by manipulating the padding of data blocks, resulting in a man-in-the-middle hijack.

Fix

Note: Create a snapshot of the server before applying the fix so that you can recover if the fix fails.

  1. Identify the service that uses port 443, and then update the OpenSSL that the program depends on (this is not necessarily the OpenSSL that comes with the system).

    • We recommend that you update your OpenSSL to the latest version.
    • OpenSSL 1.0.2 must be upgraded to 1.0.2h or later.
    • OpenSSL 1.0.1 must be upgraded to 1.0.1t or later.
    • OpenSSL 1.0.0 or earlier must be upgraded to 1.0.1t or later.
  2. After the update, restart the service that uses port 443.
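
To confirm that the OpenSSL a service depends on meets the thresholds above, the following added example (not part of the original notice) classifies the version printed by `openssl version`. The function names `version_from_banner` and `cve_2016_2107_status` are hypothetical, and the banner lines are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the notice): classify OpenSSL versions against the
# fixed releases the notice lists, 1.0.2h and 1.0.1t.
LC_ALL=C; export LC_ALL   # byte-ordered [x-z] ranges in the patterns below

# version_from_banner 'OpenSSL 1.0.2g  1 Mar 2016' prints 1.0.2g
version_from_banner() {
    case "$1" in
        "OpenSSL "*) b=${1#OpenSSL }; printf '%s\n' "${b%% *}" ;;
        *) return 1 ;;
    esac
}

# cve_2016_2107_status VERSION prints fixed, vulnerable or unlisted
cve_2016_2107_status() {
    v=${1%%-*}                      # drop build tags such as "-fips"
    case "$v" in
        1.0.2|1.0.2[a-z]*) letter=${v#1.0.2}; min=h ;;
        1.0.1|1.0.1[a-z]*) letter=${v#1.0.1}; min=t ;;
        0.*|1.0.0*)        echo vulnerable; return 0 ;;  # must move to 1.0.1t+
        *)                 echo unlisted;   return 0 ;;  # branch not in notice
    esac
    # Letter releases run a..z, then za, zb, ...; a suffix that starts at or
    # after the minimum letter is the fixed release or a later one.
    case "$letter" in
        [$min-z]*) echo fixed ;;
        *)         echo vulnerable ;;
    esac
}

# Constructed sample banners in the format printed by `openssl version`.
# For a real check, feed in: "$(/path/used/by/the/service/openssl version)"
while IFS= read -r banner; do
    ver=$(version_from_banner "$banner") || continue
    printf '%-14s %s\n' "$ver" "$(cve_2016_2107_status "$ver")"
done <<'EOF'
OpenSSL 1.0.2g  1 Mar 2016
OpenSSL 1.0.2h  3 May 2016
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1t  3 May 2016
OpenSSL 1.0.0s 11 Jun 2015
EOF
```

A result of `vulnerable` for a distribution package is a prompt to check the vendor's advisory, because distributions commonly backport fixes without changing the upstream version letter. `unlisted` means the notice names no threshold for that branch.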
