Important Information Regarding Sweet32 Vulnerability (CVE-2016-2183)

Publish Time: 2016-11-02 00:00:00 UTC+8

Last Updated: 2016-11-02 12:00:00 UTC+8

Description

The DES/3DES ciphers, widely used in TLS, SSH, IPSec and other protocols, have become more vulnerable due to the rapid growth of technology today.

Since this vulnerability is not caused by a flaw in the design but the encryption algorithm being not strong enough to handle the current technology, the only way to mitigate the issue is to disable these ciphers in related modules.

Severity

Medium

Mitigation

DSM 6.0

Control Panel > Security > Advanced > TLS / SSL Cipher Suites > Modern compatibility

DSM 5.2

Login via SSH

# /bin/sed -i 's,SSLCipherSuite .*,SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256,' /etc/httpd/conf/extra/httpd-ssl.conf-cipher

# /sbin/restart httpd-sys

# /sbin/restart httpd-user

OpenVPN server

Login via SSH

# /bin/echo """"cipher AES-256-CBC"""" >> /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf

# /bin/echo """"cipher AES-256-CBC"""" >> /var/packages/VPNCenter/target/etc/openvpn/keys/openvpn.ovpn

# /var/packages/VPNCenter/target/scripts/openvpn.sh restart

After configuring OpenVPN server, you should export the configuration settings (.ovpn) and re-configure the client.

MailPlus

Execute the following scripts under SSH mode

Download the two scripts from here:

CVE-2016-2183_Mitigation_MailPlus-Server.sh
SHA-256:CB43DA2CF1B11C87AA662809BA40E94D350027C3C25676FFEB4F0E86A7B15FF7

CVE-2016-2183_Mitigation_MailServer.sh
SHA-256:A43BAE132C9338B4EACC9C4C9A8646A06E136197AB1191FE10F85E09CA932802

The above settings should be re-applied whenever the re-installation or upgrade is done.