Return
-
Title
Kace Response to Sweet32 Vulnerability (CVE-2016-2183) -
Description
The KACE Systems Management Appliance is a comprehensive systems management solution that streamlines asset management, secures all network connected devices, and more efficiently services end user systems – giving resource constrained IT organizations more time to innovate.Sweet32 is an attack that takes advantage of design weaknesses in some ciphers. The vulnerable ciphers (Triple-DES and Blowfish) are used in common Internet protocols. Researchers found that 1–2% of all HTTPS web servers use Triple-DES, and even less (0.6%) are configured such that they are vulnerable to this attack. The attacker needs to keep the victim on the page hosting the malicious JavaScript for one to two days, in order to generate enough ciphertext blocks to find a collision. -
Resolution
On the 7.0 version of the KACE Systems Management Appliance, the only long standing connection between clients and the KACE server is our proprietary KONEA to KONEAS connection which does not contain customer information. All other SSL connections are short in nature making the appliance unsusceptible to this vulnerability. As such, KACE has deemed this a low severity with a very low impact.
OpenSSL will be updated in an upcoming release to remediate this vulnerability.
-
Defect ID
ESMP-5050