Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32


#1

Hello All,

I have Peplink Balance 20 that is failing PCI compliance due to “Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32”.

How can this be disabled?

From the PCI scan:

This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Triple DES (3DES) block ciphers, with a block size of 64 bits, have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.

This issue can be avoided by disabling block ciphers of 64-bit length (like DES/3DES) in all the SSL/TLS servers. Exact procedure depends on the actual implementation. Please refer to the documentation of your SSL/TLS server software and actual service software (http server, mail server, etc).
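As an added example (not code from the original thread or from Peplink), the following Python script shows what a PCI scanner is looking for: it flags cipher suites built on a 64-bit block cipher in a configured cipher list, and computes the birthday bound that gives Sweet32 its name. The suite list is constructed for illustration and is not the Balance 20's actual configuration.

```python
# Audit a TLS cipher-suite list for Sweet32-affected suites and show why a
# 64-bit block size is the problem. The suite names below are constructed
# sample input, not a real device configuration.

def uses_64bit_block_cipher(suite: str) -> bool:
    """True if a cipher suite name (IANA style such as
    TLS_RSA_WITH_3DES_EDE_CBC_SHA, or OpenSSL style such as DES-CBC3-SHA)
    uses a cipher with a 64-bit block: DES, 3DES, IDEA or RC2."""
    name = suite.upper()
    # In IANA names the cipher follows "_WITH_"; OpenSSL names carry it directly.
    body = name.split("_WITH_", 1)[1] if "_WITH_" in name else name
    return any(tag in body for tag in ("DES", "IDEA", "RC2"))


def audit_cipher_list(suites):
    """Split a cipher list into (sweet32_affected, unaffected)."""
    weak = [s for s in suites if uses_64bit_block_cipher(s)]
    return weak, [s for s in suites if s not in weak]


def birthday_bound_blocks(block_bits: int) -> int:
    """Blocks after which a ciphertext-block collision is expected: 2^(b/2).
    For a 64-bit block this is 2^32, about 4 billion blocks."""
    return 2 ** (block_bits // 2)


def bytes_at_birthday_bound(block_bits: int) -> int:
    """Ciphertext volume at the birthday bound (blocks times block size in bytes)."""
    return birthday_bound_blocks(block_bits) * (block_bits // 8)


def collision_probability(num_blocks: int, block_bits: int) -> float:
    """Approximate probability of at least one block collision among
    num_blocks CBC ciphertext blocks: n^2 / 2^(b+1), capped at 1."""
    return min(1.0, num_blocks ** 2 / 2 ** (block_bits + 1))


SAMPLE_OFFERED_SUITES = [  # constructed sample input
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    weak, ok = audit_cipher_list(SAMPLE_OFFERED_SUITES)
    print("Sweet32-affected suites to disable:", weak)
    for bits in (64, 128):
        gib = bytes_at_birthday_bound(bits) / 2 ** 30
        print(f"{bits}-bit block: collision expected after ~{gib:.0f} GiB "
              f"(p={collision_probability(2 ** 32, bits):.2e} at 2^32 blocks)")
```

Running it shows the contrast that matters for PCI: with a 64-bit block, a 50% collision chance is reached after about 32 GiB of traffic under one key, while a 128-bit block cipher such as AES is nowhere near its bound at the same volume.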


#2

Hi Eric,

Thank you for your patience with our reply on this. We had identified the issue on December 1 of 2016 and our firmware is currently being improved to address this. The fix is anticipated to be in place with the next firmware release and there has not yet been a target date set for that release. Please stay tuned for additional information as it becomes available.

Thank you Eric.


#3

Any update for this fix? I have several locations failing PCI scans due to this vulnerability.

Thank you.


#4

The fix will be available in v7.0.1. We target a release in Q2 of 2017. Stay tuned.


#5

Was this issue resolved with v7.0.1? I do not see anything in the release notes stating that this was fixed.


#6

Yes, this is resolved in v7.0.1. We will update the Release Note accordingly.

Thank you.