Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

Eric_Langley · January 17, 2017, 8:37am

Hello All,

I have Peplink Balance 20 that is failing PCI compliance due to “Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32”.

How can this be disabled?

From the PCI scan:

This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Tripple DES (3DES) block ciphers with a block size of 64 bits, have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.

This issue can by avoided by disabling block ciphers of 64 bit length (like DES/3DES) in all the SSL/TLS servers. Exact procedure depends on the actual implementation. Please refer to the documentation of your SSL/TLS server software and actual service software (http server, mail server, etc).

Jeffrey.R · January 27, 2017, 11:44am

Hi Eric,

Thank you for your patience with our reply on this. We had identified the issue on December 1 of 2016 and our firmware is currently being improved to address this. The fix is anticipated to be in place with the next firmware release and there has not yet been a target date set for that release. Please stay tuned for additional information as it becomes available.

Thank you Eric.

Chad · March 8, 2017, 10:10am

Any update for this fix? I have several locations failing PCI scans due to this vulnerability.

Thank you.

TK_Liew · March 9, 2017, 12:29am

The fixed will be available on v7.0.1. We target to release in Q2 of 2017. Stay tuned.

TwistedResistor · July 27, 2017, 1:26pm

Was this issue resolved with v7.0.1? I do not see anything in the release notes stating that this was fixed.

TK_Liew · July 27, 2017, 8:55pm

Yes, this is resolved in v7.0.1. We will update the Release Note accordingly.

Thank you.

DKonkin · August 27, 2019, 5:32am

Hi - We have also received a pentest report citing this vulnerability from a customer with many sites using HW that doesn’t support firmware 7. It would be great if we could limit inbound sessions to trusted subnets for speedfusion/pepvpn.

What do we do?

Thanks
Dana

TK_Liew · August 28, 2019, 8:52pm

@DKonkin, new hardware platform with latest firmware version is recommended since all the fixes are available there. For the old hardware platform, we do have the fix for this. Please share the model.

DKonkin · January 28, 2020, 3:52am

Hi again, my apology for not responding sooner. We are looking at migrating to 8.0.2 for as many sites as possible. Does 8.0.2 resolve this issue by default, or does it require specific configuration to resolve?

Thank you,
Dana

TK_Liew · January 29, 2020, 1:53am

@DKonkin, it resolved by default.

hcg · May 11, 2020, 8:25am

Hello,
This article is about DES and 3DES use. Now that all FW 8 speedfusion use TLS1.2 what encrytion standards are used for FW 8 speedfusion and can any be disabled?

See also Add TLS 1.3 support - #7 by hcg

Thank you.
HCG