CVE-2016-0270
Summary
| CVE | CVE-2016-0270 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-02-08 16:59:00 UTC |
| Updated | 2017-11-15 02:29:00 UTC |
| Description | IBM Domino 9.0.1 Fix Pack 3 Interim Fix 2 through 9.0.1 Fix Pack 5 Interim Fix 1, when using TLS and AES GCM, uses random nonce generation, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce in a session and a "forbidden attack." NOTE: this CVE has been incorrectly used for GCM nonce reuse issues in other products; see CVE-2016-10213 for the A10 issue, CVE-2016-10212 for the Radware issue, and CVE-2017-5933 for the Citrix issue. |
Risk And Classification
Problem Types: CWE-200
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ibm | Client Application Access | 1.0.0.1 | All | All | All |
| Application | Ibm | Client Application Access | 1.0.0.1 | All | All | All |
| Application | Ibm | Domino | 9.0.1.3 | All | All | All |
| Application | Ibm | Domino | 9.0.1.4 | All | All | All |
| Application | Ibm | Domino | 9.0.1.5 | All | All | All |
| Application | Ibm | Domino | 9.0.1.3 | All | All | All |
| Application | Ibm | Domino | 9.0.1.4 | All | All | All |
| Application | Ibm | Domino | 9.0.1.5 | All | All | All |
| Application | Ibm | Notes | 9.0.1.3 | All | All | All |
| Application | Ibm | Notes | 9.0.1.4 | All | All | All |
| Application | Ibm | Notes | 9.0.1.5 | All | All | All |
| Application | Ibm | Notes | 9.0.1.3 | All | All | All |
| Application | Ibm | Notes | 9.0.1.4 | All | All | All |
| Application | Ibm | Notes | 9.0.1.5 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| GitHub - nonce-disrespect/nonce-disrespect: Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS | MISC | github.com | Third Party Advisory |
| IBM Security Bulletin: Vulnerability in IBM Client Application Access TLS AES GCM Nonce Generation (CVE-2016-0270) - United States | CONFIRM | www-01.ibm.com | Mitigation, Patch, Vendor Advisory |
| Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway GCM nonce generation | CONFIRM | support.citrix.com | |
| Citrix NetScaler Nonce Generation Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker | SECTRACK | www.securitytracker.com | |
| IBM Security Bulletin: Vulnerability in IBM Domino Web Server TLS AES GCM Nonce Generation - United States | CONFIRM | www-01.ibm.com | Mitigation, Patch, Vendor Advisory |
| IBM Security Bulletin: Vulnerability in IBM Notes TLS AES GCM Nonce Generation (CVE-2016-0270) - United States | CONFIRM | www-01.ibm.com | Mitigation, Patch, Vendor Advisory |
| IBM Domino CVE-2016-0270 Information Disclosure Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.