CVE-2016-0270

Published on: 02/08/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:12 PM UTC

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Certain versions of IBM Client Application Access (and related IBM Domino and IBM Notes releases, see the affected configurations below) contain the following vulnerability:

IBM Domino 9.0.1 Fix Pack 3 Interim Fix 2 through 9.0.1 Fix Pack 5 Interim Fix 1, when using TLS and AES GCM, uses random nonce generation, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce in a session and a "forbidden attack." NOTE: this CVE has been incorrectly used for GCM nonce reuse issues in other products; see CVE-2016-10213 for the A10 issue, CVE-2016-10212 for the Radware issue, and CVE-2017-5933 for the Citrix issue.

  • CVE-2016-0270 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.

CVSS3 Score: 5.9 - MEDIUM

Attack Vector:          NETWORK
Attack Complexity:      HIGH
Privileges Required:    NONE
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       NONE
Availability Impact:    NONE

CVSS2 Score: 4.3 - MEDIUM

Access Vector:          NETWORK
Access Complexity:      MEDIUM
Authentication:         NONE
Confidentiality Impact: PARTIAL
Integrity Impact:       NONE
Availability Impact:    NONE

CVE References

Each reference lists its description, the tags assigned to it, and the link (source type followed by the URL).

GitHub - nonce-disrespect/nonce-disrespect: Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS
  Tags: Third Party Advisory
  Link: MISC github.com/nonce-disrespect/nonce-disrespect

IBM Security Bulletin: Vulnerability in IBM Client Application Access TLS AES GCM Nonce Generation (CVE-2016-0270) - United States
  Tags: Mitigation, Patch, Vendor Advisory
  Link: CONFIRM www-01.ibm.com/support/docview.wss?uid=swg21979673 (link inactive; not archived at web.archive.org)

Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway GCM nonce generation
  Tags: none
  Link: CONFIRM support.citrix.com/article/CTX220329

Citrix NetScaler Nonce Generation Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker
  Tags: none
  Link: SECTRACK 1037795 (www.securitytracker.com)

IBM Security Bulletin: Vulnerability in IBM Domino Web Server TLS AES GCM Nonce Generation - United States
  Tags: Mitigation, Patch, Vendor Advisory
  Link: CONFIRM www-01.ibm.com/support/docview.wss?uid=swg21979604 (link inactive; not archived at web.archive.org)

IBM Security Bulletin: Vulnerability in IBM Notes TLS AES GCM Nonce Generation (CVE-2016-0270) - United States
  Tags: Mitigation, Patch, Vendor Advisory
  Link: CONFIRM www-01.ibm.com/support/docview.wss?uid=swg21979669 (link inactive; not archived at web.archive.org)

IBM Domino CVE-2016-0270 Information Disclosure Vulnerability
  Tags: Third Party Advisory, VDB Entry
  Link: BID 96062 (cve.report archive)

Known Affected Configurations (CPE V2.3)

Type         Vendor  Product                    Version  Update  Edition  Language
Application  IBM     Client Application Access  1.0.0.1  All     All      All
Application  IBM     Domino                     9.0.1.3  All     All      All
Application  IBM     Domino                     9.0.1.4  All     All      All
Application  IBM     Domino                     9.0.1.5  All     All      All
Application  IBM     Notes                      9.0.1.3  All     All      All
Application  IBM     Notes                      9.0.1.4  All     All      All
Application  IBM     Notes                      9.0.1.5  All     All      All

  • cpe:2.3:a:ibm:client_application_access:1.0.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:domino:9.0.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:domino:9.0.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:domino:9.0.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:notes:9.0.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:notes:9.0.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:notes:9.0.1.5:*:*:*:*:*:*:*