How to Apply a Workaround for the OpenSSL CVE-2016-2107 Vulnerability

This article describes how to apply a quick workaround so that your Axigen installation is no longer vulnerable.

Solution

About OpenSSL CVE-2016-2107

You can test if your system is vulnerable using the online tool available at: https://filippo.io/CVE-2016-2107/

The information about the OpenSSL CVE-2016-2107 vulnerability is available at the link: https://www.openssl.org/news/secadv/20160503.txt

Also, a detailed presentation is available at: https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/, from which we quote the paragraph below:

"when the connection uses AES-CBC (for example because the server or the client don’t support TLS 1.2 yet) and the server’s processor supports AES-NI, a skilled MitM attacker can recover at least 16 bytes of anything it can get the client to send repeatedly just before attacker-controlled data (like HTTP Cookies, using JavaScript cross-origin requests)."

Our recommendation is to use exclusively TLS1.1 and TLS1.2 at least for the Webmail, IMAP and POP3 listeners.

How to disable AES-NI

The workaround disables AES-NI support in the OpenSSL library used by Axigen by exporting the OPENSSL_ia32cap environment variable with the value indicated below:

export OPENSSL_ia32cap="~0x200000200000000"

This line needs to be added to Axigen's init script, as below:

  • on RPM based Linux distributions, add the line to the end of the file:
    /etc/sysconfig/axigen
  • on DEB based Linux distributions, add the line to the end of the file:
    /etc/default/axigen
  • on FreeBSD systems, add the line to the file /usr/local/etc/rc.d/axigen.sh, under the other global variables:

    #!/bin/sh
    # AXIGEN rcscript for BSD systems
    # Copyright (c) since 2005, Axigen Messaging

    # For any feedback, please contact:
    # "AXIGEN Team" <team@axigen.com>

    AXIGEN_BIN_DIR="/usr/local/axigen/bin"
    AXIGEN_DATA_DIR="/var/axigen"
    AXIGEN_ETC_DIR="/usr/local/axigen/etc"
    AXIGEN_DAEMON_BIN="${AXIGEN_BIN_DIR}/axigen"
    AXIGEN_PID_FILE="${AXIGEN_DATA_DIR}/run/axigen.pid"
    AXIGEN_DAEMON_OPT=""
    AXIGEN_SSL_CERT=${AXIGEN_DATA_DIR}/axigen_cert.pem
    AXIGEN_SSL_DH=${AXIGEN_DATA_DIR}/axigen_dh.pem

    export OPENSSL_ia32cap="~0x200000200000000"

  • on Solaris systems, add the line to the file /etc/init.d/axigen, under the other global variables:

    #!/bin/sh
    # AXIGEN rcscript for SunOS (Solaris) systems
    # Copyright (c) since 2005, Axigen Messaging
    # For any feedback, please contact:
    # "AXIGEN Team" <team@axigen.com>

    AXIGEN_BIN_DIR="/opt/axigen/bin"
    AXIGEN_DATA_DIR="/var/opt/axigen"
    AXIGEN_ETC_DIR="/etc/opt/axigen"
    AXIGEN_DAEMON_BIN="${AXIGEN_BIN_DIR}/axigen"
    AXIGEN_PID_FILE="${AXIGEN_DATA_DIR}/run/axigen.pid"
    AXIGEN_DAEMON_OPT=""
    AXIGEN_SSL_CERT=${AXIGEN_DATA_DIR}/axigen_cert.pem
    AXIGEN_SSL_DH=${AXIGEN_DATA_DIR}/axigen_dh.pem

    export OPENSSL_ia32cap="~0x200000200000000"

  • on Windows systems, set the system environment variable OPENSSL_ia32cap with the value ~0x200000200000000 from the Environment Variables dialog (System variables) on the Advanced tab of System Properties.

    You can check that the variable was set as below:

    C:\temp>echo %OPENSSL_ia32cap%
    ~0x200000200000000
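The helpers below are an added example, not part of this article or of Axigen's own init scripts. They show what the recommended OPENSSL_ia32cap value actually does (OpenSSL treats the variable as a 64-bit copy of the CPUID leaf 1 EDX/ECX capability bits, and a leading "~" clears the listed bits; in 0x200000200000000 the two set bits are 57, AES-NI, and 33, PCLMULQDQ), add the export line to a sysconfig-style file without duplicating it, and, on Linux, confirm that the running daemon really inherited the variable. The functions ia32cap_clears_aesni, install_workaround and daemon_has_workaround are names chosen for this example; the pid file path is the one the init scripts above define. Note that the export only takes effect after the Axigen service is restarted.

```shell
#!/bin/sh
# Added example (not part of the Axigen article or Axigen's own scripts):
# helpers for applying and verifying the OPENSSL_ia32cap workaround.
#
# OpenSSL reads OPENSSL_ia32cap as a 64-bit capability vector: the low
# 32 bits mirror CPUID(EAX=1):EDX and the high 32 bits CPUID(EAX=1):ECX.
# A leading "~" means "clear these bits instead of setting them".
# In the value from the article, 0x200000200000000 has exactly two bits set:
#   bit 57 = ECX bit 25 = AES-NI
#   bit 33 = ECX bit 1  = PCLMULQDQ (carry-less multiply, used by AES-GCM)
WORKAROUND_VALUE='~0x200000200000000'

# Return 0 (true) if a candidate OPENSSL_ia32cap value clears the AES-NI bit,
# i.e. if it would actually apply the workaround. A value without the "~"
# prefix would force bits on rather than off and is rejected.
ia32cap_clears_aesni() {
    val="$1"
    case "$val" in
        "~"0x*) ;;
        *) return 1 ;;
    esac
    mask=${val#?}                         # drop the leading "~"
    [ "$(( ($mask >> 57) & 1 ))" -eq 1 ]
}

# Idempotently append the export line to a sysconfig/default file
# (/etc/sysconfig/axigen, /etc/default/axigen, ...). Running it twice leaves
# a single copy of the line. Restart the daemon afterwards for it to apply.
install_workaround() {
    file="$1"
    line="export OPENSSL_ia32cap=\"$WORKAROUND_VALUE\""
    if [ -f "$file" ] && grep -qxF "$line" "$file"; then
        return 0                          # already present, nothing to do
    fi
    printf '%s\n' "$line" >> "$file"
}

# Linux only: confirm the running daemon really inherited the variable by
# reading its initial environment from /proc. The pid file is the one the
# init scripts use: ${AXIGEN_DATA_DIR}/run/axigen.pid.
daemon_has_workaround() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    tr '\0' '\n' 2>/dev/null < "/proc/$pid/environ" \
        | grep -qxF "OPENSSL_ia32cap=$WORKAROUND_VALUE"
}
```

Typical use after editing the init file and restarting the service is `daemon_has_workaround /var/opt/axigen/run/axigen.pid && echo "AES-NI disabled for axigen"`; if it reports nothing, the variable was set in the wrong file or the daemon was not restarted.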
OS: Linux, Windows, FreeBSD, Solaris