Tosibox Security Advisory TBSA-016-301
Published: 2016-08-26 12:00 EEST
Updated: 2016-08-29 21:00 EEST
Tosibox releases this security advisory to provide information about a vulnerability issue with 64-bit block ciphers within the SSL/TLS and VPN protocols that under certain configurations could permit a collision attack.
With TOSIBOX® products, the detected vulnerability (“Sweet32”) could allow an attack on long lived VPN connections using the Blowfish cipher if the potential attacker were able to capture large amounts of the encrypted traffic; and the user’s application traffic over the VPN connection is such that fixed secret is sent repeatedly over the VPN connection; and some segment of the transferred plain text is known.
Note that only when the above conditions are fulfilled, an attacker could extract parts of the plain text sent over the VPN tunnel without knowing or breaking the encryption keys.
This advisory provides guidance on what administrators can do to help ensure that their systems are not subject to the vulnerability.
The following TOSIBOX® products are known to be affected by this vulnerability:
The VPN connection between Key and Lock 100 / Lock 200 / Central Lock is vulnerable to the attack if the Blowfish cipher is used and Lock software version is earlier than 3.1.4.
TOSIBOX® Lock 100 / Lock 200 / Central Lock
The VPN connections between two Locks and Lock and a Central Lock are vulnerable to the attack if the Blowfish cipher is used and and Lock software version is earlier than 3.1.4.
TOSIBOX® Mobile Client for Android
The VPN connection between the Android Mobile Client and Lock 100 / Lock 200 / Central Lock is vulnerable to the attack if the Blowfish cipher is used and Lock software version is earlier than 3.1.4.
Administrators are advised to configure VPN connections to use AES ciphers instead of Blowfish. In TOSIBOX® products, the VPN cipher is a configurable setting and the configuration of the Lock/Central Lock determines the used cipher for the VPN connection.
The current default cipher is accessible and can be changed in the Lock’s and Central Lock’s web user interface under Settings > Advanced settings (or Industry settings) > VPN cipher.
Tosibox has addressed the issue in software version 3.1.4 for Lock 100 and Lock 200 so that the VPN data channel key is renegotiated much more frequently, which will mitigate the possibility of the attack. If automatic software updates have been disabled, the users are advised to install the software update(s) as soon as they become available.
Also, the default VPN cipher for new Lock 100 units has been changed to AES-128-CBC in software version 3.1.4. For Lock 200 and Central Lock, AES has already been the default cipher.
Feedback and support
You can request further information and support and provide us feedback by contacting:
Finland / Global
DACH area (Germany, Austria, Switzerland)
US and Canada
The information provided in this advisory is provided “as is”, without any kind of warranty whatsoever. Using or acting on the information on this document is at the user’s own risk.