Connectrix B-Series: Security Vulnerability CVE-2016-2183
Summary: Vulnerability CVE-2016-2183
Symptoms
Connectrix B-Series firmware (FOS) is vulnerable to CVE-2016-2183.
Refer to the link below for complete details of the CVE:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183
Cause
CVE-2016-2183 Description:
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote
attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
Resolution
Statement from Brocade:
The CVE-2016-2183 vulnerability is fixed in FOS 8.2.0 and Connectrix Manager Converged Network Edition (CMCNE) 14.3.1.
According to Broadcom, the 7.4.x target path (7.4.2d/e/f) also has the fix for this defect, but there could be a scenario where the vulnerability is still seen on DS-300B switches running 7.4.2d. DS-300B models cannot be upgraded to FOS 8.2.0.
In such cases, it is recommended to remove the DES/3DES cipher using the following steps:
Verify whether DES/3DES is in use by running the command: seccryptocfg --show
Below is sample output of the command seccryptocfg --show:
>>admin> seccryptocfg --show
HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SSH Cipher List : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
Notice that the SSH cipher list includes 3des-cbc, which is a weak cipher and has to be removed.
Remove the weak cipher by running the command: seccryptocfg --replace -type SSH -cipher aes128-cbc,aes192-cbc,aes256-cbc
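The check in the steps above can be scripted when output has been collected from many switches. The following is an added example, not part of the original article or of Brocade's tooling: it parses saved seccryptocfg --show output, flags DES/3DES entries in the SSH cipher list, and builds a replace command in the syntax shown above. Keeping every remaining configured cipher (rather than the article's fixed AES-CBC list) is an assumption of this example, and the function names are hypothetical.

```python
import re

# Constructed sample: lines taken from the output quoted in this article.
SAMPLE = """\
>>admin> seccryptocfg --show
HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SSH Cipher List : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
"""

# SSH cipher names for the 64-bit block ciphers covered by CVE-2016-2183.
WEAK = re.compile(r"^(3des|des)\b", re.IGNORECASE)

def parse_show(text):
    """Map each '<name> List : <value>' line to its value."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only; the HTTPS value contains colons itself.
        name, sep, value = line.partition(":")
        if sep and name.strip().endswith("List"):
            fields[name.strip()] = value.strip()
    return fields

def audit_ssh(text):
    """Return (weak, keep) cipher lists from the SSH cipher line."""
    fields = parse_show(text)
    if "SSH Cipher List" not in fields:
        raise ValueError("no 'SSH Cipher List' line in output")
    ciphers = [c.strip() for c in fields["SSH Cipher List"].split(",") if c.strip()]
    weak = [c for c in ciphers if WEAK.match(c)]
    keep = [c for c in ciphers if not WEAK.match(c)]
    return weak, keep

def replace_command(keep):
    """Build the replace command; refuse a list that would leave SSH with no cipher."""
    if not keep:
        raise ValueError("refusing to build an empty SSH cipher list")
    return "seccryptocfg --replace -type SSH -cipher " + ",".join(keep)

if __name__ == "__main__":
    weak, keep = audit_ssh(SAMPLE)
    if weak:
        print("weak SSH ciphers:", ",".join(weak))
        print("suggested:", replace_command(keep))
    else:
        print("no DES/3DES SSH ciphers configured")
```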
Additional Information
Brocade advises that, in order to absolutely avoid any potential risk, the user may need to avoid using DES/3DES ciphers.
Affected Products
Connectrix Manager Converged Network Edition
Article Properties
Article Number: 000068463
Article Type: Solution
Last Modified: 01 Aug 2025
Version: 3