Vulnerability Description
IBM Domino 9.0.1 Fix Pack 3 Interim Fix 2 through 9.0.1 Fix Pack 5 Interim Fix 1, when using TLS and AES GCM, uses random nonce generation, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce in a session and a "forbidden attack." NOTE: this CVE has been incorrectly used for GCM nonce reuse issues in other products; see CVE-2016-10213 for the A10 issue, CVE-2016-10212 for the Radware issue, and CVE-2017-5933 for the Citrix issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ibm | Client Application Access | 1.0.0.1 |
| Ibm | Domino | 9.0.1.3 |
| Ibm | Notes | 9.0.1.3 |
Related Weaknesses (CWE)
References
- http://www-01.ibm.com/support/docview.wss?uid=swg21979604 (Mitigation, Patch, Vendor Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg21979669 (Mitigation, Patch, Vendor Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg21979673 (Mitigation, Patch, Vendor Advisory)
- http://www.securityfocus.com/bid/96062 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1037795
- https://github.com/nonce-disrespect/nonce-disrespect (Third Party Advisory)
- https://support.citrix.com/article/CTX220329
FAQ
What is CVE-2016-0270?
CVE-2016-0270 is a vulnerability with a CVSS score of 5.9 (MEDIUM). IBM Domino 9.0.1 Fix Pack 3 Interim Fix 2 through 9.0.1 Fix Pack 5 Interim Fix 1, when using TLS and AES GCM, uses random nonce generation, which makes it easier for remote attackers to obtain the aut...
How severe is CVE-2016-0270?
CVE-2016-0270 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2016-0270?
Check the references section above for vendor advisories and patch information. Affected products include: Ibm Client Application Access, Ibm Domino, Ibm Notes.