FREAK attack FAQ related to Syncplicity

Frequently Asked Questions

What is the issue?

Researchers have announced an SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept SSL/TLS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. The vulnerability concerns SSL/TLS cipher suites that use export-grade RSA keys, which are intentionally weakened to comply with (now defunct) US export control laws.


For more details refer to:
https://freakattack.com/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 (OpenSSL)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1637 (Microsoft Schannel)


What components of Syncplicity are affected?

The issue may impact customers’ deployments of the Syncplicity Storage Connector and Syncplicity Panorama Connector. Servers with RSA export cipher suites enabled are vulnerable to the FREAK attack. By default, the Syncplicity Storage Connector and Syncplicity Panorama Connector do not enable the RSA export cipher suites; however, customers may have configured their servers with RSA export cipher suites enabled.


Is Syncplicity’s cloud service vulnerable to this issue?
Syncplicity’s cloud service is not impacted by this vulnerability. Syncplicity servers (my.syncplicity.com, www.syncplicity.com, data.syncplicity.com, xml.syncplicity.com) do not support export-grade cipher suites.


What steps do customers need to take to address the vulnerability? 
No action is needed by EMC Syncplicity Personal Edition, Business Edition, and Enterprise Edition customers who use cloud storage only.

Customers that have configured a Syncplicity On-Premise Storage Connector for SSL are advised as follows:

  1. Check your server configuration with a utility such as Qualys SSL Labs SSL Server Test tool to determine if your server supports TLS export cipher suites such as the following:
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    TLS_RSA_EXPORT_WITH_RC4_40_MD5
    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    (note: not an exhaustive list of export ciphers)

  2. Ensure you are running Syncplicity Storage Connector version 2.3.0.4 or greater. Type the following command to determine which Storage Connector version is installed:

    yum info syncp-storage | grep Version

    The version number that appears should be 2.3.0.4 or greater.

  3. If you are not running Syncplicity Storage Connector version 2.3.0.4 or greater, upgrade the Storage Connector using the instructions documented here:
    https://syncplicity.zendesk.com/hc/en-us/articles/202659160-Upgrading-the-Storage-Connector

  4. Migrate from stunnel using the steps described in Chapter 2 “Configuring SSL” of the Storage Connector SSL Configuration Guide linked here:
    https://my.syncplicity.com/share/dd0vash0ashw4gw/Syncplicity On-Premise Storage Connector SSL Configuration Guide
    The vulnerable export ciphers are disabled by default and should not be enabled.
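As an added example (not Syncplicity's or EMC's code), the check in step 1 can also be done directly against your own Storage Connector host: send a TLS ClientHello that offers only export-grade RSA suites and see whether the server completes the negotiation instead of sending an alert. Assumes Python 3; the suite code points are the IANA values for the suites named above plus two related export suites.

```python
import os
import socket
import struct

# Export-grade RSA cipher suites (IANA code points). A server that negotiates
# any of these with a client is exposed to the FREAK attack.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


def build_client_hello(suites):
    """TLS 1.0 ClientHello record offering only the given cipher suite codes."""
    body = b"\x03\x01" + os.urandom(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def negotiated_suite(reply):
    """Cipher suite code from a ServerHello, or None if the server sent an alert."""
    if len(reply) < 5 or reply[0] != 0x16:           # 0x15 is an alert record: refused
        return None
    hs = reply[5:]
    if not hs or hs[0] != 0x02:                      # not a ServerHello
        return None
    pos = 4 + 2 + 32                                 # handshake header, version, random
    pos += 1 + hs[pos]                               # skip session id
    return struct.unpack("!H", hs[pos:pos + 2])[0]


def accepts_export_suite(host, port=443, timeout=5):
    """Name of the export suite the server agreed to, or None if it refused all."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_SUITES)))
        reply = sock.recv(4096)
    return EXPORT_SUITES.get(negotiated_suite(reply))


if __name__ == "__main__":
    import sys
    print(accepts_export_suite(sys.argv[1]) or "no export suite negotiated")
```

A result of `None` (printed as "no export suite negotiated") is the expected outcome for a correctly configured Storage Connector; any suite name means the export ciphers are still enabled.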


Syncplicity Panorama Connector customers are advised as follows:

Syncplicity Panorama customers should review Microsoft Security Bulletin MS15-031 at https://technet.microsoft.com/library/security/MS15-031 to determine the applicability of this information to their individual situations and take appropriate action.


EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.