AIX OpenSSL Advisory : openssl_advisory16.asc (SLOTH)
Medium Nessus Plugin ID 88591
Synopsis
The remote AIX host has a version of OpenSSL installed that is affected by a collision-based forgery vulnerability.

Description
The remote AIX host has a version of OpenSSL installed that is affected by a collision-based forgery vulnerability, known as SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes), in the TLS protocol due to accepting RSA-MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange messages during a TLS handshake. A man-in-the-middle attacker can exploit this, via a transcript collision attack, to impersonate a TLS server.

Solution
A fix is available and can be downloaded from the IBM AIX website.
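
The Description above turns on which hash the server signature in a TLS 1.2 ServerKeyExchange uses. The following is an added example, not code from the Nessus plugin or from IBM: it reads the SignatureAndHashAlgorithm field from a captured ServerKeyExchange body (ECDHE or DHE key exchange) and flags RSA-MD5. The function names are hypothetical and the sample message is constructed.

```python
import struct

# TLS 1.2 HashAlgorithm and SignatureAlgorithm values (RFC 5246, section 7.4.1.4.1)
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def ske_signature_algorithm(body, kex):
    """Return (hash, signature) names from a TLS 1.2 ServerKeyExchange body.

    body is the handshake message body (after the 4-byte handshake header);
    kex is "ecdhe" or "dhe", as implied by the negotiated cipher suite.
    """
    try:
        if kex == "ecdhe":
            if body[0] != 3:  # curve_type 3 = named_curve
                raise ValueError("only named_curve ECDHE parameters are handled")
            pos = 4 + body[3]  # curve_type(1) + named_curve(2) + length(1) + EC point
        elif kex == "dhe":
            pos = 0
            for _ in range(3):  # dh_p, dh_g, dh_Ys: each has a 2-byte length prefix
                pos += 2 + struct.unpack_from("!H", body, pos)[0]
        else:
            raise ValueError("unsupported key exchange: " + kex)
        hash_id, sig_id, sig_len = struct.unpack_from("!BBH", body, pos)
    except (IndexError, struct.error):
        raise ValueError("truncated ServerKeyExchange") from None
    if pos + 4 + sig_len != len(body):
        raise ValueError("signature length does not match message length")
    return HASHES.get(hash_id, "unknown(%d)" % hash_id), SIGS.get(sig_id, "unknown(%d)" % sig_id)


def is_rsa_md5(body, kex):
    """True when the server signature in the message is RSA over MD5."""
    return ske_signature_algorithm(body, kex) == ("md5", "rsa")


def constructed_ecdhe_ske(hash_id, sig_id):
    # Constructed sample: secp256r1 (0x0017), dummy 65-byte point, dummy 256-byte signature.
    params = b"\x03\x00\x17" + bytes([65]) + b"\x04" + b"\x00" * 64
    return params + bytes([hash_id, sig_id]) + struct.pack("!H", 256) + b"\x00" * 256


if __name__ == "__main__":
    for h, s in ((1, 1), (4, 1)):
        msg = constructed_ecdhe_ske(h, s)
        print(ske_signature_algorithm(msg, "ecdhe"), "FLAG" if is_rsa_md5(msg, "ecdhe") else "ok")
```
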