Fix for CVE-2016-2183 in FIPS mode

silug · silug · commit bae90be4298f · 2026-01-07T11:56:36.000-06:00
Fixes #334
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,6 @@
+* Wed Jan 07 2026 Steven Pritchard <steve@sicura.us> - 5.0.1
+- Fix for CVE-2016-2183 in FIPS mode (#334)
+
 * Tue Nov 25 2025 Steven Pritchard <steve@sicura.us> - 5.0.0
 - Make the various `assert` functions non-fatal by default
 
diff --git a/lib/facter/fips_ciphers.rb b/lib/facter/fips_ciphers.rb
@@ -1,10 +1,17 @@
 # List available FIPS-compatible OpenSSL ciphers on the system
+# Excludes weak ciphers vulnerable to CVE-2016-2183 (SWEET32)
 # Returns: Array[String]
 Facter.add('fips_ciphers') do
   confine kernel: 'Linux'
   openssl_bin = Facter::Core::Execution.which('openssl')
 
   setcode do
-    Facter::Core::Execution.exec("#{openssl_bin} ciphers FIPS:-LOW").split(':') if openssl_bin
+    # Exclude 3DES and other weak ciphers:
+    # - 3DES (vulnerable to SWEET32/CVE-2016-2183)
+    # - LOW (weak encryption)
+    # - NULL (no encryption)
+    # - EXPORT (weak export-grade)
+    # - anon (anonymous, no authentication)
+    Facter::Core::Execution.exec("#{openssl_bin} ciphers 'FIPS:-3DES:-LOW:-NULL:-EXPORT:-aNULL'").split(':') if openssl_bin
   end
 end
diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "simp-simplib",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "author": "SIMP Team",
   "summary": "A collection of common SIMP functions, facts, and types",
   "license": "Apache-2.0",
diff --git a/spec/unit/facter/fips_ciphers_spec.rb b/spec/unit/facter/fips_ciphers_spec.rb
@@ -9,7 +9,7 @@
   context 'openssl command exists' do
     it 'returns FIPS ciphers' do
       expect(Facter::Core::Execution).to receive(:which).with('openssl').and_return('/bin/openssl')
-      expect(Facter::Core::Execution).to receive(:exec).with('/bin/openssl ciphers FIPS:-LOW')
+      expect(Facter::Core::Execution).to receive(:exec).with("/bin/openssl ciphers 'FIPS:-3DES:-LOW:-NULL:-EXPORT:-aNULL'")
                                                        .and_return('ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA')
       expect(Facter.fact('fips_ciphers').value).to eq(['ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-SHA384', 'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA'])
     end

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "simp-simplib",`
`3`		`- "version": "5.0.0",`
	`3`	`+ "version": "5.0.1",`
`4`	`4`	`"author": "SIMP Team",`
`5`	`5`	`"summary": "A collection of common SIMP functions, facts, and types",`
`6`	`6`	`"license": "Apache-2.0",`