CVE-2016-0800 DROWN

What is DROWN?

DROWN is the marketing acronym for a medium-high security vulnerability that can affect the integrity of encrypted SSL traffic and provide private information to the attacker. The DROWN vulnerability occurs when a server is misconfigured to serve data over legacy SSLv2 connections.


Are KEMP LoadMasters affected?

No. KEMP LoadMasters have not supported SSLv2 since version 4.1-62 which was released in 2007.


Is KEMP Geo affected?

No – as it’s part of the LoadMaster platform.


Is KEMP 360 affected?

No – our configuration has SSLv2 disabled by default.


Why were KEMP LoadMasters not affected?

KEMP follows industry trends, best practices, and security standards such as PCI-DSS to continually refine our security posture. It was an active decision in 2007 to remove support as SSLv2 was known to be an insecure and deprecated protocol.


Can a KEMP LoadMaster help protect insecure or legacy servers?

Yes. LoadMaster can front-end insecure services or legacy applications quickly and with limited operational impact. If you are not currently using a KEMP LoadMaster – you can download a fully featured trial at kemptechnologies.com or utilize our free load balancer at freeloadbalancer.com.


Please contact our support engineers if you have any questions on your LoadMaster configuration. You can open a support ticket here.


Is KEMP OpenSSL kept up to date?

As part of the KEMP security response process – every new version of OpenSSL and the corresponding patches are evaluated based on a variety of factors (risk mitigation, performance, functionality, etc.). KEMP engineering, in conjunction with the Security Alert team, then decides on the best course of action (backport specific fixes or update OpenSSL in its entirety) and the release mechanism (create a new release, backport to the current/previous release, wait for the next release, etc.). As every vulnerability has a different likelihood of occurrence and a different risk impact – our process is flexible while still protecting our customers.


Can vulnerability scanners have false positives re: DROWN?

Yes, due to a bug in OpenSSL – OpenSSL may still accept SSLv2 traffic even if SSLv2 cipher suites are disabled. Please see the information on CVE-2015-3197 here for more details.
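The condition both "What is DROWN?" and the scanner question above turn on is whether a server actually completes an SSLv2 handshake, not whether its SSLv2 cipher list has been trimmed. The script below is an added example written for this article, not KEMP's code or anything from the DROWN authors: it sends one minimal SSLv2 CLIENT-HELLO to a server you administer and classifies the reply. Only an SSLv2 SERVER-HELLO confirms the DROWN precondition; a TLS alert or a closed connection means SSLv2 is off. The cipher-spec constants are the standard SSLv2 values; the default target `localhost` and the two sample replies at the bottom are constructed for offline testing and were not captured from any real host.

```python
import os
import socket
import struct
import sys

SSLV2_CLIENT_HELLO = 0x01   # SSLv2 message type CLIENT-HELLO
SSLV2_SERVER_HELLO = 0x04   # SSLv2 message type SERVER-HELLO
TLS_RECORD_ALERT = 0x15     # TLS record content type "alert"

# Standard SSLv2 cipher-spec values (3 bytes each), as defined in the SSLv2 spec.
SSLV2_CIPHER_SPECS = bytes.fromhex(
    "010080"  # SSL_CK_RC4_128_WITH_MD5
    "020080"  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    "030080"  # SSL_CK_RC2_128_CBC_WITH_MD5
    "040080"  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    "050080"  # SSL_CK_IDEA_128_CBC_WITH_MD5
    "060040"  # SSL_CK_DES_64_CBC_WITH_MD5
    "0700c0"  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)


def build_sslv2_client_hello(challenge=None):
    """Return a minimal SSLv2 CLIENT-HELLO record offering the standard cipher specs."""
    challenge = challenge if challenge is not None else os.urandom(16)
    # Body: type, version 2.0, cipher-specs length, session-id length, challenge length,
    # then the cipher specs, an empty session id and the challenge.
    body = struct.pack(">BHHHH", SSLV2_CLIENT_HELLO, 0x0002,
                       len(SSLV2_CIPHER_SPECS), 0, len(challenge))
    body += SSLV2_CIPHER_SPECS + challenge
    # Two-byte SSLv2 record header: high bit set, remaining 15 bits carry the length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data):
    """Classify the first bytes a server sends back after an SSLv2 CLIENT-HELLO.

    Returns one of:
      ("sslv2", {"version": int, "ciphers": [hex, ...]})  server completed an SSLv2 hello
      ("tls_alert", (level, description))                server answered with a TLS alert
      ("closed", None)                                   server sent nothing / closed
      ("other", None)                                    anything else
    """
    if not data:
        return ("closed", None)
    # SSLv2 records with a 2-byte header have the high bit of the first byte set.
    if data[0] & 0x80:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        body = data[2:2 + length]
        if len(body) >= 11 and body[0] == SSLV2_SERVER_HELLO:
            # SERVER-HELLO: type, session-id-hit, certificate-type, version,
            # certificate length, cipher-specs length, connection-id length.
            _, _, _, version, cert_len, cipher_len, _ = struct.unpack(">BBBHHHH", body[:11])
            specs = body[11 + cert_len: 11 + cert_len + cipher_len]
            ciphers = [specs[i:i + 3].hex() for i in range(0, len(specs) - len(specs) % 3, 3)]
            return ("sslv2", {"version": version, "ciphers": ciphers})
        return ("other", None)
    # TLS alert record: type 0x15, version (2), length (2), alert level, alert description.
    if data[0] == TLS_RECORD_ALERT and len(data) >= 7:
        return ("tls_alert", (data[5], data[6]))
    return ("other", None)


def accepts_sslv2(result):
    """True only when the server completed an SSLv2 hello (the DROWN precondition)."""
    return result[0] == "sslv2"


def probe_sslv2(host, port=443, timeout=5.0):
    """Send one SSLv2 CLIENT-HELLO to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


# Constructed sample replies for offline use (not captured from any real server).
# SSLv2 SERVER-HELLO: cert-type 1, version 2, a 3-byte placeholder "certificate",
# two cipher specs echoed back, empty connection id.
SAMPLE_SSLV2_SERVER_HELLO = bytes.fromhex(
    "8014" "04" "00" "01" "0002" "0003" "0006" "0000" "308200" "010080" "0700c0"
)
# TLS alert record: version 3.1, level fatal (2), description protocol_version (70).
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020246")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed default target
    print(target, probe_sslv2(target))
```

Run it as `python3 probe.py your-host` against a server you own. A `sslv2` result means the server really does speak SSLv2, even if the returned cipher list is short or empty, which is exactly the CVE-2015-3197 situation the answer above refers to; the remedy is to turn the protocol itself off (in OpenSSL, the `SSL_OP_NO_SSLv2` option, or a build without SSLv2) rather than only removing SSLv2 cipher suites.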


Does KEMP track upstream security vulnerabilities?

Yes. Our job as a vendor is to understand, manage, and accept residual risk – we have policies and procedures in place to proactively monitor and address security issues when they occur.

We are ultimately responsible for the risk profile of our product - our goal is to ship with no known vulnerabilities. When vulnerabilities are found, our goal is to communicate honestly and clearly and get fixes out as soon as responsibly possible.


Are any KEMP websites or Internet services affected by DROWN?

No - we use KEMP LoadMasters. However, we are currently working with some of our service providers to understand if they are affected by DROWN and will take appropriate response actions if so.


More Information

DROWN Web site

The Register

NVD
