9283 8B4A 87FE DC6E C327 EF05 70A8 B78D 1623 3FB5

We would like to bring to your attention the latest SSL/TLS vulnerability, known as the DROWN (Decrypting RSA using Obsolete and Weakened eNcryption) attack [1]. Although there is much hype around such vulnerabilities, it is rated as important and seems serious enough for us to send out this alert, particularly as the tester identifies weak SSL configurations and vulnerable library versions, which may be subject to other vulnerabilities.

For more information

Recommendation

Test your site(s) here and mitigate if vulnerable:

Generally, mitigation involves disabling support for SSLv2 and possibly updating SSL libraries (e.g. OpenSSL). Sharing keys/certificates with a vulnerable server also presents a risk. For more specific directions, please consult the reference for your OS (e.g. [2]).
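The shared-key point is easy to miss when reviewing hosts one at a time, so the following added example (not part of the original alert) triages a service inventory for both cases. The record layout, host names and key fingerprints are constructed for illustration; substitute the output of whatever scanner you use.

```python
from collections import defaultdict

# Constructed sample inventory: names, ports and fingerprints are made up.
# "protocols" = protocol versions the service accepts, as reported by a scanner.
# "key_fp"    = fingerprint of the RSA public key in the certificate it serves.
INVENTORY = [
    {"service": "www.example.org:443", "protocols": {"TLSv1.2"}, "key_fp": "KEY-A"},
    {"service": "mail.example.org:25", "protocols": {"SSLv2", "TLSv1.0"}, "key_fp": "KEY-A"},
    {"service": "old.example.org:443", "protocols": {"SSLv2", "SSLv3"}, "key_fp": "KEY-B"},
    {"service": "api.example.org:443", "protocols": {"TLSv1.1", "TLSv1.2"}, "key_fp": "KEY-C"},
]


def drown_exposure(inventory):
    """Map each service to (status, reason).

    status is 'direct' (the service accepts SSLv2), 'shared-key' (it does not,
    but another service using the same key does) or 'ok'.
    """
    # First pass: which keys are served by at least one SSLv2-enabled service?
    sslv2_by_key = defaultdict(list)
    for svc in inventory:
        if "SSLv2" in svc["protocols"]:
            sslv2_by_key[svc["key_fp"]].append(svc["service"])

    # Second pass: classify every service against that map.
    result = {}
    for svc in inventory:
        name = svc["service"]
        peers = sslv2_by_key.get(svc["key_fp"], [])
        if "SSLv2" in svc["protocols"]:
            result[name] = ("direct", "disable SSLv2 on this service")
        elif peers:
            result[name] = ("shared-key",
                            "key also served over SSLv2 by " + ", ".join(sorted(peers)))
        else:
            result[name] = ("ok", "no SSLv2 service uses this key")
    return result


if __name__ == "__main__":
    for name, (status, reason) in drown_exposure(INVENTORY).items():
        print(f"{name:22} {status:11} {reason}")
```

A service reported as `shared-key` stays exposed until SSLv2 is disabled on every service using that key.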

Further reading

References

[1] CVE-2016-0800: Vulnerability Summary

[2] Red Hat: DROWN – Cross-protocol attack on TLS using SSLv2