Cross-protocol attack on TLS using SSLv2 (DROWN) on Progress

Posted by Gordon Crenshaw on 08-Mar-2016 22:59

SECURITY VULNERABILITY NOTIFICATION

The US Computer Emergency Readiness Team has issued an alert on network traffic encrypted using an RSA-based SSL certificate, known as DROWN, (https://www.us-cert.gov/ncas/current-activity/2016/03/01/SSLv2-DROWN-Attack).  This alert documents a vulnerability in the RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected, allowing a remote attacker to obtain the private key of a server supporting SSLv2.

Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) is a server-side vulnerability and does not affect clients.

 

IMPACT ASSESSMENT

Progress DataDirect has review our products and determined that all of the on-premise ODBC drivers, OpenAccess SDK, SequeLink and DataDirect Cloud products are NOT affected by DROWN.

The on-premise ODBC drivers and DataDirect Cloud products operate as clients.  OpenAccess SDK and SequeLink has SSLv2 protocol disabled in all their SSL/TLS servers.  According to OpenSSL “users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS servers, if they’ve not done so already.”

 

ADDITIONAL SECURITY ADVISORIES

Along with DROWN, the following security advisories were announced for March 1, 2016.  These vulnerabilities have little or no impact on the on-premise ODBC driver, OpenAccess SDK, SequeLink and DataDirect Cloud products.

 

Double-free in DSA code (CVE-2016-0705)

Impact: We may be impacted but the severity is low.

 

Memory leak in SRP database lookups (CVE-2016-0798)

Impact: None

 

BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)

Impact: We may be impacted but the severity is low.

 

Fix memory issues in BIO_*printf functions (CVE-2016-0799)

Impact: We may be impacted but the severity is low.

 

Side channel attack on modular exponentiation (CVE-2016-0702)

Impact: We may be impacted but the severity is low.

 

Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)

Impact: None.  We currently support the fixed version of OpenSSL

 

Bleichenbacher oracle in SSLv2 (CVE-2016-0704)

Impact: None.  We currently support the fixed version of OpenSSL

All Replies

This thread is closed