Originally written by Johan Norrman, CIO at Detectify for sysarmy.
March could have started better for the OpenSSL team. During the last week, the OpenSSL development team published two high impacts CVEs, CVE-2016-0800 and CVE-2016-0703.
In this blog post, we explain how the CVEs can compromise your security and what steps you can take to stay safe.
You might already have heard about CVE-2016-0800 by its nickname “DROWN”. According to drownattack.com a server is vulnerable to DROWN if it allows SSLv2 connections or if its private key is used on any other server that allows SSLv2 (see CVE-2016-0703 below).
What can happen: By gaining access on a DROWN vulnerable server the attacker can gain information such as username, passwords, credit card numbers or any other sensitive information sent via the server.
So what should I do:
- Make sure that you upgrade OpenSSL to the recommended version.
- if you are using 1.0.1 upgrade to 1.0.1s
- if you are using 1.0.2 upgrade to 1.0.2g
- Disable SSLv2 – how this is done varies depending on which software you are using.
If you are uncertain if you are vulnerable or not, you can use services such as Detectify, that will provide you with a warning if you still are running SSLv2 when you run a scan (see photo below).
Learn more about DROWN:
If you want to read more about OpenSSL and DROWN we recommend you to dig into this blog post from the OpenSSL team.
The second issue, CVE-2016-0703, only affects versions of OpenSSL prior to March 19th, 2015 and is fixed in OpenSSL 0.9.8zf, 1.0.0r, 1.0.1m and 1.0.2a.
What can happen: It allows a remote attacker to commit an efficient divide-and-conquer key recovery attack. So by eavesdropping on the SSLv2 handshake the attacker can determine the SSLv2 private-key, all and all leading up to a way more efficient version of DROWN.
So what should I do:
- Make sure that you upgrade to OpenSSL 0.9.8zf, 1.0.0r, 1.0.1m and 1.0.2a, depending on what version you are on now.
- Read the security information from your software provider to determine if you need to do anything extra to stay secure.
Comments from Detectify:
“Keeping your infrastructure up to date becomes easier as more and more companies are moving into a DevOps culture. The ones responsible for patching and keeping your production environment up to date are now a part of your development team and no longer just responsible for making sure that the servers are running. However, patching your production servers will always be challenge and keeping them patch should always be a top priority” says Detectify’s CIO Johan Norrman.