CVE-2016-0800 OpenSSL DROWN Attack Post Mortem

On Tuesday, March 1, 2016, an OpenSSL Security Advisory was published with several vulnerabilities categorized as HIGH [1].

One of these is "Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)", which can lead to an attacker decrypting traffic between non-vulnerable servers and clients through an attack on vulnerable servers.

Once we became aware of the vulnerability we upgraded openssl on all our servers and verified all of our active services for protection against this attack.

During the last several weeks we had been testing an SSTP service with SoftEther VPN Server, unfortunately, the default configuration was not updated to force TLS on these servers.

The IPs for these test servers were published on the DROWN test website [2] listing them as vulnerable (this has since been updated to say "appears fixed").

The services on the vulnerable test servers were stopped to prevent any possibility of an attack.
We do not have any logs but we were able to analyze server utilization charts and they do not show the level of network activity typical of someone exploiting DROWN.

As a precaution we are now using a new Wildcard SSL certificate / private key pair with all of our services.

It is also important to note that customers and other visitors to our website [3] were not exposed to the attack since our website is secured with a Wildcard SSL certificate issued by "Verizon Enterprise Solutions" which is different from the ", Inc." Wildcard SSL certificate we use with our services.

Sign In or Register to comment.