Advisory: DROWN Vulnerability (CVE-2016-0800)
Publication Date: 7 March 2016
Updated: 15 March 2016
Description
The vulnerability can lead to decryption of TLS sessions by using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Traffic between clients and non-vulnerable servers can be decrypted if another server that supports SSLv2 and EXPORT ciphers shares the RSA keys of the non-vulnerable server. This holds even when that other server uses a different protocol, such as SMTP, IMAP or POP.
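The shared-key condition described above can be checked across a service inventory. The following is an added example, not ANTlabs code: the `Service` fields, the hostnames and the key ids are assumptions, and the key fingerprint and SSLv2/EXPORT flag are expected to come from the auditor's own scan data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    protocol: str        # "https", "smtp", "imap", "pop3", ...
    rsa_key_id: str      # auditor-collected fingerprint of the RSA public key
    sslv2_export: bool   # accepts SSLv2 with EXPORT cipher suites


def drown_exposure(services):
    """Map each exposed service to the oracle endpoints that share its RSA key.

    Grouping is by public key, not by certificate or hostname: the condition
    is a shared RSA key, whatever protocol the oracle endpoint speaks.
    """
    by_key = defaultdict(list)
    for svc in services:
        by_key[svc.rsa_key_id].append(svc)

    exposed = {}
    for group in by_key.values():
        oracles = [s for s in group if s.sslv2_export]
        if not oracles:
            continue  # no SSLv2/EXPORT endpoint holds this key
        for svc in group:
            exposed[svc] = oracles
    return exposed


def describe(svc, oracles):
    """One report line; 'direct' means the service is itself an oracle."""
    kind = "direct" if svc in oracles else "shared-key"
    via = ", ".join(f"{o.protocol}://{o.host}:{o.port}" for o in oracles if o != svc)
    return f"{svc.protocol}://{svc.host}:{svc.port} {kind}" + (f" via {via}" if via else "")


# Constructed inventory: hostnames and key ids are placeholders.
INVENTORY = [
    Service("www.example.test", 443, "https", "key-A", False),
    Service("mail.example.test", 25, "smtp", "key-A", True),
    Service("mail.example.test", 995, "pop3", "key-B", False),
    Service("portal.example.test", 443, "https", "key-C", True),
]

if __name__ == "__main__":
    for svc, oracles in drown_exposure(INVENTORY).items():
        print(describe(svc, oracles))
```

In the constructed inventory, the HTTPS site on `key-A` is reported as exposed only because the SMTP service holds the same key, while the POP3 service on `key-B` is not reported.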
Impact
Websites or computer servers using the HTTPS protocol could be exposed to eavesdroppers.
Status
The DROWN vulnerability is classified as ‘CVE-2016-0800’ by CERT.
Affected gateway products are:
- IG 3100 model 3100, model 3101
- IG 4
- InnGate 3.00 E-Series, 3.01 E-Series, 3.02 E-Series, 3.10 E-Series
- InnGate 3.01 G-Series, 3.10 G-Series
- SSG 4
- SG 4
Recommended Action
Contact Support as soon as possible to get help in deploying mitigation against DROWN:
ANTlabs Support Contact Details
24 x 7 Phone Support
Phone: +65 6100-SUPP (+65 6100-7877)
For US Customers: +1-858-217-5147
Email Support: tech-support@antlabs.com
The following patches are currently available:
- IG 4 Security Patch #4
- InnGate Security Patch #63
- IG 3100 Security Patch #13
- SG 4 Security Patch #5
- SSG 4 Security Patch #9
These patches update the web service module to address the SSLv2 vulnerability. They are critical security updates and should be applied as soon as possible. The gateway reboots automatically when a patch is applied.
The ANTlabs Engineering team is currently working on hotfixes for other ANTlabs products and will post subsequent updates to this advisory.