Blog

DROWN Vulnerability with Remediation


(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800)

Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. Exploitation of this vulnerability—referred to as DROWN in public reporting—may allow a remote attacker to obtain the private key of a server supporting SSLv2.

Symas encourages users and administrators to review Vulnerability Note VU#583776 and read OpenSSL’s advisory for additional information.

Remediation: Symas OpenLDAP can be protected against DROWN by doing the following:

  1. Ensure you are running Symas OpenLDAP release 2.4.40-1 or later. If you need to upgrade, the latest release, 2.4.43-1, can be downloaded at https://symas.com/downloads

  2. Set TLSProtocolMin to completely disable all protocols below 3.1. To do this, add the following to the global section of your slapd.conf file (slapd restart required): TLSProtocolMin 3.1 Or, if you use cn=config, add: olcTLSProtocolMin: 3.1

For questions or concerns, please contact Symas Support.