The security world is abuzz right now due to a new vulnerability found in the SSL/TLS protocol suite called DROWN (Decrypting RSA with Obsolete and Weakened eNcryption, CVE-2016-0800). This vulnerability is one of many protocol attacks we have seen in the last 2 years highlighting weaknesses in the SSL/TLS family of encryption protocols. Our goal for this blog post is to highlight our security posture around DROWN specifically and to give some insight into how we address security events when they occur.
As always, we welcome customers to contact us with questions or concerns, and we encourage everyone with legacy workloads to mitigate that risk with our Loadmaster family of products.
What is DROWN?
DROWN is the marketing acronym for a medium-to-high severity vulnerability that can affect the integrity of encrypted SSL traffic and expose private information to the attacker. The DROWN vulnerability occurs when a server is misconfigured to serve data over legacy SSLv2 connections.
Are KEMP Loadmasters affected?
No. KEMP Loadmasters have not supported SSLv2 since version 4.1-62 which was released in 2007.
Is KEMP Geo affected?
No – it is part of the Loadmaster platform.
Is KEMP 360 affected?
No – our configuration has SSLv2 disabled by default.
Why were KEMP Loadmasters not affected?
KEMP follows industry trends, best practices, and security standards such as PCI-DSS to continually refine our security posture. Removing SSLv2 support in 2007 was an active decision, as SSLv2 was already known to be an insecure and deprecated protocol.
Can a KEMP Loadmaster help protect insecure or legacy servers?
Yes. Loadmaster can front-end insecure services or legacy applications quickly and with limited operational impact. If you are not currently using a KEMP Loadmaster, you can download a fully featured trial at kemptechnologies.com or use our free load balancer at freeloadbalancer.com.
Please contact our support engineers if you have any questions on Loadmaster configuration.
Is KEMP OpenSSL kept up to date?
As part of the KEMP security response process, every new version of OpenSSL and the corresponding patches are evaluated based on a variety of factors (risk mitigation, performance, functionality, etc.). KEMP engineering, in conjunction with the Security Alert team, then decides on the best course of action (backport specific fixes or update OpenSSL in its entirety) and the release mechanism (create a new release, backport to the current/previous release, wait for the next release, etc.). As every vulnerability has a different likelihood of occurrence and a different risk impact, our process is flexible while still protecting our customers.
Can vulnerability scanners have false positives for DROWN?
Yes. Due to a bug in OpenSSL (CVE-2015-3197), OpenSSL may still accept SSLv2 traffic even if the SSLv2 cipher suites are disabled. See the OpenSSL advisory at https://www.openssl.org/news/secadv/20160128.txt for more information.
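The false-positive question comes down to what a scanner actually sends: a single SSLv2 CLIENT-HELLO offering every SSLv2 cipher, reported as "SSLv2 accepted" whenever a SERVER-HELLO comes back, which is exactly the response an OpenSSL build affected by CVE-2015-3197 can give. The script below is an added example, not KEMP code, that performs that same check against a server you administer so you can confirm what your scanner saw; the host and port are assumptions you supply, and the record layout follows the SSLv2 wire format.

```python
import os
import socket
import struct

# The seven SSLv2 cipher specs (3-byte codes); a scanner offers all of them.
SSLV2_CIPHERS = [0x010080, 0x020080, 0x030080, 0x040080,
                 0x050080, 0x060040, 0x0700C0]


def build_client_hello(ciphers=SSLV2_CIPHERS, challenge=None):
    """Build an SSLv2 CLIENT-HELLO record (2-byte header, no padding)."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(c.to_bytes(3, "big") for c in ciphers)
    body = (b"\x01" + b"\x00\x02"                 # msg type 1, version 0x0002
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data):
    """Return the cipher specs listed in an SSLv2 SERVER-HELLO, or None when
    the reply is not one (a TLS alert, a closed socket, garbage)."""
    if len(data) < 3:
        return None
    if data[0] & 0x80:                        # 2-byte header, no padding
        hdr, length = 2, ((data[0] & 0x7F) << 8) | data[1]
    else:                                     # 3-byte header with padding
        hdr, length = 3, ((data[0] & 0x3F) << 8) | data[1]
    msg = data[hdr:hdr + length]
    # type(1) session-hit(1) cert-type(1) version(2) cert-len(2) spec-len(2) conn-id-len(2)
    if len(msg) < 11 or msg[0] != 0x04 or msg[3:5] != b"\x00\x02":
        return None
    cert_len, specs_len, _conn_len = struct.unpack(">HHH", msg[5:11])
    specs = msg[11 + cert_len:11 + cert_len + specs_len]
    if len(specs) != specs_len or specs_len % 3:
        return None
    return [int.from_bytes(specs[i:i + 3], "big") for i in range(0, specs_len, 3)]


def probe_sslv2(host, port=443, timeout=5.0):
    """Send one CLIENT-HELLO to your own host:port. None means SSLv2 was refused,
    the expected result on a Loadmaster; a list means the server answered in SSLv2."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            return None
    return parse_server_hello(reply)
```

A non-empty list from `probe_sslv2` is the condition that makes a scanner flag the host; on a server where SSLv2 ciphers were merely disabled rather than the protocol removed, patching OpenSSL for CVE-2015-3197 is what makes the probe return None.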
Does KEMP track upstream security vulnerabilities?
Yes. Our job as a vendor is to understand, manage, and accept residual risk – we have policies and procedures in place to proactively monitor and address security issues when they occur.
We are ultimately responsible for the risk profile of our product – our goal is to ship with no known vulnerabilities. When vulnerabilities are found our goal is to communicate honestly and clearly and get fixes out as soon as responsibly possible.
Is the KEMP website affected by DROWN?
No – we use KEMP Loadmasters. However, we are currently working with some of our service providers to understand if they are affected by DROWN and will take appropriate response actions if so.
DROWN Web site – https://drownattack.com/
The Register – http://www.theregister.co.uk/2016/03/02/drown_exploitability_analysis/
NVD – https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800