Security Bulletin: SSLv2 DROWN Vulnerability (CVE-2016-0800)

Description

A vulnerability has been found in the SSLv2 protocol which affects older versions of Aspera products. Newer versions of Aspera products no longer support SSLv2 and so are not affected by this vulnerability. The best solution therefore is to upgrade your products.

DROWN (Decrypting RSA using Obsolete and Weakened Encryption) is a cross-protocol attack that can be used to decrypt RSA ciphertext. The vulnerability affects all implementations of SSLv2.

Affected Products

  • IBM Aspera Faspex Application 3.9.2 and earlier
  • IBM Aspera Shares 1.9.2 and earlier
  • IBM Aspera Proxy 1.2.2 and earlier
  • IBM Aspera Point to Point 3.5.5 and earlier
  • IBM Aspera Enterprise Server 3.5.5 and earlier
  • IBM Aspera OnDemand 3.5.4 and earlier
  • IBM Aspera Orchestrator 2.3.0 and earlier
  • IBM Aspera Console 3.0.1 and earlier

Note: All of these products have newer versions where SSLv2 is disabled and thus in which this vulnerability is no longer an issue.

Remediation

If you are not able to upgrade your product to address this issue, you can simply disable SSLv2 yourself in order to secure your product against this vulnerability. Follow the configuration instructions below for your product.

Apache (Faspex, Console, Orchestrator)

Modify the configuration file at the following location:

  • Linux: /opt/aspera/common/apache/conf/extra/httpd-ssl.conf
  • Windows: C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\extra\httpd-ssl.conf

Modify or add the SSLProtocol configuration to exclude SSLv2 as shown below:

SSLProtocol all -SSLv2 -SSLv3

Nginx (Shares)

Modify the configuration file at the following location:

  • Linux: /opt/aspera/shares/etc/nginx/nginx.conf
  • Windows: C:\Shares\nginx\conf\nginx.conf

Modify or add the ssl_protocols configuration so that SSLv2 is not included as shown below:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

asperanoded, asperahttpd (Enterprise Server, Proxy)

Modify the configuration file at the following location:

  • Linux: /opt/aspera/etc/aspera.conf
  • Windows: C:\Program Files (x86)\Aspera\product_name\etc\aspera.conf
  • Mac: /Library/Aspera/etc/aspera.conf

Modify or add the <ssl_protocol> configuration, which is found in the <server> section, to match the following:

<ssl_protocol>tlsv1</ssl_protocol>
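
The following audit script is an added example for this bulletin and is not IBM or Aspera code. It checks the three configuration formats described in the Remediation section (the Apache SSLProtocol directive, the Nginx ssl_protocols directive, and the <ssl_protocol> element under <server> in aspera.conf) and reports which files still permit, or may still permit, SSLv2. The configuration snippets embedded in it are constructed for the demonstration, and the root element name used in the aspera.conf sample is an assumption; the checker locates <server> wherever it appears.

```python
"""Audit the three Aspera-related TLS configuration formats for SSLv2.

Added example for this bulletin (not IBM/Aspera code). Each checker takes
the text of one configuration file and returns True when SSLv2 is, or may
still be, permitted, i.e. when the remediation above has not been applied.
The sample snippets at the bottom are constructed for the demonstration
and are not copied from any real installation.
"""
import re
import xml.etree.ElementTree as ET


def _strip_comments(text, marker="#"):
    """Return the non-empty lines of `text` with trailing comments removed."""
    lines = []
    for raw in text.splitlines():
        line = raw.split(marker, 1)[0].strip()
        if line:
            lines.append(line)
    return lines


def apache_allows_sslv2(conf_text):
    """True if an SSLProtocol directive in httpd-ssl.conf still permits SSLv2.

    mod_ssl tokens are protocol names, optionally prefixed with `+` (enable)
    or `-` (disable). `all` enables every protocol the build knows, and in
    the Apache 2.2 line that expansion included SSLv2, so `all` without an
    explicit `-SSLv2` is flagged. With no SSLProtocol directive at all,
    mod_ssl falls back to `all`, so that case is flagged as well.
    """
    found = False
    for line in _strip_comments(conf_text):
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        found = True
        tokens = [t.lower() for t in m.group(1).split()]
        if "-sslv2" in tokens:
            continue  # explicitly excluded, as the bulletin recommends
        if "all" in tokens or "sslv2" in tokens or "+sslv2" in tokens:
            return True
    return not found


def nginx_allows_sslv2(conf_text):
    """True if an ssl_protocols directive in nginx.conf names SSLv2.

    nginx enables only the versions listed, and no nginx default set has
    ever included SSLv2, so a missing directive is not flagged.
    """
    text = "\n".join(_strip_comments(conf_text))
    for m in re.finditer(r"ssl_protocols\s+([^;]+);", text, re.IGNORECASE):
        if "sslv2" in m.group(1).lower().split():
            return True
    return False


def aspera_conf_needs_remediation(xml_text):
    """True unless <server><ssl_protocol> is present and set to tlsv1.

    The bulletin says to add the element if it is absent, so an absent
    element is treated as "not yet remediated" (an assumption about the
    product default). Any value other than the bulletin's `tlsv1` is
    flagged for manual review rather than silently accepted.
    """
    root = ET.fromstring(xml_text)
    server = root.find(".//server")
    if server is None:
        return True
    elem = server.find("ssl_protocol")
    if elem is None or elem.text is None:
        return True
    return elem.text.strip().lower() != "tlsv1"


# Constructed "before" (weak) and "after" (remediated) samples of each file.
SAMPLES = {
    "apache-weak": (apache_allows_sslv2, "SSLEngine on\nSSLProtocol all\n"),
    "apache-fixed": (apache_allows_sslv2, "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"),
    "nginx-weak": (nginx_allows_sslv2, "server {\n  listen 443 ssl;\n  ssl_protocols SSLv2 SSLv3 TLSv1;\n}\n"),
    "nginx-fixed": (nginx_allows_sslv2, "server {\n  listen 443 ssl;\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"),
    # The <CONF> root element is a constructed guess; the checker searches for <server> anywhere.
    "aspera-weak": (aspera_conf_needs_remediation, '<CONF version="2"><server><server_name>host</server_name></server></CONF>'),
    "aspera-fixed": (aspera_conf_needs_remediation, '<CONF version="2"><server><ssl_protocol>tlsv1</ssl_protocol></server></CONF>'),
}


def audit_samples():
    """Run every checker over its sample; True means 'still needs fixing'."""
    return {name: check(text) for name, (check, text) in SAMPLES.items()}


if __name__ == "__main__":
    for name, needs_fix in audit_samples().items():
        print(f"{name:13s} {'NEEDS FIX' if needs_fix else 'ok'}")
```

To use it against real files, read each file's text and pass it to the matching checker. Because DROWN is a cross-protocol attack, the check is only meaningful when it is run on every host and service that shares the same RSA key and certificate: one remaining SSLv2 listener anywhere exposes the TLS sessions of all of them, so the audit should cover the full set of Aspera components and any other server reusing that key.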