Security Bulletin: SSLv2 DROWN Vulnerability (CVE-2016-0800)

Published: 2018-12-08 04:55:34
Source: www.ibm.com

CVSS3: 5.9 Medium
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS2: 4.3 Medium
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

Description

A vulnerability has been found in the SSLv2 protocol that affects older versions of Aspera products. Newer versions of Aspera products no longer support SSLv2 and so are not affected by this vulnerability. The best solution, therefore, is to upgrade your products.

DROWN (Decrypting RSA using Obsolete and Weakened Encryption) is a cross-protocol attack that can be used to decrypt RSA ciphertext: a server that still accepts SSLv2 can be used as an oracle to decrypt TLS sessions protected by the same RSA key, even when those sessions themselves never used SSLv2. This vulnerability affects all implementations of SSLv2.

Affected Products

  • IBM Aspera Faspex Application 3.9.2 and earlier
  • IBM Aspera Shares 1.9.2 and earlier
  • IBM Aspera Proxy 1.2.2 and earlier
  • IBM Aspera Point to Point 3.5.5 and earlier
  • IBM Aspera Enterprise Server 3.5.5 and earlier
  • IBM Aspera OnDemand 3.5.4 and earlier
  • IBM Aspera Orchestrator 2.3.0 and earlier
  • IBM Aspera Console 3.0.1 and earlier

Note: All of these products have newer versions where SSLv2 is disabled and thus in which this vulnerability is no longer an issue.

Remediation

If you are not able to upgrade your product to address this issue, you can disable SSLv2 yourself to secure your product against this vulnerability. Follow the configuration instructions below for your product.

Apache (Faspex, Console, Orchestrator)

Modify the configuration file at the following location:

  • Linux: /opt/aspera/common/apache/conf/extra/httpd-ssl.conf
  • Windows: C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\extra\httpd-ssl.conf

Modify or add the SSLProtocol configuration to exclude SSLv2 as shown below:

SSLProtocol all -SSLv2 -SSLv3

Nginx (Shares)

Modify the configuration file at the following location:

  • Linux: /opt/aspera/shares/etc/nginx/nginx.conf
  • Windows: C:\Shares\nginx\conf\nginx.conf

Modify or add the ssl_protocols configuration so that SSLv2 is not included as shown below:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

asperanoded / asperahttpd (Enterprise Server, Proxy)

Modify the configuration file at the following location:

  • Linux: /opt/aspera/etc/aspera.conf
  • Windows: C:\Program Files (x86)\Aspera\product_name\etc\aspera.conf
  • Mac: /Library/Aspera/etc/aspera.conf

Modify or add the <ssl_protocol> configuration, found in the <server> section, so that it matches the following:

<ssl_protocol>tlsv1</ssl_protocol>
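The three remediation steps above each come down to one directive in one file. The following script is an added example, not part of the IBM bulletin or any Aspera product, that audits the three config formats for a lingering SSLv2 setting so an administrator can confirm the change before and after editing. The sample configs embedded in it are constructed, not taken from a real deployment; the <CONF> root element wrapping the aspera.conf fragment is assumed. It also treats Apache's "all" shortcut conservatively as including SSLv2 (the behaviour of the older httpd 2.2 generation) and reports "unconfirmed" rather than "ok" when a file contains no protocol directive at all, since an absent directive falls back to the server's built-in default.

```python
"""Audit Apache, nginx and aspera.conf fragments for SSLv2 (DROWN, CVE-2016-0800)."""
import re
import xml.etree.ElementTree as ET

# Protocols Apache's "all" shortcut is assumed to expand to. Older httpd 2.2
# builds included SSLv2 in "all", so that is the conservative assumption here.
APACHE_ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def _strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def audit_apache(text):
    """Evaluate every SSLProtocol directive; the last one wins, as in httpd.
    Returns 'sslv2-enabled', 'ok', or 'unconfirmed' (no directive present)."""
    verdict = "unconfirmed"
    for raw in text.splitlines():
        m = re.match(r"SSLProtocol\s+(.+)", _strip_comment(raw), re.IGNORECASE)
        if not m:
            continue
        enabled = set()
        for tok in m.group(1).split():
            # Tokens are "+name", "-name", or bare "name" (same as "+name").
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = APACHE_ALL if name.lower() == "all" else {name.lower()}
            enabled = enabled | names if sign == "+" else enabled - names
        verdict = "sslv2-enabled" if "sslv2" in enabled else "ok"
    return verdict


def audit_nginx(text):
    """ssl_protocols is an explicit allow-list: SSLv2 is on only if named."""
    verdict = "unconfirmed"
    for raw in text.splitlines():
        m = re.match(r"ssl_protocols\s+([^;]+);", _strip_comment(raw))
        if not m:
            continue
        protos = {p.lower() for p in m.group(1).split()}
        verdict = "sslv2-enabled" if "sslv2" in protos else "ok"
    return verdict


def audit_aspera(text):
    """aspera.conf: <ssl_protocol> under <server>; the bulletin's fixed value is tlsv1."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return "unconfirmed"
    node = root.find(".//server/ssl_protocol")
    if node is None or not (node.text or "").strip():
        return "unconfirmed"
    # Any value mentioning sslv2 (including an "sslv23"-style name) is flagged.
    return "sslv2-enabled" if "sslv2" in node.text.strip().lower() else "ok"


# Constructed samples (not from any real deployment): a weak and a remediated
# version of each of the three files named in the bulletin.
SAMPLES = {
    "apache-weak": ("apache", "SSLEngine on\nSSLProtocol all\n"),
    "apache-fixed": ("apache", "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"),
    "nginx-weak": ("nginx", "server {\n  listen 443 ssl;\n  ssl_protocols SSLv2 SSLv3 TLSv1;\n}\n"),
    "nginx-fixed": ("nginx", "server {\n  listen 443 ssl;\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"),
    "aspera-weak": ("aspera", "<CONF><server><ssl_protocol>sslv2</ssl_protocol></server></CONF>"),
    "aspera-fixed": ("aspera", "<CONF><server><ssl_protocol>tlsv1</ssl_protocol></server></CONF>"),
}

AUDITORS = {"apache": audit_apache, "nginx": audit_nginx, "aspera": audit_aspera}


def audit_samples(samples=SAMPLES):
    """Run the matching auditor over each sample; returns {name: verdict}."""
    return {name: AUDITORS[kind](text) for name, (kind, text) in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:13s} {verdict}")
```

To use it against a live installation, read the file from the path listed for your product above and pass its contents to the matching auditor; anything other than "ok" means the SSLv2 exclusion has not been confirmed and the file should be edited as described.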


CPE: ibm aspera (operator: eq, version: any)
