2016-03-07 Instructure Advisory IAC42086 - SSLv2 DROWN Attack

Document created by Wade Billings Employee on Mar 7, 2016Last modified by Wade Billings Employee on Nov 16, 2016
Version 7Show Document
  • View in full screen mode

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

 

  Release Date:2016-03-07
  Description:SSLv2 DROWN Attack
  Criticality Level:High
  Impact:Potential Exposure of Sensitive Data
  Systems Affected:Potential impact includes all platforms/sites protected by HTTPS
  Solution Status:Closed/Resolved
  Discovered By:Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt
  Relevant Changesets:

None


 

Summary:

Recently, a new SSL vulnerability was discovered by a group of security researchers. The vulnerability has been given the name "DROWN", which is an acronym for "Decrypting RSA with Obsolete and Weakened eNcryption." The gist of the vulnerability is if a site is configured to support SSLv2, which is a deprecated version of the SSL (Secure Socket Layer) protocol, the encryption can be compromised by a third party.

 

Status:

Instructure operations has concluded that only one of its sites/services, an internal QA tool, was configured with the deprecated version of the SSL protocol. The potentially vulnerable site has since been reconfigured to disable SSLv2 and all associated cyphers.

 

Because of strict network isolation between pre-production and production environment, the risk to production environments was mitigated.

 

Further Information:

https://drownattack.com/ 

https://www.openssl.org/news/secadv/20160301.txt

NVD - Detail

https://drownattack.com/drown-attack-paper.pdf


Attachments

    Outcomes