DROWN SSL Security Alert March 2016

Summary

Epicor has been keeping apprised of a vulnerability in the SSL 2.0 protocol, CVE-2016-0800, also known as DROWN, which stands for Decrypting RSA using Obsolete and Weakened eNcryption and is a Man-in-the-Middle (MITM) attack against servers running TLS for secure communications. The issue is quite tricky to exploit by itself, but it is made easier on servers that are not up to date with OpenSSL security updates released the previous year. Red Hat has a vulnerability article in the Customer Portal which explains the technical attack and the dependencies in more detail.

Recommended Customer Actions

Red Hat recommends that customers immediately apply available updates to remediate the issue. Rebooting the system after updating is the safest way to ensure that all affected services use the updated SSL library.

Microsoft IIS versions 7.0 and above should have SSLv2 disabled by default. If you are running an older version of IIS, you will need to disable insecure protocols following these instructions from Microsoft.

FAQ

Q. How can I check whether or not my Linux server is vulnerable?
A. Log into your Linux server and run the command below:

curl -Ls http://bit.ly/checkDROWN | sh

For example, the following output, run against an Eclipse Linux server, shows that the software needs to be updated:

[root@eclipsetest ~]# curl -Ls http://bit.ly/checkDROWN | sh

WARNING: The installed version of openssl (openssl-1.0.1e-16.el6_5.14) is vulnerable to both general and special DROWN attack and should be upgraded!
See https://access.redhat.com/security/vulnerabilities/drown for more information.

The installed version of openssl-libs (package openssl-libs is not installed) is not vulnerable to DROWN.
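The check script above decides between "vulnerable" and "not vulnerable" by comparing the installed openssl package build against the release that carries the fix. As an added illustration that is not Epicor's or Red Hat's code, the following Python does the same comparison with rpm-style version ordering; the entries in FIXED_OPENSSL are assumed placeholder values, not taken from this page, and should be replaced with the builds named in the Red Hat advisory for your release.

```python
import re
import subprocess

# ASSUMED placeholder fixed builds, keyed by dist tag; take the real values
# from the Red Hat advisory for your release before relying on this check.
FIXED_OPENSSL = {
    "el6": "1.0.1e-42.el6_7.4",
    "el7": "1.0.1e-51.el7_2.4",
}

def _segments(s):
    """Split a version string into numeric and alphabetic runs, as rpm does."""
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """Compare two rpm version (or release) strings; return -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as numbers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer string is newer

def compare_evr(installed, fixed):
    """Compare 'version-release' strings: version first, then release."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def is_vulnerable(installed_evr):
    """True when the installed build is older than the fixed build for its dist tag."""
    m = re.search(r"\.(el\d+)", installed_evr)
    if not m or m.group(1) not in FIXED_OPENSSL:
        raise ValueError("unknown distribution tag in %r" % installed_evr)
    return compare_evr(installed_evr, FIXED_OPENSSL[m.group(1)]) < 0

def installed_openssl_evr():
    """Ask rpm for the installed openssl version-release (one line per arch)."""
    out = subprocess.check_output(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "openssl"]).decode()
    return out.split()

if __name__ == "__main__":
    # Sample from the page: openssl-1.0.1e-16.el6_5.14 is reported vulnerable.
    for evr in installed_openssl_evr():
        print("openssl-%s: %s" % (evr, "VULNERABLE" if is_vulnerable(evr) else "fixed"))
```

Run it on the server as root; a package built before the fixed release is flagged, one at or after it is not.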

Q. How can I check whether my external web server (e.g. WOE, mobile) is vulnerable?
A. Use this tool.