Identity Manager : OpenSSL vulnerability DROWN (CVE-2016-0800)

  • 7017374
  • 16-Mar-2016
  • 16-Mar-2016

Environment

NetIQ Identity Manager 4.5.x

Situation

Is Identity Manager susceptible to the DROWN attack?

Resolution

In technical terms, DROWN is a new form of cross-protocol Bleichenbacher padding oracle attack (http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5). It allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key

CVE:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800

Details:

https://drownattack.com/

What is vulnerable?

Any server product which provides SSLv2, or is potentially hosted under SSLv2 is potentially vulnerable.

IDM is not vulnerable to the DROWN attack because

  • The native components utilizing OpenSSL already disabled SSLv2 (&SSLv3) as a part of the POODLE fix.
  • Java apps using JSSE are not vulnerable as SSLv2 is not implemented