CPSEC-9: OpenSSL vulnerable to DROWN attack

October 19, 2018

Summary: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and in other products, requires a server to send a ServerVerify message before establishing that the client possesses certain plaintext RSA data. This behavior makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a “DROWN” attack. Cradlepoint routers were not affected by this vulnerability (CVE-2016-0800).

Mitigation: Update firmware to version 6.1.0 or newer as part of the normal maintenance schedule.

CVE-2016-0800 NIST/NVD Detail