DROWN Vulnerability

March 02, 2016
The recently announced DROWN attack is a new technique for reading the contents of secure messages. This vulnerability affects computers that still support SSLv2, an obsolete version of the SSL protocol. By observing multiple SSL handshakes and then repeatedly initiating connections, an attacker could decrypt TLS-encrypted ciphertext.
 
On-Premises Customers
Microsoft IIS version 7 and above, and versions 3.13 and above of the NSS crypto library, all have SSLv2 disabled by default. You can check if you are vulnerable by visiting https://www.ssllabs.com/ssltest/index.html and entering your server URL.
There is also a test at http://test.drownattack.com. Please note that this test uses cached data, so it may not reflect recent patches across all servers.
Instructions for disabling SSLv2 on older IIS versions can be found here: https://support.microsoft.com/en-us/kb/187498.
OpenSSL is not part of MobiControl, so this should not be an issue for SOTI clients.
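For servers the public tests above cannot reach, SSLv2 support can also be checked directly from the internal network. The Python sketch below is an added example, not SOTI or Microsoft code: it sends an SSLv2 CLIENT-HELLO and classifies the first reply. The function names, result labels and the hostname in the usage comment are assumptions of this example.

```python
import socket
import struct
import sys

# The seven SSLv2 cipher kinds (3 bytes each) offered by the probe.
SSL2_CIPHERS = bytes.fromhex("0100800200800300800400800500800600400700c0")


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build an SSLv2 CLIENT-HELLO record (2-byte header, high bit set)."""
    # msg type 1, version 0x0002, cipher-spec len, session-id len 0, challenge len
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returns after the CLIENT-HELLO."""
    if not data or data[0] == 0x15:
        return "refused"          # closed connection or TLS alert record
    if len(data) >= 3 and data[0] & 0x80:
        if data[2] == 4:
            return "sslv2-accepted"   # SSLv2 SERVER-HELLO: protocol is enabled
        if data[2] == 0:
            return "sslv2-error"      # SSLv2 ERROR message: SSLv2 code path is live
    return "inconclusive"         # e.g. plain HTTP or another protocol


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the CLIENT-HELLO, classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            return classify_reply(sock.recv(4096))
    except ConnectionResetError:
        return "refused"
    except socket.timeout:
        return "inconclusive"


if __name__ == "__main__":
    # Usage: python sslv2_check.py mdm.example.internal [port]  (hostname is a placeholder)
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(sys.argv[1], port, probe(sys.argv[1], port))
```

A result of "sslv2-accepted" or "sslv2-error" means the server still processes SSLv2 and should have the protocol disabled; the check covers only the single host and port it is pointed at.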
 
Cloud Customers
MobiControl Cloud customers are NOT vulnerable to this attack.
As part of the setup and hardening process for MobiControl Cloud servers, we ensure all unnecessary protocols are disabled, including SSLv2.
 
SOTI Services
The systems that host SOTI Services have been patched and are not vulnerable to this type of attack.