March 02, 2016
The recently announced DROWN attack is a new technique for reading the contents of secure messages. This vulnerability affects computers that run a type of protection known as SSLv2 and, through observation of multiple SSL handshakes followed by repeated connection initiations, could allow an attacker to decrypt TLS-encrypted ciphertext.
Microsoft IIS version 7 and above, and versions 3.13 and above of the NSS crypto library all have SSLv2 disabled by default. You can check if you are vulnerable by visiting https://www.ssllabs.com/ssltest/index.html and entering your server URL.
There is also a test at http://test.drownattack.com. Please note that this test uses cached data, so it may not reflect recent patches across all servers.
OpenSSL isn’t part of MobiControl, so this should not be an issue for SOTI clients.
MobiControl Cloud customers are NOT vulnerable to this attack.
As part of the setup and hardening process for MobiControl Cloud servers, we ensure all unnecessary protocols are disabled, including SSLv2.
The systems that host SOTI Services have been patched and are not vulnerable to this type of attack.