Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. Exploitation of this vulnerability—referred to as DROWN in public reporting—may allow a remote attacker to obtain the private key of a server supporting SSLv2.
Symas encourages users and administrators to review Vulnerability Note VU#583776 and read OpenSSL’s advisory for additional information.
Remediation: Symas OpenLDAP can be protected against DROWN by doing the following:
Ensure you are running Symas OpenLDAP release 2.4.40-1 or later. If you need to upgrade, the latest release, 2.4.43-1, can be downloaded at https://symas.com/downloads
Set TLSProtocolMin to completely disable all protocols below 3.1 (that is, SSLv2 and SSLv3; TLS 1.0 and later remain available). To do this, add the following to the global section of your slapd.conf file (slapd restart required):

TLSProtocolMin 3.1

Or, if you use cn=config, add:

olcTLSProtocolMin: 3.1
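The following shell script is an added example for the two steps above; it is not Symas tooling. It audits a slapd.conf or a cn=config LDIF export for a TLSProtocolMin / olcTLSProtocolMin value of 3.1 or higher, and prints the LDIF an administrator would pipe into ldapmodify to set olcTLSProtocolMin under cn=config. The sample configuration files it writes are constructed for the demonstration, and the ldapmodify invocation in the comments assumes the usual root access to cn=config over ldapi:/// with SASL EXTERNAL.

```shell
#!/bin/sh
# Added example, not Symas's own tooling: check an OpenLDAP configuration for
# the DROWN mitigation (TLSProtocolMin / olcTLSProtocolMin >= 3.1) and emit the
# LDIF that applies it under cn=config.

# Return 0 if the file sets TLSProtocolMin (slapd.conf syntax) or
# olcTLSProtocolMin (cn=config LDIF syntax) to 3.1 (TLS 1.0) or higher,
# 1 otherwise. Attribute names are matched case-insensitively; commented-out
# lines are ignored because the pattern is anchored at column one.
check_tls_protocol_min() {
    cfg="$1"
    val=$(grep -iE '^(olc)?TLSProtocolMin[[:space:]:]' "$cfg" \
          | tail -n 1 \
          | sed -E 's/^[^[:space:]:]+[[:space:]:]+//' \
          | tr -d '[:space:]')
    case "$val" in
        '')        return 1 ;;   # not set: slapd's default applies, SSLv2 may be offered
        *[!0-9.]*) return 1 ;;   # malformed value, treat as unsafe
        *.*)       major=${val%%.*}; minor=${val#*.} ;;
        *)         major=$val; minor=0 ;;
    esac
    # 2.0 is SSLv2 and 3.0 is SSLv3; both must be rejected, 3.1 (TLS 1.0) is the floor.
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 1 ]; }
}

# Print the LDIF that sets (or replaces) olcTLSProtocolMin on cn=config.
# Assumed usage on the server:  drown_fix_ldif 3.1 | ldapmodify -Y EXTERNAL -H ldapi:///
drown_fix_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSProtocolMin\nolcTLSProtocolMin: %s\n' "${1:-3.1}"
}

# Constructed sample configurations (not taken from any real deployment).
demo_dir=$(mktemp -d)
printf 'TLSCertificateFile /etc/ssl/slapd.pem\n# TLSProtocolMin 3.1\n' > "$demo_dir/unpatched.conf"
printf 'TLSCertificateFile /etc/ssl/slapd.pem\nTLSProtocolMin 3.1\n'   > "$demo_dir/patched.conf"
for f in "$demo_dir"/*.conf; do
    if check_tls_protocol_min "$f"; then
        echo "$f: OK, protocols below 3.1 disabled"
    else
        echo "$f: SSLv2/SSLv3 still negotiable, add TLSProtocolMin 3.1 and restart slapd"
    fi
done
drown_fix_ldif 3.1
rm -rf "$demo_dir"
```

Run the check against every slapd.conf (or an `slapcat -n 0` export of cn=config) in the fleet before and after the change; a missing attribute is reported as unsafe rather than ignored, since the default lets slapd negotiate whatever the linked OpenSSL permits.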
For questions or concerns, please contact Symas Support.