DROWN security threat

From m204wiki
Revision as of 18:22, 24 March 2016 by JAL (3/23/16 draft of DROWN notice)

Janus Network Security customers should be aware of a security threat known as the "DROWN attack" (https://drownattack.com/). DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSL V2 server that uses the same private key.

Recommendations

The DROWN threat exploits a security vulnerability of SSL ports that use SSL V2. In response, the Rocket M204 security team has the following recommendations:

1. Disable SSL V2

  • On Model 204 7.5 and later, SSL V2 support is already disabled. This eliminates exposure to the DROWN attack.
  • On an older version of Model 204, set the Janus port parameter SSLPROT to X'1E' on all Janus SSL ports. This disables SSL V2. The SSLPROT default for these versions is X'07'.
  • It is also strongly recommended that you upgrade to Model 204 7.6 as soon as possible.

  • Make sure that Janus ports do not share certificates with any ports that support SSL V2. Even ports that do not support SSL V2 are vulnerable to the DROWN attack if they share certificates with ports that do.

2. Disable SSL V3

Although SSL V3 is not considered a major security exposure, Rocket Technical Support recommends that customers running Model 204 7.5 and later also disable SSL V3.

To do this, specify one of the following settings on all Janus SSL ports:

  • Recommended, if possible in your environment: Set SSLPROT X'10', which allows only TLS 1.2. (This approach could be problematic, however, as there are still quite a few SSL clients that do not support TLS 1.2.)
  • Next best alternative: Set SSLPROT X'18', which disables TLS 1.0.
  • Or, set SSLPROT X'1C'.
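
The following audit sketch is an added example, not Rocket code. It checks a port inventory against both recommendations above: SSL V2 or SSL V3 still enabled in SSLPROT, and a certificate shared with a port that still enables SSL V2. The bit meanings are an assumption inferred from the SSLPROT values quoted in this notice, and the port and certificate names are hypothetical.

```python
# Bit meanings inferred from the SSLPROT values quoted in this notice (assumption).
SSLPROT_BITS = {0x01: "SSL V2", 0x02: "SSL V3", 0x04: "TLS 1.0",
                0x08: "TLS 1.1", 0x10: "TLS 1.2"}


def parse_sslprot(text):
    """Accept X'1E' or bare hex such as 1E and return the integer mask."""
    t = text.strip().upper()
    if t.startswith("X'") and t.endswith("'"):
        t = t[2:-1]
    value = int(t, 16)
    if value == 0 or value & ~0x1F:
        raise ValueError(f"SSLPROT outside the inferred bit range: {text!r}")
    return value


def protocols(mask):
    """Names of the protocols a mask enables, lowest bit first."""
    return [name for bit, name in sorted(SSLPROT_BITS.items()) if mask & bit]


def audit(ports):
    """ports: iterable of (port_name, sslprot_text, certificate_name).
    Returns {port_name: [findings]}; ports with no finding are omitted."""
    parsed = [(name, parse_sslprot(prot), cert) for name, prot, cert in ports]
    # Certificates served by at least one port that still enables SSL V2.
    v2_certs = {}
    for name, mask, cert in parsed:
        if mask & 0x01:
            v2_certs.setdefault(cert, []).append(name)
    report = {}
    for name, mask, cert in parsed:
        findings = []
        if mask & 0x01:
            findings.append("SSL V2 enabled")
        elif cert in v2_certs:
            findings.append("shares certificate with SSL V2 port(s): "
                            + ", ".join(v2_certs[cert]))
        if mask & 0x02:
            findings.append("SSL V3 enabled")
        if findings:
            report[name] = findings
    return report


# Constructed inventory; port and certificate names are hypothetical.
SAMPLE_PORTS = [("WEBOLD", "X'07'", "CORPCERT"), ("WEBNEW", "X'1E'", "CORPCERT"),
                ("APIPORT", "X'18'", "APICERT"), ("BATCH", "X'1C'", "BATCHCERT")]

if __name__ == "__main__":
    for port, findings in audit(SAMPLE_PORTS).items():
        print(port, "->", "; ".join(findings))
```

In the constructed inventory, WEBNEW has SSL V2 disabled but is still reported because it uses the same certificate as WEBOLD, which has not been changed from X'07'.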

See also

For more technical information about the DROWN attack, see: https://drownattack.com/drown-attack-paper.pdf

If you have further questions about this DROWN issue, contact Rocket Technical Support at Support@RocketSoftware.com.