Messaging Gateway

  • 1.  Is SMG 10.5.4-4 affected by CVE-2016-0800?

    Posted Mar 08, 2016 11:32 AM

    Was asked to check our estate using this link to see if we were vulnerable to CVE-2016-0800. It is showing our mail servers as vulnerable but just wondering whether I need to upgrade to the latest version (was holding off as advised by Symantec support until all issues had been ironed out). Alternatively do we just need to disable support for SSLv3 and earlier in Protocols > Settings > SMTP > SSL Restrictions?

    Regards,

    Barry



  • 2.  RE: Is SMG 10.5.4-4 affected by CVE-2016-0800?

    Posted Mar 10, 2016 01:09 AM

    Hi,

    If I understood the DROWN attack correctly, disabling SSLv3 and earlier solves the issue.

    I only tested it on 10.6.0-7: by selecting the checkbox "Disable support for SSLv3 and earlier protocols in all SMTP TLS conversations", SMG does not answer with an SSLv2 header handshake, and therefore you're fine.

    If the option is not set (SSLv3 and earlier enabled), a session header is exchanged and DROWN is possible, even though no ciphers are bound to SSLv2.

    This applies only to SMTP (STARTTLS); HTTPS is a different story. Just be sure that port 443 is ONLY reachable from your own network.

    Thomas
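The check Thomas describes (does the gateway answer an SSLv2 handshake on the SMTP STARTTLS path?) can be reproduced without an SSLv2-capable OpenSSL build by sending a raw SSLv2 CLIENT-HELLO after STARTTLS and looking at what comes back. The script below is an added example written for this page; it is not code from either poster or from Symantec. It assumes the mail server name is passed on the command line, uses a placeholder EHLO name, and the two byte strings at the bottom are constructed samples (an SSLv2 SERVER-HELLO and a TLS alert) so the classifier can be exercised offline.

```python
"""Probe whether an SMTP server completes an SSLv2 handshake after STARTTLS.

Added example for the DROWN (CVE-2016-0800) discussion above. It sends an
SSLv2 CLIENT-HELLO (version 0x0002, SSLv2 cipher kinds only) and classifies
the reply: an SSLv2 SERVER-HELLO means the server still speaks SSLv2.
"""
import socket
import sys

# SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    "SSL_CK_RC4_128_WITH_MD5": b"\x01\x00\x80",
    "SSL_CK_RC4_128_EXPORT40_WITH_MD5": b"\x02\x00\x80",
    "SSL_CK_RC2_128_CBC_WITH_MD5": b"\x03\x00\x80",
    "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5": b"\x04\x00\x80",
    "SSL_CK_IDEA_128_CBC_WITH_MD5": b"\x05\x00\x80",
    "SSL_CK_DES_64_CBC_WITH_MD5": b"\x06\x00\x40",
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5": b"\x07\x00\xc0",
}


def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    ciphers = b"".join(SSLV2_CIPHERS.values())
    body = (b"\x01"                                 # MSG-CLIENT-HELLO
            + b"\x00\x02"                           # CLIENT-VERSION = SSL 2.0
            + len(ciphers).to_bytes(2, "big")       # CIPHER-SPECS-LENGTH
            + (0).to_bytes(2, "big")                # SESSION-ID-LENGTH (none)
            + len(challenge).to_bytes(2, "big")     # CHALLENGE-LENGTH
            + ciphers + challenge)
    # 2-byte SSLv2 record header: high bit set, 15-bit length, no padding.
    return (0x8000 | len(body)).to_bytes(2, "big") + body


def classify_response(data: bytes) -> str:
    """Say what kind of record the server answered with."""
    if not data:
        return "closed"                     # server dropped the connection
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:
        return "sslv2_server_hello"         # MSG-SERVER-HELLO: SSLv2 accepted
    if data[0] == 0x15 and data[1] == 0x03:
        return "tls_alert"                  # refused with a TLS alert record
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls_handshake"              # answered with a TLS handshake
    return "unknown"


def parse_sslv2_server_hello(data: bytes) -> dict:
    """Extract version and offered cipher kinds from an SSLv2 SERVER-HELLO."""
    if classify_response(data) != "sslv2_server_hello":
        raise ValueError("not an SSLv2 SERVER-HELLO")
    # Layout after the 2-byte header: type(1) session-id-hit(1) cert-type(1)
    # version(2) cert-len(2) cipher-specs-len(2) conn-id-len(2) cert ciphers id
    cert_len = int.from_bytes(data[7:9], "big")
    ciph_len = int.from_bytes(data[9:11], "big")
    raw = data[13 + cert_len:13 + cert_len + ciph_len]
    names = {v: k for k, v in SSLV2_CIPHERS.items()}
    ciphers = [names.get(raw[i:i + 3], raw[i:i + 3].hex()) for i in range(0, len(raw), 3)]
    return {"version": data[5:7].hex(), "ciphers": ciphers,
            "export_ciphers": [c for c in ciphers if "EXPORT" in c]}


def read_smtp_reply(sock: socket.socket) -> bytes:
    """Read one SMTP reply; the last line has a space (not '-') after the code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed while reading SMTP reply")
        buf += chunk
        if buf.endswith(b"\r\n"):
            last = buf[:-2].rsplit(b"\r\n", 1)[-1]
            if len(last) >= 4 and last[3:4] == b" ":
                return buf


def probe_smtp_starttls(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """EHLO, STARTTLS, then send the SSLv2 hello and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        read_smtp_reply(s)                              # banner
        s.sendall(b"EHLO drown-probe.example\r\n")      # placeholder EHLO name
        if b"STARTTLS" not in read_smtp_reply(s).upper():
            return "no_starttls"
        s.sendall(b"STARTTLS\r\n")
        if not read_smtp_reply(s).startswith(b"220"):
            return "starttls_refused"
        s.sendall(build_sslv2_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
        return classify_response(data)


# Constructed samples (not captured from any real server) for offline checks:
# a SERVER-HELLO with no certificate, two cipher kinds and a 16-byte connection id,
# and a fatal handshake_failure TLS alert.
SAMPLE_SSLV2_SERVER_HELLO = bytes.fromhex(
    "8021" "04" "00" "00" "0002" "0000" "0006" "0010" "010080" "020080") + b"\x11" * 16
SAMPLE_TLS_ALERT = bytes.fromhex("1503010002" "0228")

if __name__ == "__main__":
    print(probe_smtp_starttls(sys.argv[1]))
```

Run it against the gateway's port 25 with SSLv3-and-earlier enabled and again with the checkbox set: "sslv2_server_hello" is the behaviour Thomas saw (the server completed an SSLv2 handshake even with no SSLv2 ciphers bound), while "tls_alert" or "closed" is what a hardened server returns. The parsed cipher list also shows whether any 40-bit export kinds are offered, which is what the general DROWN attack relies on. As Thomas notes, this only exercises the SMTP STARTTLS path; the HTTPS management interface on port 443 needs a separate check.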