
THREAT BRIEF

Minimize Your Exposure to a DROWN Attack Patching and Remediation Will Protect OpenSSL HTTPS Websites that Are at Risk

Executive Summary

A new OpenSSL vulnerability, DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), affects servers using SSLv2. DROWN lets an attacker perform MITM attacks on TLS connections in under 1 minute by sending probes to servers that support SSLv2. Announced on March 1, 2016, the vulnerability impacts roughly 33% of web servers worldwide. But its impact is even larger than those numbers indicate: other services that allow SSLv2, including email servers, embedded systems, web applications, and software supporting SSL/TLS, are also vulnerable.

Three Steps for Remediating DROWN

Called Heartbleed 2.0 by some, DROWN is widespread and serious. Like Heartbleed, DROWN requires immediate remediation. A patch is already available, but because the vulnerability persists even after you patch, here's what Venafi recommends:

STEP 1: Patch. Apply the patch that OpenSSL has already provided to deprecate support for SSLv2.

STEP 2: Block. Disable support for SSLv2 on any system that allows SSL/TLS connections.

STEP 3: Replace. Generate a new private key and obtain a new certificate to replace existing private keys on impacted servers.

Automating Replacement Increases Speed and Efficiency

STEP 3 is particularly important because after you patch, keys and certificates remain vulnerable—unless you take action. The Venafi Trust Protection Platform helps you quickly replace all vulnerable keys and certificates. By automating the process, the solution reduces the risks of human error and delivers a faster path to safety. Here's where Venafi can help.

•• Venafi TrustAuthority™ identifies SSLv2-enabled systems under Venafi's control via validation reporting. Then it creates new keys in compliance with your policies and generates new certificate signing requests (CSRs).
•• Venafi TrustForce™ automatically replaces keys and certificates on impacted systems.
•• Venafi TrustAuthority™ continually monitors your environment for anomalies and validates that all keys and certificates have been replaced and old ones have been revoked.

The Value of Protecting Your Keys and Certificates

DROWN reinforces the challenge of too much blind trust when it comes to SSL/TLS certificates and keys. This most recent attack also emphasizes the importance of being able to replace keys and certificates rapidly—just like you would for potentially compromised .

Threats like DROWN are serious because cybercriminals use SSL/TLS to hide attacks, evade detection, and bypass critical security controls. Gartner estimates that by 2017, more than 50% of network attacks will use SSL/TLS.[1] Most organizations lack the ability to decrypt and inspect SSL communications to detect these threats. This blind spot undermines traditional layered defenses and creates an unacceptable risk of and data loss.
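For STEP 2, a small shell audit helper, added here as an example and not part of Venafi's tooling or the brief: it reads the last Apache SSLProtocol or nginx ssl_protocols directive in a config file and reports whether SSLv2 is still allowed, so the weak setting (`SSLProtocol all`) can be compared with the corrected one (`SSLProtocol all -SSLv2 -SSLv3`). It assumes the older mod_ssl reading of `all` as shorthand that includes SSLv2, and the default of `all` when the directive is absent; the config paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Audit helper for STEP 2 (block SSLv2): read the last uncommented Apache
# "SSLProtocol" or nginx "ssl_protocols" directive in a config file and report
# whether SSLv2 is still allowed. Exit status 0 = SSLv2 disabled, 1 = allowed.
# Assumption (older mod_ssl semantics): "all" is shorthand that includes SSLv2
# unless "-SSLv2" is present, and a missing directive means the default "all".
sslv2_status() {
    conf="$1"
    # Last directive wins, as in the real servers; lowercase for matching and
    # drop the trailing ';' nginx uses. Comment lines never match ('#' precedes).
    line=$(grep -iE '^[[:space:]]*(SSLProtocol|ssl_protocols)[[:space:]]' "$conf" \
           | tail -n 1 | tr 'A-Z' 'a-z' | tr -d ';')
    if [ -z "$line" ]; then
        echo "$conf: no protocol directive, default 'all' leaves SSLv2 ALLOWED"
        return 1
    fi
    allowed=0   # set when a token enables SSLv2
    removed=0   # set when -SSLv2 explicitly removes it (wins over "all")
    for tok in $line; do
        case "$tok" in
            sslprotocol|ssl_protocols) ;;          # directive name itself
            all|+sslv2|sslv2)          allowed=1 ;;
            -sslv2)                    removed=1 ;;
        esac
    done
    if [ "$allowed" -eq 1 ] && [ "$removed" -eq 0 ]; then
        echo "$conf: SSLv2 ALLOWED by '$line'"
        return 1
    fi
    echo "$conf: SSLv2 disabled by '$line'"
    return 0
}

# Usage (placeholder paths): sslv2_check.sh /etc/httpd/conf.d/ssl.conf /etc/nginx/nginx.conf
for f in "$@"; do sslv2_status "$f" || :; done
```

A non-zero exit for any file flags a host that still needs the STEP 2 change; confirm the running server afterwards, since include files and per-vhost overrides can differ from the file you audited.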

Venafi Provides the Visibility and Control You Need

With Venafi, robust key and certificate management maximizes the encrypted traffic that can be decrypted and inspected. Venafi integrates with leading SSL decryption systems, NGFW, IPS, UTM, secure gateways, DLP, anti- solutions, and more, to automate the entire process of distribution, installation, and validation, eliminating the blind spots in your threat detection strategy.

©2016 Venafi, Inc. All rights reserved. Venafi and the Venafi logo are trademarks of Venafi, Inc.

www.venafi.com