Ecessa Addresses DROWN — Newer Versions of Firmware Not Vulnerable

Ecessa software revisions guard against the DROWN vulnerability

If you are running the latest firmware on your Ecessa device, it is not at risk from CVE-2016-0800 (DROWN, a cross-protocol attack on TLS using SSLv2). Ecessa firmware versions 10.2.24, 10.4.6 and newer, all versions of 10.5, and all versions of 10.6 are not vulnerable to this issue: both SSLv2 and SSLv3 ciphers are disabled on these releases, so they cannot be used to exploit this vulnerability.

Description of vulnerability:

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a “DROWN” attack.
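The fix described above is that the appliance's TLS services no longer accept SSLv2, so a practical verification is to offer the server an SSLv2 CLIENT-HELLO and confirm it does not answer with an SSLv2 SERVER-HELLO. The following script is an added example, not Ecessa's code or tooling: it builds the CLIENT-HELLO from the SSL 2.0 record layout, parses any SERVER-HELLO that comes back, and includes a constructed sample reply so the parser can be exercised offline. Modern OpenSSL builds no longer speak SSLv2, so `openssl s_client -ssl2` is not available for this check; the host and port are placeholders you supply.

```python
"""Added example (not Ecessa's code): probe whether a TLS endpoint still
accepts SSLv2 handshakes, the precondition for a DROWN oracle."""
import os
import socket
import struct
import sys

# SSLv2 cipher-spec identifiers (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_sslv2_client_hello(challenge: bytes = b"") -> bytes:
    """Build an SSLv2 CLIENT-HELLO that offers every SSLv2 cipher spec."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHER_SPECS)
    body = (
        bytes([MSG_CLIENT_HELLO])
        + b"\x00\x02"                         # client version: SSL 2.0
        + struct.pack(">H", len(specs))       # cipher-spec length
        + struct.pack(">H", 0)                # session-id length (no resumption)
        + struct.pack(">H", len(challenge))   # challenge length
        + specs
        + challenge
    )
    # Two-byte SSLv2 record header: high bit set, 15-bit body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data: bytes):
    """Return a dict describing an SSLv2 SERVER-HELLO, or None if the reply
    is anything else (TLS alert, connection close, garbage)."""
    if len(data) < 2 or not (data[0] & 0x80):
        return None
    body_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + body_len]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    cert_type = body[2]
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, specs_len, conn_id_len = struct.unpack(">HHH", body[5:11])
    if len(body) < 11 + cert_len + specs_len + conn_id_len:
        return None
    specs_start = 11 + cert_len
    raw = body[specs_start:specs_start + specs_len]
    ciphers = [SSLV2_CIPHER_SPECS.get(raw[i:i + 3], raw[i:i + 3].hex())
               for i in range(0, len(raw), 3)]
    return {"version": version, "cert_type": cert_type, "ciphers": ciphers}


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Send one CLIENT-HELLO to host:port; return the parsed SERVER-HELLO,
    or None when the server refuses SSLv2 (alert, close or silence)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return None
    return parse_sslv2_server_hello(reply)


def build_sample_server_hello() -> bytes:
    """Constructed SERVER-HELLO for offline testing; not captured from any
    real device. The certificate bytes are a placeholder, not real DER."""
    cert = b"\x30\x82\x00\x00"
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"
    conn_id = bytes(range(16))
    body = (bytes([MSG_SERVER_HELLO, 0x00, 0x01]) + b"\x00\x02"
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    # Offline demonstration on the constructed reply.
    print("sample reply parses as:", parse_sslv2_server_hello(build_sample_server_hello()))
    # Live check: python probe.py <host> [port]   (host/port are placeholders)
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        result = probe_sslv2(sys.argv[1], port)
        print("SSLv2 accepted:" if result else "SSLv2 refused", result or "")
```

A result of `None` from `probe_sslv2` is the expected outcome on the firmware versions listed above. Because DROWN is a cross-protocol attack, run the check against every service that presents the same RSA key or certificate as the appliance, not only the management interface, since an SSLv2 endpoint elsewhere sharing that key would undermine the TLS services here.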

For related topics and for instructions on how to upgrade Ecessa firmware, please see the articles below.

Limiting access using Management Access Lists – https://support.ecessa.com/hc/en-us/articles/200437253-How-do-I-limit-management-access-to-the-Ecessa-appliance-

Configuring access to services – https://support.ecessa.com/hc/en-us/articles/200144096-Configure-Services

Upgrading Ecessa devices – https://support.ecessa.com/hc/en-us/articles/200143446-How-do-I-upgrade-the-firmware-on-the-Ecessa-appliance-