Last week’s OpenSSL security advisory reminded us, once again, how broken SSLv2 is. CVE-2016-0800, aka DROWN, yet another vulnerability with a catchy name, is the newest one.
The vulnerability is present when an SSL server supports both SSLv2 with EXPORT ciphers and TLSv1.x, and uses the same private RSA key for connections on both versions, as is generally the case. In this scenario, breaking an SSLv2 connection (made easier by a second vulnerability, CVE-2016-0703) lets an attacker also compromise TLS sessions on that server.
We want to reassure concerned customers that NetScaler is unaffected by DROWN. NetScaler MPX-FIPS, NetScaler SDX, Command Center Appliance and Insight Center removed support for SSLv2 long ago, while NetScaler MPX and NetScaler VPX disable SSLv2 by default. This was also pointed out recently in response to the January 2016 OpenSSL issues. If customers have SSLv2 enabled on their NetScaler deployments, we recommend that they move to TLSv1.1 at a minimum.
Here’s how to turn off SSLv2 on NetScaler – https://www.citrix.com/content/dam/citrix/en_us/citrix-developer/documents/Netscaler/how-to-disable-ssl-v2-on-ns-v3.pdf
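As an added illustration (not from the linked Citrix document), the NetScaler CLI settings for a front-end SSL virtual server with SSLv2 still on, beside the corrected settings that follow the recommendation above; the vserver name vs_web_443 is an assumed placeholder:

```text
# Weak: SSLv2 left enabled next to TLS, so the same RSA key serves both (the DROWN precondition)
> set ssl vserver vs_web_443 -ssl2 ENABLED -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED

# Corrected: SSLv2 and SSLv3 off, TLSv1.0 off, TLSv1.1 as the minimum, TLSv1.2 preferred
> set ssl vserver vs_web_443 -ssl2 DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 ENABLED -tls12 ENABLED

# Verify: the protocol line of the output should read SSLv2: DISABLED
> show ssl vserver vs_web_443

# Persist the running configuration
> save ns config
```

Back-end SSL services take the same protocol flags via set ssl service, so check those as well if the appliance re-encrypts to origin servers.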
Get your NetScaler an A+ rating on SSL – https://www.citrix.com/blogs/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/