Ecessa software versions 10.2.24, 10.4.6 and newer, all versions of 10.5, and all versions of 10.6 are not vulnerable to this issue. Both SSLv2 and SSLv3 ciphers are disabled and could not be used to exploit this vulnerability.
Description of vulnerability:
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
Limiting access using Management Acess Lists - https://support.ecessa.com/hc/en-us/articles/200437253-How-do-I-limit-management-access-to-the-Ecessa-appliance-
Configuring access to services - https://support.ecessa.com/hc/en-us/articles/200144096-Configure-Services
Upgrading Ecessa devices - https://support.ecessa.com/hc/en-us/articles/200143446-How-do-I-upgrade-the-firmware-on-the-Ecessa-appliance-
0 Comments