Environment
NetIQ eDirectory 9.0.1
NetIQ eDirectory 8.8 SP8 Patch 8
NetIQ iManager 3.0.1
NetIQ iManager 2.7 Sp7 Patch 7
NetIQ LDAP Proxy 1.5.2
CVE-2016-0800: DROWN cross-protocol attack on TLS using SSLv2
CVE-2015-3197: SSLv2 doesn't block disabled ciphers
Situation
Where can a listing be found of the current eDirectory, iManager and LDAP Proxy versions and which versions of SSL/TLS each one supports?
Are any of the above products vulnerable to the DROWN attack? Given the weaknesses found in older SSL protocols such as SSLv2, administrators want to know whether current versions of eDirectory still accept these protocols and which versions support the newer protocols such as TLS 1.2.
Resolution
eDirectory 8.8 SP8 & 9.0
SSLv2:
- eDirectory 8.8.8 Linux
  - This protocol has always been disabled and cannot be manually re-enabled.
- eDirectory 8.8.8 Windows
  - A vulnerability has been found in OpenSSL, CVE-2015-3197, that allows a client to negotiate SSLv2 ciphers that have been disabled on the server. This has been addressed in 8.8 SP8 Patch 8.
- eDirectory 9.0
  - By default 9.0 is in FIPS mode, which does not allow SSLv2. However, the server can still be configured to allow it. This has been resolved in 9.0's first patch, 9.0.1.
SSLv3:
- HTTPS
- Both eDirectory 8.8 SP8 and 9.0 have SSLv3 disabled by default in their HTTPS stack and it cannot be enabled.
- LDAPS
- 8.8SP8
- Enabled by default for LDAPS. SSLv3 support can be disabled in iManager using the LDAP Options role.
- 9.0.x
- By default, eDirectory is in FIPS mode, which does not allow SSLv3 ciphers. To disable FIPS mode and allow SSLv3 handshakes, pass n4u.server.fips_tls=0 as a parameter to the ndsconfig set command and restart the server. Example: ndsconfig set n4u.server.fips_tls=0. Note that this lowers the security of every TLS listener on the server, not only the one that needs SSLv3.
TLSv1.0:
- 8.8 SP8: TLS 1.0 is the highest version supported. If SSLv3 is disabled, TLS 1.0 is the only protocol available for LDAPS.
- 9.0: supports TLS 1.0, 1.1 & 1.2.
TLSv1.1 & 1.2:
- Only eDirectory 9.0 can support these handshakes. To configure eDirectory 9.0 to only allow TLS 1.2 please see: TID 7017644
iManager 2.7 SP7 & 3.0
SSLv2:
- Support for this was removed from iManager years ago. Therefore, neither version can fall back to the old SSLv2 ciphers, and both are immune to the DROWN vulnerability and CVE-2015-3197.
- Both 2.7 SP7 & 3.0 have this disabled and it cannot be manually re-enabled.
SSLv3:
- In both versions of iManager this is disabled by default. However, this can be enabled for older browsers by editing the JRE java.security and Tomcat server.xml files. For more information:
TLSv1.0, 1.1 & 1.2:
- Both iManager 2.7 SP7 and iManager 3.0 support TLS versions 1.0, 1.1 and 1.2.
LDAP Proxy 1.5.2
- SSLv2:
- SSLv2 was completely removed as of LDAP Proxy 1.5.1, so 1.5.2 is immune to the DROWN attack.
- SSLv3:
- By default this is disabled. However, both the back-ends and listener can be configured to listen using SSLv3 if older clients are still in use.
- TLSv1.0, 1.1 & 1.2:
- These are all fully supported.
In summary, at the patch levels listed above the products mentioned are immune to DROWN. Because DROWN can also be mounted through any other SSLv2-capable service that uses the same RSA key or certificate, check that no such service shares a key with these servers.
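The tables above say what each product should accept; the script below, an added example that is not part of this TID or of the NetIQ products, verifies it from the outside with openssl s_client. It tries each protocol version flag against a listener (eDirectory LDAPS on 636 and the eDirectory or iManager HTTPS stack on 8443 are the usual ports, but the host and port here are placeholders for your own deployment) and classifies the result by parsing the s_client transcript. The two transcripts embedded in the script are constructed, trimmed samples used only to check the parser offline; the "unknown option" text it matches is OpenSSL's own message for a version flag the build no longer supports.

```shell
#!/bin/sh
# Added example (not from the TID): probe which SSL/TLS versions a listener accepts.
# HOST and PORT are placeholders; confirm the ports used in your own deployment.

# handshake_ok reads one "openssl s_client" transcript on stdin and succeeds only if
# the server completed a handshake: a negotiated session shows a real cipher in the
# SSL-Session block, a refused version shows "Cipher    : 0000" and/or an alert.
handshake_ok() {
    awk '
        /Protocol *:/ { proto = $NF }
        /Cipher *:/   { cipher = $NF }
        /handshake failure|wrong version number|unsupported protocol|alert protocol version|no protocols available/ { bad = 1 }
        END {
            if (bad == 0 && proto != "" && cipher != "" && cipher != "0000") exit 0
            exit 1
        }
    '
}

# probe HOST PORT: try every version flag, oldest first, and print one verdict per line.
# Modern OpenSSL builds drop -ssl2 (and often -ssl3); those come back as "unknown option"
# and are reported as untestable rather than as refused by the server.
probe() {
    host=$1
    port=$2
    for flag in ssl2 ssl3 tls1 tls1_1 tls1_2; do
        out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" "-$flag" 2>&1) || true
        if printf '%s\n' "$out" | handshake_ok; then
            echo "$flag: accepted"
        elif printf '%s\n' "$out" | grep -qi 'unknown option'; then
            echo "$flag: not testable (this openssl was built without -$flag)"
        else
            echo "$flag: refused"
        fi
    done
}

# Constructed transcripts (trimmed to the lines the parser looks at) so the parser can be
# checked offline; real s_client output also carries the certificate chain.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

SAMPLE_REFUSED='CONNECTED(00000003)
139:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# selfcheck succeeds only if both constructed transcripts are classified correctly.
selfcheck() {
    printf '%s\n' "$SAMPLE_ACCEPTED" | handshake_ok || return 1
    if printf '%s\n' "$SAMPLE_REFUSED" | handshake_ok; then return 1; fi
    return 0
}

if [ "$#" -ge 2 ]; then
    probe "$1" "$2"
else
    if selfcheck; then echo "parser self-check passed; usage: $0 HOST PORT"; fi
fi
```

Run it as `sh probe.sh ldap.example.com 636` and compare the verdicts with the tables above: an eDirectory 8.8 SP8 LDAPS listener with SSLv3 still enabled should report ssl3 and tls1 as accepted and tls1_1/tls1_2 as refused, while eDirectory 9.0.1 in FIPS mode should refuse ssl3. A "not testable" verdict for ssl2 means your OpenSSL cannot speak SSLv2 at all, so it says nothing about the server; to test a plain LDAP port that upgrades with StartTLS you would add `-starttls ldap` to the s_client command (available in OpenSSL 1.1.1 and later).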