
KB-6430: Does CVE-2016-0800 or CVE-2016-0703 affect Centrify?

Centrify DirectAudit, Centrify DirectControl

28 June 2016 at 01:45 PM

Applies to Centrify Server Suite on all platforms.

Description:
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
Reference link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800

The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
Reference link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703
 
Question:
  • Has Centrify been affected by the above vulnerabilities? And when will Centrify release a fix for this?
Answer:
  • The CVEs describe a flaw in the SSLv2 protocol, which is what the DROWN attack takes advantage of.
  • The Centrify DirectControl and DirectAudit products use the OpenSSL crypto library but do not use SSL. Authentication uses Kerberos, and all LDAP traffic is protected by GSSAPI privacy.
  • We do use cURL over HTTPS to retrieve CRLs in support of certificate auto-enrollment. This is a client-side process, so the exposure largely depends on what the HTTPS server supports.
  • A risk exists only if a non-Centrify application uses SSLv2 through our OpenSSL library. As long as no other application uses SSLv2 with our library, there is no vulnerability that can be taken advantage of.
  • We do not claim to provide OpenSSL for general use; it is shipped for our own purposes because we rely on the specific cryptographic functions the library provides, and it is not intended to be used by anything outside of Centrify.
  • If someone chooses to link their code against our shipped library and uses it in a way affected by the vulnerability, then the DROWN vulnerability applies to that code.
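The condition above is that nothing answers SSLv2 through the shipped library. As an added example (not Centrify's code), the following Python probe lets an administrator confirm that for a service they operate: it sends a minimal SSLv2 CLIENT-HELLO and reports whether the peer replies with an SSLv2 SERVER-HELLO. The host, port and the three cipher specs are assumptions; the test data below is constructed.

```python
import socket
import struct

# SSLv2 message types and version from the SSLv2 protocol draft
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002
# Three common SSLv2 cipher specs (3 bytes each): RC4-MD5, DES-CBC3-MD5, EXP-RC4-MD5 (assumed set)
SSL2_CIPHERS = b"\x01\x00\x80" b"\x07\x00\xc0" b"\x02\x00\x80"


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Encode an SSLv2 CLIENT-HELLO with a 2-byte record header (high bit set = no padding)."""
    body = struct.pack(">BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION,
                       len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge          # cipher specs, empty session id, challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data: bytes) -> dict:
    """Decide from the first bytes returned whether the peer spoke SSLv2."""
    if not data:
        return {"sslv2": False, "reason": "connection closed without an SSLv2 record"}
    if data[0] in (0x15, 0x16) and len(data) > 1 and data[1] == 0x03:
        return {"sslv2": False, "reason": "peer answered with a TLS record, not SSLv2"}
    # An SSLv2 record header is 2 bytes when the high bit is set, otherwise 3 bytes
    body = data[2:] if data[0] & 0x80 else data[3:]
    if body and body[0] == SSL2_MT_SERVER_HELLO:
        return {"sslv2": True, "reason": "peer answered with SSLv2 SERVER-HELLO"}
    return {"sslv2": False, "reason": "unrecognised response"}


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Probe one service you administer and report whether SSLv2 is still enabled."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, check_host(target))
```

A positive result only tells you that SSLv2 is enabled on that service, which is the condition the answer above says must be ruled out; disabling SSLv2 in that application's configuration removes it.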
 
Note:
  • DirectControl is built on OpenSSL 0.9.8 and has been kept up to date with its patch releases. Suite 2016 is built on and includes OpenSSL 0.9.8zg.
  • We will be upgrading to OpenSSL 1.0.2 in Suite 2016.1; if this is a concern, we recommend upgrading as soon as it is released.