DROWN Vulnerability - (CVE-2016-0800)

Updated March 11, 2016

On Tuesday, March 1, 2016, a new vulnerability was announced in a commonly used, but older protocol called Secure Sockets Layer version 2 (SSL v2).  Researchers identified the DROWN (Decrypting RSA with Obsolete and Weakened Encryption), where an attacker repeatedly observes connections over a long period of time, and may be able to eventually decrypt one of the sessions. DROWN is not easy to exploit and takes multiple sessions and time.  While this can be expedited via scripting massive amounts of connections, Ceridian has mitigating controls in place to detect and prevent this.  

What has Ceridian done?

Ceridian removed SSL v2 support from a number of our critical systems by March 3rd. This week, Ceridian updated our intrusion prevention and intrusion detection systems to block and alert for any attempts to exploit DROWN.  At present, we have seen no attempts to exploit DROWN.

Ceridian has scheduled a change to our technical infrastructure that will disable any SSL v2 traffic next week.

What should Ceridian customers do?

Desktop browser side protection: Customers should be aware that older browsers are vulnerable when used to access any web page that supports SSLv2. Therefore, customers should ensure they have updated to more current versions of their supported browsers; or manually disabled all SSL versions and enabled TLS v1. All Ceridian web pages’ support TLS v1.

For help with enabling TLS on IE, Firefox, Safari and Chrome, click here.