DROWN at Qualys

On March 1st the DROWN vulnerability in openssl was disclosed. Exploited successfully by an attacker it can lead to decryption of SSL/TLS sessions.

On March 2nd our internal scanning indicated that we had 3 servers that were susceptible to DROWN. These 3 servers were part of a partner facing version of an application that was in the process of being decommissioned. No DNS names were connected to the servers anymore, but the IP addresses were still accessible.

On March 3rd we received a number of queries regarding the configuration of these servers and their susceptibility to DROWN. After verifying with the partner affected to assure that there was no more use of the servers, we turned off access to the respective services.

The certificate that was served on these machines is being reemitted with a new private key.