CVSS v2 Base Score
s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they *displace* encrypted-key bytes. This leads to an efficient divide-and-conquer key recovery attack: If an eavesdropper has intercepted an SSLv2 handshake, they can use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation.
Find more about CVE-2016-0703 from MITRE CVE directory.
All FoxT products have the SSLv2 protocol disabled and are thus not affected by this vulnerability.
Still have questions? We can help. Submit a case to Technical Support.