Personal Safeguards

DocuSign's first priority is to make your DocuSigning experience safe and secure.

The Internet is a critical component of your business and of conducting business on the DocuSign Global Network. Those committing fraud seek to take advantage of this trusted relationship for illegal purposes. DocuSign continuously monitors for such activity in order to help safeguard our customers' information, documents, and data.

You are the first and best layer of defense in combating online fraud. Learning to properly detect and avoid online and email scams is the ultimate protection against fraud. 

Key Resources: Phishing FAQ, Combating Phishing Resource Guide, Indicators of Compromise


Updates and Alerts

Stay informed: follow @askDocusign on Twitter.

Update 6/12/2017 @ 9:24 AM Pacific Time – New Phishing Campaign Observed Today

DocuSign has observed a new phishing campaign that began the morning of June 12 (Pacific Time). The email comes from William Scott “william_scott@flexovitportal.com” with the subject “Please review your document Invoice <1234567> for <recipientdomain.com>” and contains a link to a malicious, macro-enabled Word document. Do not click the link in this email; instead, forward it to spam@docusign.com and then delete the email immediately. For more information on how to spot phishing, please see our phishing white paper.

Update 5/18/2017 @ 9:30 PM Pacific Time – Follow @askdocusign on Twitter for latest updates

If you would like to be automatically informed about the latest security updates and alerts, please follow @askdocusign (DocuSign Support) on Twitter, where we will be posting notifications when the Trust Center is updated.

Update 5/17/2017 @ 1:02 PM Pacific Time – New Phishing Campaign Discovered Today

DocuSign has observed a new phishing campaign that began the morning of May 16 (Pacific Time). The email comes from “dse@dousign.com” with the subject “Legal acknowledgement for <person> Document is Ready for Signature” and it contains a link to a malicious, macro-enabled Word document. We suggest you do not open this email, but rather delete it immediately.

Update 5/16/2017 @ 8:55 Pacific Time – Key Update on Malicious Campaign

As part of our commitment to updating everyone as we identify new information during our investigation, we can now confirm that only people with a DocuSign account were impacted by this incident – those who signed a document without a DocuSign account were not among the list of email addresses that were accessed maliciously. That said, even though an employee or customer of yours would not be on the list unless they had an account with DocuSign, we would still encourage you to utilize the existing materials on the DocuSign Trust Center to help them avoid being the victims of phishing.

As an update to the frequently-asked questions we originally included below:

Q: Have the email addresses of my employees, customers or customers’ customers been exposed as part of this incident?
A: As part of our ongoing investigation, we can now confirm that no signers were on the list of email addresses that was accessed maliciously unless they had signed up for a DocuSign account. That could include direct DocuSign customers; someone who signed a document and elected to open a DocuSign account; or someone who signed up for a DocuSign freemium account – via docusign.com, through a partner integration, or via the DocuSign mobile client.

Q: Do I need to communicate to all of them?
A: We would encourage you to utilize the existing materials on the Trust Center to help your employees, customers or customers’ customers protect themselves from phishing attacks.

As always, please continue to email service@docusign.com or call +1-800-379-9973 with any additional questions.

Update 5/16/2017 @ 3:45 PM Pacific Time - DocuSign Phishing Campaigns – Indicators of Compromise

To assist customers concerned about the recent phishing incident, we’re posting this resource which contains a list of Indicators of Compromise (IOCs) which can be used by Enterprise IT and Security Teams to detect malicious activity related to this incident. DocuSign is committed to protecting your data and providing you with the latest information and resources to keep you safe.

Update 5/16/2017 @ 12:21 PM Pacific Time - Update on Malicious Campaign

As an update on the malicious phishing incident, we wanted to share some of the most frequent questions that we have been receiving in the past 12 hours. We will continue to update this site with new information as it becomes available.

Q: What actually happened?

A:

  • Last week and again yesterday, DocuSign detected an increase in phishing emails sent to some of our customers and users – and we posted alerts on the DocuSign Trust Center and in social media.
  • The emails “spoofed” the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software.
  • As part of our process in routine response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.
  • However, as part of our ongoing investigation, yesterday we confirmed that a malicious third party had gained temporary access to a separate, non-core system used for service-related announcements.
  • A complete forensic analysis has confirmed that only a list of email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

Q: Is my DocuSign envelope and data secure?

A: As part of our process in response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.

Q: Has my instance of DocuSign been impacted?

A: We have no evidence that there is any impact to any instance of DocuSign, and as part of our process in response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.

Q: What information was impacted?

A: It was a list of email addresses stored in a separate, non-core system used for service-related announcements.

Q: Have the email addresses of my employees, customers or customers’ customers been exposed as part of this incident?

A: As part of our ongoing investigation, we can now confirm that no signers were on the list of email addresses that was accessed maliciously unless they had signed up for a DocuSign account. That could include direct DocuSign customers; someone who signed a document and elected to open a DocuSign account; or someone who signed up for a DocuSign freemium account – via docusign.com, through a partner integration, or via the DocuSign mobile client.

Q: Do I need to communicate to all of them?

A: We would encourage you to utilize the existing materials on the DocuSign Trust Center to help your employees, customers or customers’ customers protect themselves from phishing attacks.

Q: How many people were affected? How many email addresses compromised?

A: Right now we are still acting on the results of our ongoing investigation and cannot comment on those details.

Q: What systems were impacted?

A: As part of our ongoing investigation, we confirmed that a malicious third party had gained temporary access to a separate, non-core system used for service-related announcements.

Q: Why did we have to hear about it via social media?

A: We have been actively communicating via the DocuSign Trust Center since last week when we first discovered the increase in phishing emails to customers and users. Then as soon as we saw the increase on Monday this week, we updated the Trust Center and posted updates across our Web site and social media channels. We are also working on direct customer outreach.

Q: Was any other information impacted outside of my email address?

A: A complete forensic analysis has confirmed that only a list of email addresses were accessed: no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

Q: How are you so sure only my email address was impacted?

A: A complete forensic analysis has confirmed that only a list of email addresses were accessed: no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed. DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

Q: What should I do about this?

A: We recommend taking the following steps to ensure the security of your email and systems:

  • Delete any emails with the subject line, “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”. These emails are not from DocuSign. They were sent by a malicious third party and contain a link to malware spam.
  • Forward any suspicious emails related to DocuSign to spam@docusign.com, and then delete them from your computer. They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like ‘@docusgn.com’ without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net.
  • Ensure your anti-virus software is enabled and up to date.
  • Review our whitepaper on phishing available at https://trust.docusign.com/static/downloads/Combating_Phishing_WP_05082017.pdf

Q: I or one of my employees opened a suspicious email. What should I do?

A: If possible, ensure that they do not click the link or install malicious code. We also recommend ongoing education and content updates for your internal teams on phishing best practices. And we recommend taking the following steps to ensure the security of your email and systems:

  • Delete any emails with the subject line, “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”. These emails are not from DocuSign. They were sent by a malicious third party and contain a link to malware spam.
  • Forward any suspicious emails related to DocuSign to spam@docusign.com, and then delete them from your computer. They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like ‘@docusgn.com’ without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net.
  • Ensure your anti-virus software is enabled and up to date.
  • Review our whitepaper on phishing available at https://trust.docusign.com/static/downloads/Combating_Phishing_WP_05082017.pdf

Q: What additional steps is DocuSign taking to address this issue?

A: We have taken immediate action to prohibit unauthorized access to this system, we have put further security controls in place, and are working with law enforcement agencies.

Q: Is this related to the global ransomware attack of late last week?

A: No.

Update 5/16/2017 – Security Advisory Status regarding MS17-010 & WannaCrypt/WannaCry Ransomware

Recently we’ve seen increased concern and discussion around an exploit released by the Shadow Brokers for a vulnerability that Microsoft acknowledged on March 14th, 2017. The issue lies in how SMBv1 handles specially crafted requests sent to a host affected by this vulnerability. The same exploit is being leveraged in the WannaCrypt/WannaCry ransomware campaign that has been in the media recently. You can reference the links below for additional information about this issue:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
https://www.us-cert.gov/ncas/alerts/TA17-132A

DocuSign takes security-related vulnerabilities and issues seriously and has tracked this issue closely through our vulnerability management process. MS17-010 was applied as part of our monthly vulnerability management cycle in March, so all applicable production systems were patched ahead of the Shadow Brokers release in mid-April. Our Digital Transaction Management platform and supporting systems are not impacted by MS17-010 or the WannaCrypt/WannaCry ransomware. Additionally, all systems are monitored for suspicious activity.

 

Update 5/15/2017 - Latest update on malicious email campaign

Last week and again this morning, DocuSign detected an increase in phishing emails sent to some of our customers and users – and we posted alerts here on the DocuSign Trust Site and in social media. The emails “spoofed” the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software. As part of our process in response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure. 
 
However, as part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.
 
We took immediate action to prohibit unauthorized access to this system, we have put further security controls in place, and are working with law enforcement agencies. Out of an abundance of caution as a trusted brand and to protect you from any further phishing attacks against your email, we’re alerting you and recommend taking the following steps to ensure the security of your email and systems:
  • Delete any emails with the subject line, “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”. These emails are not from DocuSign. They were sent by a malicious third party and contain a link to malware spam.
  • Forward any suspicious emails related to DocuSign to spam@docusign.com, and then delete them from your computer. They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like “docusgn.com” without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net.
  • Ensure your anti-virus software is enabled and up to date.
  • Review our whitepaper on phishing available at https://trust.docusign.com/static/downloads/Combating_Phishing_WP_05082017.pdf 
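The indicators in the list above (and in the identical FAQ lists earlier on this page) can be applied mechanically to a suspicious message before anyone opens it. The Python below is an added example, not DocuSign tooling: it parses a raw message with the standard library and reports the sender domain, link host, subject pattern and attachment indicators this page describes. The sample messages are constructed, modelled on the sender domains and subject lines quoted in these advisories; the lookalike domain list is taken from the page.

```python
"""Triage a DocuSign-branded email against the indicators published above (added example)."""
import email
import email.policy
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators quoted in the advisories on this page.
LEGIT_SENDER_DOMAINS = {"docusign.com", "docusign.net"}
LEGIT_LINK_HOSTS = {"www.docusign.com", "www.docusign.net"}
# Lookalike sender domains named in the advisories above.
KNOWN_LOOKALIKE_DOMAINS = {
    "docusgn.com", "docus.com", "dousign.com",
    "docusign-document.com", "docusign-secure.com",
}
# Subject lines quoted in the advisories; the variable fields become wildcards.
KNOWN_BAD_SUBJECTS = [
    re.compile(r"wire transfer .*document ready for signature", re.I),
    re.compile(r"accounting invoice .*document ready for signature", re.I),
    re.compile(r"you have a new encrypted document", re.I),
]
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.I)


def sender_domain(from_header):
    """Lower-cased domain of the From: address, or '' if it cannot be parsed."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()


def link_is_legitimate(url):
    """True only for an https link whose host is exactly a legitimate DocuSign host."""
    # Compare the parsed hostname, not a string prefix, so a hostname that
    # merely begins with 'www.docusign.com' is still rejected.
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return parsed.scheme.lower() == "https" and host in LEGIT_LINK_HOSTS


def triage(raw_message):
    """Return the list of indicators found in one raw RFC 5322 message."""
    # Header/body triage only; it complements, not replaces, SPF/DKIM/DMARC checks.
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []

    domain = sender_domain(msg["From"])
    if domain in KNOWN_LOOKALIKE_DOMAINS:
        findings.append(f"sender domain is a known lookalike: {domain}")
    elif domain not in LEGIT_SENDER_DOMAINS:
        findings.append(f"sender is not @docusign.com or @docusign.net: {domain}")

    subject = str(msg["Subject"] or "")
    if any(p.search(subject) for p in KNOWN_BAD_SUBJECTS):
        findings.append(f"subject matches a reported campaign: {subject!r}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        if not link_is_legitimate(url):
            findings.append(f"link does not lead to a legitimate DocuSign host: {url}")

    for part in msg.iter_attachments():
        findings.append(f"unexpected attachment: {part.get_filename()}")

    return findings


# Constructed sample messages (not real captures), modelled on the advisories above.
SUSPICIOUS_WIRE_TRANSFER = """\
From: DocuSign <dse@docusgn.com>
Subject: Completed: docusign.com - Wire Transfer Instructions for recipient-name Document Ready for Signature
Content-Type: text/plain; charset="utf-8"

Please review the document: http://example.invalid/review/Instructions.doc
"""

SUSPICIOUS_ATTACHMENT = """\
From: DocuSign <service@docusign-document.com>
Subject: You have a new Encrypted Document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Open the attached document.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="EncryptedDoc.doc"

placeholder-attachment-bytes
--b1--
"""

LEGITIMATE_SAMPLE = """\
From: DocuSign <dse@docusign.net>
Subject: Please review and sign your document
Content-Type: text/plain; charset="utf-8"

https://www.docusign.net/signing/example
"""
```

Calling `triage(SUSPICIOUS_WIRE_TRANSFER)` returns three findings (lookalike sender, campaign subject, non-DocuSign link), while `triage(LEGITIMATE_SAMPLE)` returns an empty list.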

Your trust and the security of your transactions, documents and data are our top priority. The DocuSign eSignature system remains secure, and you and your customers may continue to transact business through DocuSign with trust and confidence. 

 

For updates and more information, please visit the DocuSign Trust Site where we will post any new information when it becomes available. If you have any questions, please email service@docusign.com or call +1-800-379-9973.

Update 5/15/2017

For more information, please review our Combating Phishing resource guide

Update 5/15/2017 - Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: “Completed *company name* - Accounting Invoice *number* Document Ready for Signature”. The email contains a link to a downloadable Word document which is designed to trick the recipient into running what’s known as macro-enabled malware.

These emails are not associated with DocuSign. They originate from a malicious third party using DocuSign branding in the headers and body of the email. The emails are sent from non-DocuSign-related domains including dse@docus.com. Legitimate DocuSign signing emails come from @docusign.com or @docusign.net email addresses.

Please remember to be particularly cautious if you receive an invitation to sign or view a Document you are not expecting. If you have received a copy of the above email, DO NOT OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

For further advice on how to recognize malicious emails and how to protect yourself you can visit our Trust Center here: https://trust.docusign.com/en-us/personal-safeguards/fraudulent-email-websites/ 

As a leader in online eSignature security and compliance, DocuSign has a zero-tolerance policy for this type of malicious email and is fully prepared to ensure minimal impact to our customers and company. As we’ve seen, this type of malicious activity is becoming more common, especially to organizations with established, trusted brands. Please note that this malicious activity has no relation to any activity DocuSign is involved in.

Update 5/9/2017 - Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: "Completed: docusign.com - Wire Transfer Instructions for recipient-name Document Ready for Signature”.

The email contains a link to a downloadable Word document which is designed to trick the recipient into running what’s known as macro-enabled malware.

These emails are not associated with DocuSign. They originate from a malicious third party using DocuSign branding in the headers and body of the email. The emails are sent from non-DocuSign-related domains including dse@docusgn.com (note the missing "i"). Legitimate DocuSign signing emails come from @docusign.com or @docusign.net email addresses.

Please remember to be particularly cautious if you receive an invitation to sign or view a Document you are not expecting. If you have received a copy of the above email, DO NOT OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

For further advice on how to recognize malicious emails and how to protect yourself you can visit our Trust Center here: https://trust.docusign.com/en-us/personal-safeguards/fraudulent-email-websites/ 

As a leader in online eSignature security and compliance, DocuSign has a zero-tolerance policy for this type of malicious email and is fully prepared to ensure minimal impact to our customers and company. As we’ve seen, this type of malicious activity is becoming more common, especially to organizations with established, trusted brands. Please note that this malicious activity has no relation to any activity DocuSign is involved in.

Update 2/27/2017 – DocuSign and Cloudflare Security Advisory Status

Recently there was an issue reported by Cloudflare that impacted their edge servers. In some cases a parser read past the end of a buffer and returned memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Portions of this data may have been cached by search engines, so it is recommended that you change your passwords for any services hosted behind Cloudflare.

DocuSign does not utilize Cloudflare in our Digital Transaction Management platform nor do we leverage this service for our corporate infrastructure.

For more information, please see the link below: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

Update 11/22/2016 - Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: "You have a new Encrypted Document”. The email contains a Word Doc attachment “EncryptedDoc.doc” which is designed to trick the recipient into running what’s known as macro-enabled malware.

These emails are not associated with DocuSign. They originate from a malicious third party using DocuSign branding in the headers and body of the email. The emails are sent from non-DocuSign-related domains including service@docusign-document.com and service@docusign-secure.com. Legitimate DocuSign signing emails come from @docusign.com or @docusign.net email addresses.

Please remember to be particularly cautious if you receive an invitation to sign or view a Document you are not expecting. If you have received a copy of the above email, DO NOT OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

For further advice on how to recognize malicious emails and how to protect yourself you can visit our Trust Center here.

Update 7/19/16 – DocuSign and OpenSSL Security Advisory Status: CVE-2016-2107 & CVE-2016-2108

Recently there were two issues identified with OpenSSL. We have identified all impacted servers and applied the patches necessary to remediate these issues within our environment. We have also confirmed that our network perimeter infrastructure is not vulnerable to the two issues linked below. We will continue to monitor new information around known issues and exploits that may have an impact on our systems.

Here are links with more information around these issues:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2108 

Update 3/1/2016 - DROWN

On March 1st, a vulnerability in Secure Sockets Layer (SSL) Version 2 was announced under the name DROWN, which stands for Decrypting RSA with Obsolete and Weakened Encryption. DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security.

A server is vulnerable to DROWN if:

  • It allows SSLv2 connections. No DocuSign production servers allow SSLv2 connections.

OR

  • Its private key is used on any other server that allows SSLv2 connections, even for another protocol. DocuSign does not reuse the same private keys across services.

Additional information about the DROWN vulnerability can be found at:

https://drownattack.com/#paper

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3197

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0703

ALERT 12/18/2015 – Juniper Networks releases notice of backdoor software discovery

On 12/18/2015, Juniper Networks released a Security Bulletin (2015-12) outlining two security issues found during an internal code review. 

These issues were reported to be found only in the ScreenOS operating system used on the SSG series of Juniper Firewalls. 

DocuSign does not have any SSG series Juniper Firewalls installed on our network.

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713

DocuSign Single Sign-On Certificate Update

DocuSign’s Single Sign-On certificate, used for SAML AuthN requests and WS-Federation encryption in our NA1/NA2/EU1 production environments, is about to expire. As a result, the certificate consumed by your Identity Provider (IdP) will be rolled over to a new version on 8/26/2015 at 4:00:00 PM (PDT). Please prepare to update your Identity Provider (IdP) to ensure no disruption in service; otherwise your IdP will continue to use the current certificate and your SSO scenarios will stop processing starting on 8/26/2015 at 4:00:00 PM (PDT). Please note this action only applies to accounts in DocuSign’s Production environments: NA1 (www.docusign.net), NA2 (na2.docusign.net) and EU1 (eu1.docusign.net).

The new certificate is available for download here.

The SAML metadata containing the new SSO certificate has been posted as follows:

NA1: Link

NA2: Link

EU1: Link

Please be sure to update your IdP to use this new metadata information to ensure your SSO flows continue working seamlessly beyond the transfer date. If your IdPs are able to use two configurations then please update this configuration now. Otherwise please plan to roll over your IdP on 8/26/2015 at 4:00:00 PM (PDT).

For more information and questions, please contact DocuSign Enterprise Support.

ALERT 07/29/2015 -- Critical Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (MS15-078)

On July 20th, an out-of-band security update was released by Microsoft to address a critical vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

DocuSign initiated incident response procedures upon learning of the vulnerability to ensure the security of the company’s servers, core systems and online properties. We have applied the appropriate patch to all systems in accordance with our Incident Response and Vulnerability Management procedures. At this time, no further action is required.

Below is the link from Microsoft with additional details about this vulnerability: 
https://technet.microsoft.com/library/security/ms15-078

Update 7/27/15 – DocuSign and Adobe Flash status

Recently there have been a number of 0-day vulnerabilities relating to Adobe Flash. We at DocuSign do not utilize Adobe Flash within our production environment and therefore are not susceptible to the critical vulnerabilities listed below. We will continue to monitor any new information around known issues and exploits that may have an impact on our DTM platform.

Here are links to the recent Adobe 0-day vulnerabilities:
https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html

 

Update 07/6/2015 - Customer Notification: Additional IP Addresses for DocuSign Service


It’s DocuSign’s intention to provide the most robust and reliable service possible to enable your business transactions. We also want to proactively share information which may be of interest to our customers regarding the evolution of our service. A few of our customers have elected to explicitly allow internet addresses advertised by our service. It is important for those customers to keep up-to-date with our current IP address ranges. The following IP address ranges will be used by our service effective immediately and until further notification:


Current and Continuing for North America based and demo accounts: 
209.67.98.1 through 209.67.98.63 
206.25.247.129 through 206.25.247.159 
209.46.117.161 through 209.46.117.191 
162.248.184.1 through 162.248.187.255 
54.149.21.90 

New additions for North America based and demo accounts: 
54.69.114.54 
52.25.122.31 
52.25.145.215 
52.26.192.160 
52.24.91.157 
52.27.126.9 
52.11.152.229 

Current and Continuing for European Union based accounts: 
185.81.100.1 through 185.81.103.254 

New additions for European Union based accounts: 
52.28.168.105

Should you have any questions, please don’t hesitate to contact us.
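For customers who maintain such an allowlist, the published “first through last” notation has to be translated into exact network rules; several of the ranges above are not CIDR-aligned, so a single rounded prefix would admit addresses that were never published. The Python below is an added example, not DocuSign code: it expands the ranges listed in this notification into minimal CIDR networks and tests whether a source address (for instance one connecting to an endpoint that receives DocuSign callbacks) is covered. The ranges are copied from this update; the probe addresses are constructed.

```python
"""Expand the published 'first through last' ranges into an allowlist (added example)."""
import ipaddress

# Ranges exactly as published in the 7/6/2015 notification above.
PUBLISHED_RANGES = {
    "North America and demo": [
        "209.67.98.1 through 209.67.98.63",
        "206.25.247.129 through 206.25.247.159",
        "209.46.117.161 through 209.46.117.191",
        "162.248.184.1 through 162.248.187.255",
        "54.149.21.90",
        "54.69.114.54", "52.25.122.31", "52.25.145.215", "52.26.192.160",
        "52.24.91.157", "52.27.126.9", "52.11.152.229",
    ],
    "European Union": ["185.81.100.1 through 185.81.103.254", "52.28.168.105"],
}


def parse_range(text):
    """Convert 'A through B' (or a single address) into the minimal list of CIDR networks.

    The published ranges are not CIDR-aligned: 209.67.98.1 through .63 needs six
    networks, and rounding it to 209.67.98.0/26 would also admit 209.67.98.0,
    which was never published.
    """
    parts = [p.strip() for p in text.split("through")]
    first, last = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[-1])
    if last < first:
        raise ValueError(f"range end precedes start: {text!r}")
    return list(ipaddress.summarize_address_range(first, last))


def build_allowlist(ranges_by_region):
    """Flatten every published range into a collapsed, de-duplicated list of networks."""
    nets = [n for entries in ranges_by_region.values()
            for entry in entries for n in parse_range(entry)]
    return list(ipaddress.collapse_addresses(nets))


ALLOWLIST = build_allowlist(PUBLISHED_RANGES)


def is_allowed(address):
    """True if the address falls inside any published range."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in ALLOWLIST)


def as_cidrs(text):
    """String form of the networks one published range expands to (for rule files)."""
    return [str(n) for n in parse_range(text)]


if __name__ == "__main__":
    for net in ALLOWLIST:
        print(net)
    # Constructed probe addresses: inside a range, and just outside both ends of one.
    for probe in ("162.248.185.77", "209.67.98.0", "209.67.98.64"):
        print(probe, "allowed" if is_allowed(probe) else "denied")
```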

Update 7/2/2015 - DocuSign SSL/TLS Certificate Renewal

DocuSign’s SSL/TLS certificate used for NA1/NA2/EU1 production environments is set to expire. As a result, the certificate will be rolled over to a new one on 9/9/2015 at 4:00:00 PM (PDT). The new certificate will be a SHA2 (SHA256) certificate.

Please note that the SSL/TLS certificate used in our Demo environment was updated to a SHA2 (SHA256) certificate on 3/26/2015. This Demo environment is available for your testing and can be used to ensure a seamless update of the production certificate scheduled for 9/9/2015. Please test your API and Connect integrations against Demo to be assured there will be no impact when the production change occurs. If you have issues with your tests in Demo please reach out.

The new certificate is available for download here.
Link to Symantec’s stance on SHA2 technology: Link.
For more information and questions, please reach out to Customer Support or your Account Manager.
 

May 15th, 2015 – QEMU “VENOM” Vulnerability

The VENOM vulnerability impacted the Xen platform, and DocuSign has no dependencies on the Xen platform. This covers our Production and Corporate environments as well as our subsidiaries and service providers.

VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
http://venom.crowdstrike.com/
 

Critical Vulnerability in the Microsoft Windows HTTP Protocol Stack (MS15-034)

On April 14, a security patch was released by Microsoft to address a critical vulnerability in the Windows HTTP protocol stack (“HTTP.sys”) that was disclosed the same day. The vulnerability is rated Critical since it may allow remote code execution by an attacker or lead to a Denial of Service. The issue impacts all Windows HTTP services, including Internet Information Services (IIS).

DocuSign initiated incident response procedures upon learning of the vulnerability to ensure the security of the company’s servers, core systems and online properties. Since some of our technology stack includes Windows web servers, we reviewed all of our sites and supporting infrastructure to ensure all Windows based HTTP services were accounted for.

DocuSign has applied the appropriate patch to all systems in accordance with our Incident Response and Vulnerability Management procedures. At this time, no further action is required. DocuSign will continue to monitor the status of the situation and provide updates as needed.

Here are some additional resources and information about the vulnerability:

https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1635
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
 

Update 04/15/2015

Customer Notification: Additional IP Addresses for DocuSign Service

It’s DocuSign’s intention to provide the most robust and reliable service possible to enable your business transactions. We also want to proactively share information which may be of interest to our customers regarding the evolution of our service. A few of our customers have elected to explicitly allow internet addresses advertised by our service. It is important for those customers to keep up-to-date with our current IP address ranges. The following IP address ranges will be used by our service effective April 13, 2015 and until further notification:

 
Current and Continuing for North America based and demo accounts
209.67.98.1 through 209.67.98.63
206.25.247.129 through 206.25.247.159
209.46.117.161 through 209.46.117.191
162.248.184.1 through 162.248.187.255

New addition for North America based and demo accounts

54.149.21.90

These IP address ranges apply to all of our North American environments: www, NA2, and demo.

These IP address ranges will also apply to our EU1 environment until May 15th, 2015.

New and Incremental for European Union based accounts
185.81.100.1 through 185.81.103.254
This IP address range applies to our EU environment immediately, and to our EU1 endpoint after May 15th, 2015.

Should you have any questions, please don’t hesitate to contact us.

Update 03/18/2015 - FREAK

On March 3rd, a vulnerability in some Secure Sockets Layer (SSL) and Transport Layer Security (TLS) servers and clients was announced under the name FREAK, which stands for Factoring RSA Export Keys. Exploiting the vulnerability requires a man-in-the-middle (MITM) position between a vulnerable client or web browser and a target server that still supports the deliberately weakened EXPORT ciphers.

DocuSign does not support EXPORT ciphers on our TLS servers and our systems were not impacted by the vulnerability.

As with all man-in-the-middle vulnerabilities, DocuSign recommends that users always use caution when accessing secure sites over public networks, heed browser security and certificate warnings, and keep their browser up to date with the most secure configuration and software patches.

Here are some additional resources and information about the vulnerability.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204

https://www.us-cert.gov/ncas/current-activity/2015/03/06/FREAK-SSLTLS-Vulnerability

http://www.kb.cert.org/vuls/id/243585

https://www.smacktls.com/#freak

http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html

Update 02/23/2015

Customer Notification: Additional IP Addresses for DocuSign Service

It’s DocuSign’s intention to provide the most robust and reliable service possible to enable your business transactions. We also want to proactively share information which may be of interest to our customers regarding the evolution of our service. A few of our customers have elected to explicitly allow (allowlist) the internet addresses advertised by our service. It is important for those customers to keep up to date with our current IP address ranges. The following IP address ranges will be used by our service effective March 10, 2015 and until further notification:

Current and Continuing for North America based and demo accounts
209.67.98.1 through 209.67.98.63
206.25.247.129 through 206.25.247.159
209.46.117.161 through 209.46.117.191
162.248.184.1 through 162.248.187.255
These IP address ranges apply to all of our North American environments: www, NA2, and demo.
These IP address ranges will also apply to our EU1 environment until May 15th, 2015.

New and Incremental for European Union based accounts
185.81.100.1 through 185.81.103.254
This IP address range applies to our EU environment immediately, and to our EU1 endpoint after May 15th, 2015.

Should you have any questions, please don’t hesitate to contact us.
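For customers who allowlist the ranges published in the 02/23/2015 and 04/15/2015 notices above, the ranges are written as "first through last" and several of them do not fall on CIDR boundaries, so rounding them to a single block would admit addresses that were never announced. The following is an added example, not DocuSign's code, that expands the April 2015 list (the February list plus the single host 54.149.21.90) into exact CIDR blocks and checks peer addresses against them.

```python
import ipaddress

# Address ranges exactly as published in the April 2015 notice, which is the
# February 2015 list plus the single host 54.149.21.90.
DOCUSIGN_RANGES_2015_04 = {
    "north_america_and_demo": (
        "209.67.98.1 through 209.67.98.63",
        "206.25.247.129 through 206.25.247.159",
        "209.46.117.161 through 209.46.117.191",
        "162.248.184.1 through 162.248.187.255",
        "54.149.21.90",
    ),
    "eu": (
        "185.81.100.1 through 185.81.103.254",
    ),
}

def parse_range(text):
    """Expand 'first through last' (or a lone address) into exact CIDR blocks.

    Ranges such as 209.67.98.1-63 or 206.25.247.129-159 are not CIDR-aligned,
    so a single rounded block (e.g. 209.67.98.0/26) would include 209.67.98.0,
    which was never announced; summarize_address_range gives the exact cover."""
    ends = [part.strip() for part in text.split("through")]
    first = ipaddress.ip_address(ends[0])
    last = ipaddress.ip_address(ends[-1])
    return list(ipaddress.summarize_address_range(first, last))

def build_allowlist(ranges=DOCUSIGN_RANGES_2015_04):
    """Collapse every published range into a minimal list of networks."""
    nets = [net for group in ranges.values() for text in group for net in parse_range(text)]
    return list(ipaddress.collapse_addresses(nets))

def is_allowed(ip, allowlist):
    """True if the peer address falls inside one of the published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)

def as_cidr_lines(allowlist):
    """One CIDR per line, the form most firewall and ACL tools accept."""
    return [str(net) for net in allowlist]

if __name__ == "__main__":
    allowlist = build_allowlist()
    print("\n".join(as_cidr_lines(allowlist)))
    for probe in ("209.67.98.33", "209.67.98.0", "54.149.21.91"):
        print(probe, "allowed" if is_allowed(probe, allowlist) else "blocked")
```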

Update 2/13/2015 - POODLE

On October 14th, a vulnerability in Secure Sockets Layer (SSL) Version 3 was announced under the name POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption. In December, another variant of the POODLE bug was announced that affected certain versions of Transport Layer Security (TLS). These vulnerabilities affect the way clients and servers secure their communications over a network and can expose information that was previously protected. Both vulnerabilities, CVE-2014-3566 and CVE-2014-8730, have been rated Medium by the National Vulnerability Database.

At the time of the original vulnerability announcement, DocuSign's servers were already configured to prefer TLS and to accept SSLv3 only as a last resort. Upon learning of the issue, we performed a traffic study to understand the impact of disabling SSLv3 support altogether and to ensure the continued availability of our service for all customers. We worked closely with our vendors to test and deploy patches as they were released. We also implemented new configuration options in partnership with our customers to secure the services that connect to their systems.

As of today, DocuSign is happy to report that our TLS services are not vulnerable to CVE-2014-8730. DocuSign is also in the process of a phased disabling of SSLv3 to further mitigate POODLE. We began our transition off the protocol with our outbound services in January. We plan to continue disabling SSLv3 on our DocuSign Demo site on February 23rd and conclude with our Production site on March 23rd. Once SSLv3 has been disabled on our core platform, customers using legacy browsers or unusual configurations may no longer be able to connect to our web servers. Please be aware of these important dates and ensure that all browsers and clients have been updated to recent versions that support the change.

Here are some additional resources and information about these vulnerabilities.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730

https://www.us-cert.gov/ncas/alerts/TA14-290A

https://www.us-cert.gov/ncas/current-activity/2014/12/09/Certain-TLS-Implementations-Vulnerable-POODLE-Attacks

https://www.openssl.org/~bodo/ssl-poodle.pdf
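The FREAK and POODLE updates above describe two server-side weaknesses that can be read straight off a TLS endpoint's configuration: EXPORT cipher suites still offered, and SSLv3 still negotiable. The following is an added example, not DocuSign's code, that audits a constructed protocol-and-cipher-suite configuration for both and produces the hardened version; the TLS variant CVE-2014-8730 is an implementation flaw fixed by vendor patches rather than configuration, so it is outside what such a check can see.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TlsConfig:
    protocols: tuple      # versions the server will negotiate, e.g. ("TLSv1.2", "SSLv3")
    cipher_suites: tuple  # IANA cipher suite names the server offers

# POODLE (CVE-2014-3566) applies to SSLv3; SSLv2 is older still and treated alike.
LEGACY_PROTOCOLS = {"SSLV2", "SSLV3"}

def is_export_suite(name):
    """FREAK targets RSA_EXPORT suites, whose RSA keys are deliberately limited to 512 bits."""
    return "_EXPORT" in name.upper()

def audit(cfg):
    """Return (issue, detail) pairs for the two weaknesses discussed on this page."""
    findings = []
    legacy = [p for p in cfg.protocols if p.upper() in LEGACY_PROTOCOLS]
    if legacy:
        # Preferring TLS is not enough: a client can be forced to fall back to
        # SSLv3, so the protocol has to be switched off, as in the phased plan above.
        findings.append(("POODLE", "legacy protocol still negotiable: " + ", ".join(legacy)))
    export = [c for c in cfg.cipher_suites if is_export_suite(c)]
    if export:
        findings.append(("FREAK", "EXPORT cipher suites offered: " + ", ".join(export)))
    return findings

def harden(cfg):
    """Return a copy of cfg with legacy protocols and EXPORT suites removed."""
    return TlsConfig(
        protocols=tuple(p for p in cfg.protocols if p.upper() not in LEGACY_PROTOCOLS),
        cipher_suites=tuple(c for c in cfg.cipher_suites if not is_export_suite(c)),
    )

# Constructed sample: a server that prefers TLS but still accepts SSLv3 "as a
# last resort" and has never pruned EXPORT suites from its cipher list.
WEAK = TlsConfig(
    protocols=("TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"),
    cipher_suites=(
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    ),
)

if __name__ == "__main__":
    for issue, detail in audit(WEAK):
        print(f"{issue}: {detail}")
    print("after hardening:", audit(harden(WEAK)))
```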