DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a serious vulnerability that affects HTTPS and other secure servers that rely on SSL and TLS. DROWN allows attackers to break the encryption and read or steal sensitive communications, such as passwords and credit card numbers. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key. By capturing the key from the SSLv2-using server, communication with the TLS-using server is compromised.
Severity
High
CVE Number
CVE-2016-0800
What is affected?
OpenSSL, Web servers, SMTP servers, IMAP and POP servers, and any other software, Linux or Windows, that supports SSL/TLS.
How to check if my site is vulnerable?
https://drownattack.com/#check
Please note that the vulnerability checker will not reflect the updated status after the vulnerability has been remediated.
You can also use the following link to check whether your site supports SSLv2:
https://www.ssllabs.com/ssltest
How to remediate?
If you have any servers (HTTPS, SMTPS, POP3S, IMAPS, etc.) that are configured to allow SSLv2 connections, disable SSLv2 support on that server.
If you do not have servers configured to allow SSLv2 connections, apply the latest security patch for CVE-2016-0800.
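The check below is an added example, not code from the advisory or from any of the linked projects. It reads Apache 2.2-style mod_ssl settings, works out whether each host still offers SSLv2, and flags TLS-only hosts whose key file is also used by an SSLv2 host. The host names, key paths and function names are made up for the example, and it assumes that a matching SSLCertificateKeyFile path means a shared private key.

```python
import re

# Constructed sample: Apache 2.2-style mod_ssl settings for three made-up hosts.
SAMPLE = {
    "mail.example.test": "SSLProtocol all\nSSLCertificateKeyFile /etc/ssl/private/shared.key\n",
    "www.example.test": "# hardened\nSSLProtocol all -SSLv2 -SSLv3\n"
                        "SSLCertificateKeyFile /etc/ssl/private/shared.key\n",
    "api.example.test": "SSLProtocol -all +TLSv1\nSSLCertificateKeyFile /etc/ssl/private/api.key\n",
}

# Apache 2.2 mod_ssl documents "all" as a shortcut for +SSLv2 +SSLv3 +TLSv1.
ALL_2_2 = frozenset({"sslv2", "sslv3", "tlsv1"})

def enabled_protocols(args):
    """Evaluate SSLProtocol tokens left to right: '+' adds, '-' removes,
    and an unsigned token replaces the set (assumed mod_ssl behaviour)."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        names = ALL_2_2 if name == "all" else {name}
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = set(names)
    return enabled

def directive(conf, name, default=None):
    """Return the arguments of the last uncommented occurrence of a directive."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf, re.M | re.I)
    return hits[-1] if hits else default

def drown_audit(configs):
    """Classify each host: 'sslv2' (offers SSLv2 itself), 'shared-key' (TLS-only
    but its key file is also used by an SSLv2 host), or 'ok'."""
    # A missing SSLProtocol line falls back to the 2.2 default, "all".
    facts = {h: ("sslv2" in enabled_protocols(directive(c, "SSLProtocol", "all")),
                 directive(c, "SSLCertificateKeyFile"))
             for h, c in configs.items()}
    weak_keys = {key for v2, key in facts.values() if v2 and key}
    return {h: "sslv2" if v2 else "shared-key" if key in weak_keys else "ok"
            for h, (v2, key) in facts.items()}

if __name__ == "__main__":
    for host, status in sorted(drown_audit(SAMPLE).items()):
        print(f"{host:20} {status}")
```

A host reported as shared-key is not fixed by its own configuration; SSLv2 has to be disabled on every server that uses that key. The same key can also sit under different paths or on different machines, so a real inventory should compare public key fingerprints rather than file names.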
Details
Useful links
- https://www.openssl.org/news/secadv/20160301.txt
- https://access.redhat.com/security/cve/cve-2016-0800
- https://security-tracker.debian.org/tracker/CVE-2016-0800
- https://www.suse.com/security/cve/CVE-2016-0800.html
- https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol
- https://www.us-cert.gov/ncas/current-activity/2016/03/01/OpenSSL-Releases-Security-Advisory
- https://mozilla.github.io/server-side-tls/ssl-config-generator/
- https://bettercrypto.org/
- https://blog.qualys.com/securitylabs/2016/03/01/drown-abuses-ssl-v2-to-attack-rsa-keys-and-tls