DROWN Vulnerability

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a serious vulnerability that affects HTTPS and other secure servers that rely on SSL and TLS. DROWN allows attackers to break the encryption and read or steal sensitive communications, such as passwords and credit card numbers. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key. Once an attacker captures the key from the SSLv2-using server, communication with the TLS-using server is compromised.

Severity

High

CVE Number

CVE-2016-0800

What is affected?

OpenSSL, Web servers, SMTP servers, IMAP and POP servers, and any other software, Linux or Windows, that supports SSL/TLS.

How to check if my site is vulnerable?

https://drownattack.com/#check

Please note that the vulnerability checker will not reflect the updated status after the vulnerability has been remediated.

You can also use the following link to check whether your site supports SSLv2:
https://www.ssllabs.com/ssltest

How to remediate?

If you have any servers (HTTPS, SMTPS, POP3S, IMAPS, etc.) that are configured to allow SSLv2 connections, disable SSLv2 support on that server.

If you do not have servers configured to allow SSLv2 connections, apply the latest security patch for CVE-2016-0800.
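
Because a TLS-only server is exposed whenever another server that supports SSLv2 uses the same private key, remediation has to cover every service that shares a key. The following is an added example, not part of the original advisory: it groups a constructed inventory by key and lists every endpoint that needs attention. The hostnames, the key labels (KEY-A and so on) and the Endpoint fields are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Endpoint(NamedTuple):
    host: str      # hypothetical hostname
    port: int
    key_fp: str    # placeholder label for the private key the service uses
    sslv2: bool    # True if a scan showed the service accepts SSLv2


# Constructed inventory, e.g. assembled by hand from scanner results.
INVENTORY = [
    Endpoint("www.example.test", 443, "KEY-A", False),
    Endpoint("mail.example.test", 25, "KEY-A", True),
    Endpoint("mail.example.test", 993, "KEY-A", False),
    Endpoint("shop.example.test", 443, "KEY-B", False),
    Endpoint("legacy.example.test", 443, "KEY-C", True),
]


def drown_exposure(inventory):
    """Return {endpoint: action} for every endpoint affected by DROWN."""
    by_key = defaultdict(list)
    for ep in inventory:
        by_key[ep.key_fp].append(ep)

    findings = {}
    for group in by_key.values():
        sslv2_services = [ep for ep in group if ep.sslv2]
        if not sslv2_services:
            continue  # no SSLv2-enabled service uses this key
        names = ", ".join(f"{s.host}:{s.port}" for s in sslv2_services)
        for ep in group:
            if ep.sslv2:
                findings[ep] = "disable SSLv2 on this service"
            else:
                # TLS-only, but shares its key with an SSLv2-enabled service
                findings[ep] = f"exposed via shared key with {names}"
    return findings


if __name__ == "__main__":
    for ep, action in drown_exposure(INVENTORY).items():
        print(f"{ep.host}:{ep.port} [{ep.key_fp}] {action}")
```
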

Details

https://drownattack.com

Useful links