How to patch DROWN Vulnerability?

What does DROWN stand for?

DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption.

What Exactly is DROWN?

According to Red Hat: “A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.”
Read More: CVE-2016-0800

 

The image below shows an example of a DROWN attack:

[Image: How DROWN vulnerability works]

How can I check if I'm affected by the DROWN vulnerability?
Just go to drownattack.com and test your domain.

The POODLE era didn't end, and we are now introduced to a new attack, “DROWN”. Earlier we had to disable SSLv3 because of the POODLE vulnerability, CVE-2014-3566.

The Patch:

Just disable SSLv2 if there is no use for it. Below are detailed patch methods for different services.

How do I protect my server?

To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS. You can use the form above to check whether your server appears to be exposed to the attack.
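The key-reuse point above, as an added example that is not part of the original post or of drownattack.com: a server that only speaks TLS is still exposed when its private key is also served by another host that accepts SSLv2. The inventory format, column names and hosts below are assumptions constructed for illustration; the key is identified by a hash of the public key, not of the certificate, because a reissued certificate can carry the same key.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory (not real hosts): endpoint, service, SHA-256 of the
# RSA public key it presents (shortened here), and the protocols it accepts.
SAMPLE_INVENTORY = """\
endpoint,service,key_sha256,protocols
www.example.test:443,https,aa11,TLSv1.2
mail.example.test:25,smtp,aa11,SSLv2;TLSv1.0
imap.example.test:993,imaps,aa11,TLSv1.2
shop.example.test:443,https,bb22,TLSv1.1;TLSv1.2
legacy.example.test:443,https,cc33,SSLv2;SSLv3
"""


def drown_exposure(inventory_csv):
    """Return {endpoint: status}. Status is 'direct' (endpoint accepts SSLv2),
    'key-reuse' (no SSLv2 here, but the same key is served over SSLv2
    elsewhere) or 'ok' (key not offered over SSLv2 anywhere in the inventory)."""
    by_key = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        protocols = {p.strip().upper() for p in row["protocols"].split(";")}
        by_key[row["key_sha256"].strip().lower()].append(
            (row["endpoint"], "SSLV2" in protocols))

    status = {}
    for endpoints in by_key.values():
        # One SSLv2 listener is enough to expose every endpoint using this key.
        key_on_sslv2 = any(has_v2 for _, has_v2 in endpoints)
        for endpoint, has_v2 in endpoints:
            if has_v2:
                status[endpoint] = "direct"
            elif key_on_sslv2:
                status[endpoint] = "key-reuse"
            else:
                status[endpoint] = "ok"
    return status


if __name__ == "__main__":
    for endpoint, state in sorted(drown_exposure(SAMPLE_INVENTORY).items()):
        print(f"{state:10} {endpoint}")
```

Endpoints reported as key-reuse are fixed by disabling SSLv2 on the host reported as direct for the same key, not by changing the TLS-only server.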

Disabling SSLv2 can be complicated and depends on the specific server software. We provide instructions here for several common products:

OpenSSL: OpenSSL is a cryptographic library used in many server products. For users of OpenSSL, the easiest and recommended solution is to upgrade to a recent OpenSSL version. OpenSSL 1.0.2 users should upgrade to 1.0.2g. OpenSSL 1.0.1 users should upgrade to 1.0.1s. Users of older OpenSSL versions should upgrade to either one of these versions. More details can be found in this OpenSSL blog post.

Microsoft IIS (Windows Server): IIS versions 7.0 and above should have SSLv2 disabled by default. (A small number of users may have enabled SSLv2 manually and will need to take steps to disable it.) We still recommend checking whether your private key is exposed elsewhere, using the form above. IIS versions below 7.0 are no longer supported by Microsoft and should be upgraded to supported versions.

Network Security Services (NSS): NSS is a common cryptographic library built into many server products. NSS versions 3.13 (released back in 2012) and above should have SSLv2 disabled by default. (A small number of users may have enabled SSLv2 manually and will need to take steps to disable it.) Users of older versions should upgrade to a more recent version. We still recommend checking whether your private key is exposed elsewhere, using the form above.

Other affected software and operating systems:
Instructions for: Apache, Postfix, Nginx

Browsers and other clients: There is nothing practical that web browsers or other client software can do to prevent DROWN. Only server operators are able to take action to protect against the attack.

Thanks to drownattack.com for giving a detailed description of this vulnerability.

Huge shoutout to the team that found the DROWN vulnerability:
Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt.
