Brief Explanation and solution for Drown vulnerability
DROWN Vulnerability CVE-2016-0800 [1st Mar 2016]
Description:
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a vulnerability that affects services that rely on SSL and TLS. The attack exploits a flaw in SSLv2 that allows the attacker to decrypt communications that use SSL or TLS. DROWN is a cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date clients. Unlike other SSL vulnerabilities, DROWN only requires that SSLv2 be enabled on the attacked system, not that SSLv2 be used for the communications themselves.

Servers are vulnerable to DROWN if they allow SSLv2 connections, which can be enabled due to misconfiguration or overlooked default settings. Servers can also be vulnerable if their private key is shared with any other server that has SSLv2 enabled. Since certificates are commonly reused, a single system with SSLv2 enabled can expose other servers to the same risk.
Recommendations:
- Disable support for SSLv2 and EXPORT ciphers on all services using SSL. In addition to websites supporting HTTPS, mail servers are commonly affected.
- Servers using OpenSSL should be upgraded to 1.0.2g or 1.0.1s, which disable SSLv2 and the export cipher suites by default.
- Ensure that your server's private keys are not used on any other server supporting SSLv2.
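To verify the recommendations above on your own servers, the following added example (not part of the original advisory) sends a minimal SSLv2 CLIENT-HELLO and parses the SERVER-HELLO, so a non-None result means SSLv2 is still enabled and the cipher list shows whether EXPORT kinds are offered. The host, port and the sample SERVER-HELLO bytes are constructed assumptions; the cipher-kind codes are those of the SSLv2 specification.

```python
import os
import socket
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each); the EXPORT40 kinds are the weakened ciphers DROWN abuses.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello() -> bytes:
    """SSLv2 CLIENT-HELLO (2-byte record header) offering every SSLv2 cipher kind."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (b"\x01\x00\x02" + struct.pack(">HHH", len(ciphers), 0, 16)  # type 1, version 2, lengths
            + ciphers + os.urandom(16))                                 # cipher kinds + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data: bytes):
    """Return {'version', 'ciphers', 'cert_der'} if data is an SSLv2 SERVER-HELLO, else None."""
    hdr = int.from_bytes(data[:2], "big")
    # 2-byte header carries a 15-bit length; 3-byte header a 14-bit length plus a padding byte
    body = data[2:2 + (hdr & 0x7FFF)] if hdr & 0x8000 else data[3:3 + (hdr & 0x3FFF)]
    if len(body) < 11 or body[0] != 0x04 or body[3:5] != b"\x00\x02":  # type 4, version 0x0002
        return None
    cert_len, cs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + cs_len]
    ciphers = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs), 3)]
    return {"version": 2, "ciphers": ciphers, "cert_der": body[11:11 + cert_len]}

def check_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Probe one of your own servers; a non-None result means SSLv2 is still enabled there."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(16384)  # SERVER-HELLO with certificate; silence or a close means no SSLv2
        except socket.timeout:
            data = b""
    return parse_server_hello(data)

# Constructed sample SERVER-HELLO: fake 5-byte "certificate", two cipher kinds, 16-byte connection id
SAMPLE_SERVER_HELLO = (b"\x80\x26\x04\x00\x01\x00\x02\x00\x05\x00\x06\x00\x10"
                       + b"\x30\x03\x02\x01\x01" + b"\x01\x00\x80\x02\x00\x80" + b"\xaa" * 16)
```

Hashing the returned cert_der from every SSLv2-enabled host and comparing it with the certificates your TLS services present is one way to catch the shared-key case in the third recommendation.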