Showing posts with label SSLv2. Show all posts
Showing posts with label SSLv2. Show all posts

Tuesday, May 17, 2016

DROWN Attack Vulnerability

Brief Explanation and solution for Drown vulnerability




DROWN Vulnerability CVE-2016-0800 [1st Mar 2016]

Description:
 DROWN (Decrypting RSA with Obsolete and Weakened eNcryption)  is a vulnerability that affects services that rely on SSL and TLS. The attack exploits a flaw in SSLv2 that allows the attacker to decrypt communications that use SSL or TLS. DROWN is a cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date clients. Unlike other SSL vulnerabilities, DROWN only requires that SSLv2 be enabled on the attacked system and not that SSLv2 be used for communications.

Servers are vulnerable to DROWN if they allow SSLv2 connections, which can be enabled due to misconfiguration or overlooked default settings. Servers can also be vulnerable if they use a private key that is used by any other server that has SSLv2 enabled. Since certificates are commonly reused, a single system with SSLv2 enabled can expose other servers to the same risk


Recommendations

  • Disable support for SSLv2 and EXPORT ciphers on all services using SSL. In addition to websites supporting HTTPS, mail servers are commonly affected.
  • Servers using OpenSSL should be upgraded to 1.0.2g or 1.0.1s, which disables SSLv2 and the export cipher suites by default.
  • Ensure that your server’s private keys are not used on any other server supporting SSLv2.