This advisory is provided as a courtesy.
We would like to bring to your attention a newly discovered SSL/TLS security bug called DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) Attack, which can allow attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key.
If you are running HTTPS / SSL websites on your servelet/server, we strongly recommend you to check if your SSL web server is vulnerable to the DROWN attack. The security bug has been assigned bug-ID CVE-2016-0800.
Impact
If you are running a vulnerable HTTPS / SSL websites with SSLv2 protocol enabled, or if you are using SSL/TLS-enabled applications such as POP/IMAP mail server with SSLv2 protocol enabled, your server will be at risk of being hacked and attackers will be able to use vulnerability to steal sensitive information.
Affected Server
Any TLS/SSL server which supports the vulnerable SSLv2 protocol.
Check if Affected
You can use this tool to check if your SSL web server is vulnerable to the DROWN attack. Key in the hostname or IP address and then click on "Check".
How to Fix the Problem
If you are running Linux systems such as Ubuntu, CentOS or Debian, ensure that you are using the latest version of OpenSSL provided by the respective distro's repository. You can do so by installing the latest patches for your operating systems.
On Ubuntu/Debian systems:
sudo apt-get update
sudo apt-get dist-upgrade
and then reboot the system.
On CentOS systems:
yum update
and then reboot the system.
If you are running Apache or nginx web server, please ensure that SSLv2 protocol is disabled. Same applies if you are running TLS/SSL on any other Internet-facing applications, such as mail (POP and IMAP) servers.
On Windows systems, if you are using IIS 7 or newer, SSLv2 protocol is disabled by default. However, if you manually enable SSLv2 protocol, please disable it back. If you are using earlier version of IIS, please upgrade to IIS 7 or higher.
More information
The Drown Attack
Preventing the Drown Attack
Drown Attack On TLS - Everything You Need To Know
Request Assistance
If needed, we can perform the patch installation for you at a one-time discounted fee of $25. Please submit your order at Order -> Additional Services -> Vulnerability Fix: Bash Bug/Shellshock, Windows SCHANNEL, GHOST glibc, FREAK attack, DROWN attack - $25
Or please first open a support ticket and give us the hostname, IP address and OS template. You can find this information on your servelet's control panel.
For example:
Hostname: test-dd
IP Address: 103.25.202.81
OS Template: CentOS 6.5 (64-bit) 20140123a
Thank you.
SimplerCloud Support Team