SimplerCloud Pte Ltd


News: Security Advisory: DROWN Attack SSL/TLS Vulnerability

Published: 04/03/2016

This advisory is provided as a courtesy.

We would like to bring to your attention a newly discovered SSL/TLS security bug called the DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack, which can allow an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key.


If you are running HTTPS / SSL websites on your servelet/server, we strongly recommend that you check whether your SSL web server is vulnerable to the DROWN attack. The security bug has been assigned CVE-2016-0800.

Impact

If you are running vulnerable HTTPS / SSL websites with the SSLv2 protocol enabled, or SSL/TLS-enabled applications such as POP/IMAP mail servers with the SSLv2 protocol enabled, your server is at risk of being hacked: attackers can use the vulnerability to steal sensitive information.

Affected Server

Any TLS/SSL server which supports the vulnerable SSLv2 protocol.

Check if Affected

You can use this tool to check if your SSL web server is vulnerable to the DROWN attack. Key in the hostname or IP address and then click on "Check".


How to Fix the Problem


If you are running Linux systems such as Ubuntu, CentOS or Debian, ensure that you are using the latest version of OpenSSL provided by the respective distro's repository. You can do so by installing the latest patches for your operating system.


On Ubuntu/Debian systems:

sudo apt-get update
sudo apt-get dist-upgrade

and then reboot the system.

On CentOS systems:

yum update

and then reboot the system.


If you are running an Apache or nginx web server, please ensure that the SSLv2 protocol is disabled. The same applies if you are running TLS/SSL on any other Internet-facing application, such as mail (POP and IMAP) servers.
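As an added example (not part of this advisory), the POSIX shell script below audits Apache "SSLProtocol" and nginx "ssl_protocols" directives for SSLv2 and reports each file as OK or WEAK. It only reads configuration text from constructed sample files under a temporary directory; it does not probe a server and is no substitute for updating OpenSSL and using the online check above.

```shell
#!/bin/sh
# Added example (not from the advisory): static audit of Apache "SSLProtocol"
# and nginx "ssl_protocols" directives for SSLv2. Reads config text only;
# it does not connect to anything. Sample file paths below are hypothetical.

# apache_sslv2_ok FILE: exit 0 if no SSLProtocol line leaves SSLv2 enabled.
# On older Apache/OpenSSL builds "all", "+all", "SSLv2" or "+SSLv2" can
# include SSLv2 unless the same line also carries "-SSLv2".
apache_sslv2_ok() {
  awk '
    tolower($1) == "sslprotocol" {
      on = 0; off = 0
      for (i = 2; i <= NF; i++) {
        t = tolower($i)
        if (substr(t, 1, 1) == "#") break        # inline comment
        if (t == "-sslv2") off = 1
        else if (t == "all" || t == "+all" || t == "sslv2" || t == "+sslv2") on = 1
      }
      if (on && !off) bad = 1
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}
# nginx_sslv2_ok FILE: exit 0 unless an ssl_protocols line lists SSLv2.
nginx_sslv2_ok() {
  awk '
    tolower($1) == "ssl_protocols" {
      for (i = 2; i <= NF; i++) {
        t = tolower($i); sub(/;$/, "", t)      # drop the trailing ";"
        if (substr(t, 1, 1) == "#") break
        if (t == "sslv2") bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Constructed sample configurations (not real server files).
SAMPLES=$(mktemp -d)
printf 'SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n' > "$SAMPLES/apache-fixed.conf"
printf 'SSLEngine on\nSSLProtocol all\n' > "$SAMPLES/apache-weak.conf"
printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$SAMPLES/nginx-fixed.conf"
printf 'ssl_protocols SSLv2 SSLv3 TLSv1;\n' > "$SAMPLES/nginx-weak.conf"

for f in "$SAMPLES"/*.conf; do
  case $f in *apache*) chk=apache_sslv2_ok ;; *) chk=nginx_sslv2_ok ;; esac
  if "$chk" "$f"; then echo "OK   $f"; else echo "WEAK $f"; fi
done
```

Point the two functions at your real httpd or nginx configuration files (including any included vhost files) to audit a live server's directives.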


On Windows systems, if you are using IIS 7 or newer, the SSLv2 protocol is disabled by default. However, if you have manually enabled the SSLv2 protocol, please disable it again. If you are using an earlier version of IIS, please upgrade to IIS 7 or higher.


More information


The Drown Attack
Preventing the Drown Attack
Drown Attack On TLS - Everything You Need To Know


Request Assistance

If needed, we can perform the patch installation for you at a one-time discounted fee of $25. Please submit your order at Order -> Additional Services -> Vulnerability Fix: Bash Bug/Shellshock, Windows SCHANNEL, GHOST glibc, FREAK attack, DROWN attack - $25

Or please first open a support ticket and give us the hostname, IP address and OS template. You can find this information on your servelet's control panel.

For example:

Hostname: test-dd
IP Address: 103.25.202.81
OS Template: CentOS 6.5 (64-bit) 20140123a

Thank you.

SimplerCloud Support Team