How to Resist DROWN Attack in Servers – Fix SSL vulnerability for LANE (Linux, Apache, Nginx) and Servers serve SSL

SSL DROWN ATTACK Fix - Proudly By DigitalOcean.Name

The DROWN attack is a cross-protocol security bug that attacks servers supporting modern TLS protocol suites by using their support for the obsolete, insecure, SSL v2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.
A new SSL vulnerability called DROWN (Decrypting RSA with Obsolete and Weakened Encryption) was disclosed by security researchers. This vulnerability (aka CVE-2016-0800) allows attackers to decrypt even strong TLS v.1.2 connections, if the server supports the obsolete SSL v.2 protocol is revealed in March 1, 2016. 

As reports filter in, it is known that even large websites such as Yahoo, Samsung, Alibaba, etc. are affected by this vulnerability.

Your server might be affected if you have NOT EXPLICITLY DISABLED SSLv2.

SO, Are You Vulnerable? Find Out Now

we are using an SSL scanning tool called SSLyze to check if SSL v.2 ciphers are supported. We use this tool because we’ve seen that other ways of verifying weak ciphers (like openssl client connect, nmap, etc.) may not be 100% accurate.

Open Your SSH and write the following

 
dovpd # sslyze_cli.py –sslv2 #server_IP

It’ll Return

 
SCAN RESULTS FOR #server_IP 
—————————————————— *
Rejected:
TLS_RSA_WITH_NULL_MD5 TCP / Received RST
SSL_CK_RC4_64_WITH_MD5 TCP / Received RST
SSL_CK_RC4_128_WITH_MD5 TCP / Received RST
SSL_CK_RC4_128_EXPORT40_WITH_MD5 TCP / Received RST
SSL_CK_RC2_128_CBC_WITH_MD5 TCP / Received RST
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 TCP / Received RST
SSL_CK_IDEA_128_CBC_WITH_MD5 TCP / Received RST
SSL_CK_DES_64_CBC_WITH_MD5 TCP / Received RST
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 TCP / Received RST

This means, all SSLv2 requests were rejected.

But, if your server is vulnerable, something like the following will be shown:

 
SCAN RESULTS FOR #Server_IP
--------------------------------------------------
* SSLV2 Cipher Suites:
Preferred:
SSL_CK_RC2_128_CBC_WITH_MD5 - 128 bits
Accepted:
SSL_CK_RC4_128_WITH_MD5 - 128 bits
SSL_CK_RC2_128_CBC_WITH_MD5 - 128 bits
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 - 112 bits
SSL_CK_DES_64_CBC_WITH_MD5 - 56 bits
SSL_CK_RC4_128_EXPORT40_WITH_MD5 - 40 bits
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 - 40 bits

This command command checks if SSLv2 is enabled in port 443.

In the servers we maintain, the same was repeated on all ports, such as 465 (SSL-SMTP), 993 (SSL-IMAP), 995(SSL-POP3), etc. A server is vulnerable to DROWN if ANY port in the server has SSLv2 available.

Leave a Reply

Your email address will not be published. Required fields are marked *