DROWN - Security vulnerability exploiting the SSLv2 protocol

DROWN is a recently published MitM (Man in the Middle) attack that uses principles similar to the Bleichenbacher attack (discovered in 1998) and targets protocols built on SSL/TLS. It allows an attacker to break the server's encryption, and therefore to intercept all client-server communication, by abusing SSLv2 support left enabled on the server.

Who is impacted?

This concerns any server that allows SSLv2, including servers on which the vulnerable ciphers are disabled, and it concerns every protocol that uses SSL/TLS for encryption. Exploiting this vulnerability allows access to the private key, so a correctly configured server that re-uses a key also installed on a vulnerable server is exposed as well.

In addition, OpenSSL versions older than 1.0.1f and 1.0.2g are especially vulnerable because of a bug that allows the disabled vulnerable ciphers to be used with the DROWN attack, which makes the vulnerability exploitable in minutes on consumer-grade hardware.

How to defend against the DROWN attack?

The only solution is to disable the SSLv2 protocol.

For OpenSSL users, migrating to version 1.0.1f or 1.0.2g or later is strongly advised.
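A way to verify that the fix actually took effect, as an added example that is not part of the original page: the script below sends an SSLv2 CLIENT-HELLO to a server you administer and reports whether it answers with an SSLv2 SERVER-HELLO and which SSLv2 cipher specs it lists (a correctly configured server returns nothing parseable as SSLv2). The record layout and cipher identifiers follow the SSLv2 draft specification; `probe`, `build_client_hello` and `parse_server_hello` are names chosen here, not part of any tool.

```python
import os
import socket
import struct

SSLV2_CLIENT_HELLO, SSLV2_SERVER_HELLO = 0x01, 0x04

# The seven cipher specs defined by SSLv2 (3-byte identifiers).
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher, no session id, 16-byte challenge."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS.keys())
    body = struct.pack(">BHHHH", SSLV2_CLIENT_HELLO, 0x0002,  # msg type, version 2
                       len(ciphers), 0, len(challenge)) + ciphers + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # header: high bit + 15-bit length

def parse_server_hello(record):
    """Cipher specs listed in an SSLv2 SERVER-HELLO; None if the reply is not SSLv2 (e.g. a TLS alert)."""
    if len(record) < 2 or not record[0] & 0x80:  # an SSLv2 2-byte header has the high bit set
        return None
    body = record[2:2 + (((record[0] & 0x7f) << 8) | record[1])]
    if len(body) < 11 or body[0] != SSLV2_SERVER_HELLO:
        return None
    # msg type, session-id hit, cert type, version, cert len, cipher-specs len, conn-id len
    _, _, _, _, cert_len, cs_len, _ = struct.unpack(">BBBHHHH", body[:11])
    specs = body[11 + cert_len:11 + cert_len + cs_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs) - 2, 3)]

def probe(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a server you administer. None: SSLv2 refused; []: accepted but no
    ciphers offered; non-empty list: SSLv2 negotiable, so the server still needs to be fixed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        while len(data) < 2 or (data[0] & 0x80 and len(data) < 2 + (((data[0] & 0x7f) << 8) | data[1])):
            chunk = sock.recv(4096)  # keep reading until the whole SSLv2 record is in
            if not chunk:
                break
            data += chunk
        return parse_server_hello(data)
```

Run `probe("your.host.example")` against each server after disabling SSLv2; anything other than `None` means the change has not been applied everywhere (also check non-HTTPS services such as SMTP, IMAP and POP3 on their TLS ports).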

Useful resources