
How to Prevent SSL DROWN

DROWN (Decrypting RSA with Obsolete and Weakened encryption) is an attack on the old SSL v2 protocol version. Read here how you can prevent SSL DROWN.

DROWN Vulnerability Information

The DROWN attack was officially announced by a group of security researchers in March 2016 and was assigned CVE-2016-0800. The full technical description of the attack is available in the DROWN: Breaking TLS using SSLv2 paper. 

DROWN combines several tactics to achieve its goal. First, it is a cross-protocol attack: part of its strategy is to use the differences between protocol versions so that a vulnerability present in the SSLv2 protocol can be turned against connections made with newer versions.

Second, it is a Bleichenbacher padding oracle attack (i.e., a chosen-ciphertext attack). Once the attacker has exploited the cross-protocol weakness, they send thousands of modified handshake messages to the server and monitor its responses. Because of how the server responds to an RSA key exchange under SSLv2, the attacker gradually recovers pieces of the session key until it is revealed entirely. Every server that still accepts SSLv2, including websites and mail servers, is therefore at risk. 

There are two main types of DROWN attack – a general DROWN attack and a special DROWN attack. 

The general DROWN attack exploits the RSA encryption of the master secret in SSLv2, whereas the special DROWN attack exploits an OpenSSL vulnerability in its implementation of SSLv2. As a result, the latter attack is significantly more accessible, cheaper, and faster to execute. 

Prevention of the DROWN Vulnerability

To avoid being exposed to a DROWN attack, server operators must make sure that their server does not support any SSLv2 cipher suites. They must also ensure that the server's private key is not shared with any other service that still accepts SSLv2 connections, such as other web servers or email servers (SMTP, IMAP or POP), because an SSLv2-enabled service using the same key exposes every service that uses it. 
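As an added example (not Crashtest Security's own tooling), the following Python script verifies the check above against a server you operate: it sends a minimal SSLv2 CLIENT-HELLO and parses the reply, since a correctly configured server answers with a TLS alert or closes the connection instead of returning an SSLv2 SERVER-HELLO. The host, port and timeout values are assumptions, and the reply bytes used for checking the parser are constructed.

```python
import socket
import struct

# SSLv2 cipher-kind identifiers (3 bytes each, from the SSLv2 draft spec)
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (b"\x01"                       # message type CLIENT-HELLO
            + b"\x00\x02"                 # protocol version SSLv2
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)        # cipher specs, no session id, challenge
    # 2-byte record header: high bit set, 15-bit record length, no padding
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data):
    """Return the cipher kinds listed in an SSLv2 SERVER-HELLO, or None when
    the reply is not one (a TLS alert, an empty reply, or anything else)."""
    if len(data) < 13 or not data[0] & 0x80 or data[2] != 0x04:
        return None
    version, cert_len, cs_len, _conn_len = struct.unpack(">HHHH", data[5:13])
    if version != 0x0002:
        return None
    specs = data[13 + cert_len: 13 + cert_len + cs_len]   # cipher specs follow the cert
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)]

def probe_sslv2(host, port=443, timeout=5.0):
    """Connect to a server you administer; an empty list means SSLv2 is refused."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        data = b""
        try:
            while len(data) < 8192:          # a SERVER-HELLO carries the certificate
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, ConnectionError):
            pass                             # closed or silent: not an SSLv2 answer
    return parse_sslv2_server_hello(data) or []
```

Call `probe_sslv2("your.host.example")` for each service that shares the key (HTTPS, SMTP with implicit TLS, IMAPS, POP3S) and treat any non-empty result as a finding.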

To learn more about preventing DROWN and similar vulnerabilities, refer to the guide on securing your TLS configuration.

To prevent DROWN, do not use the deprecated SSL v2 protocol version. Therefore refer to

For more information about Crashtest Security, visit crashtest-security.com.