The Drown Attack – CVE-2016-0800

March 1, 2016

Today, a co-worker alerted me to the ‘drown attack’. DROWN is an acronym for “Decrypting RSA with Obsolete and Weakened eNcryption”. It is a variation on an older vulnerability and builds upon it. It has been assigned CVE-2016-0800.

According to the DROWN site, even if your web server has SSLv2 disabled, it is still vulnerable if you’re using that same private key on your mail server and have SSLv2 enabled there. In other words, as long as one server housing your private key accepts SSLv2, all other servers using that key are vulnerable.

The attack exploits a weakness in the SSLv2 protocol – which shouldn’t be enabled on your servers anyway. It’s like saying “A criminal broke into my house – my door was shut but not locked”.


How to make sure you’re safe


The main issue is that if your private key is used on ANY server with SSLv2 enabled, then you’re vulnerable on EVERY server that uses it. Make sure you aren’t supporting SSLv2 on ANY server that your private key resides on until you patch openssl on your servers.


Testing your server(s) for SSLv2:


You can use a web-based tool such as SSL Labs, or you can test from the command line like:

It should give you something similar to:

While you’re at it, you may as well ensure that SSLv3 is disabled on your servers too, to thwart the POODLE vulnerability from just over a year ago. Simply replace ‘ssl2’ with ‘ssl3’ in the above command.
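The shared-key rule from “How to make sure you’re safe” can be checked mechanically once every server has been tested. The script below is an added example, not part of the original post: it takes an inventory of host, public-key fingerprint and SSLv2 test result, and marks every host whose key also lives on a server that accepts SSLv2. The hostnames, the `KEY-*` fingerprints and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Inventory columns:
#   host:port   public-key fingerprint   SSLv2 accepted (yes/no)
# One way to fill the fingerprint column for each deployed certificate:
#   openssl x509 -in cert.pem -noout -pubkey | openssl dgst -sha256
# The SSLv2 column is the result of the per-host protocol test.

# Constructed sample inventory (placeholder hosts and fingerprints).
sample_inventory() {
cat <<'EOF'
# host                key    sslv2
www.example.com:443   KEY-A  no
mail.example.com:465  KEY-A  yes
api.example.com:443   KEY-B  no
old.example.com:443   KEY-C  yes
EOF
}

# Reads the inventory on stdin and prints "host status via" per host:
#   DIRECT      the host itself accepts SSLv2
#   SHARED-KEY  SSLv2 is off here, but the same key is on an SSLv2 host
#   OK          no server holding this key accepts SSLv2
drown_exposed() {
    awk '
        NF < 3 || $1 ~ /^#/ { next }          # skip comments and short lines
        {
            host[NR] = $1; key[NR] = $2; v2[NR] = $3; n = NR
            if ($3 == "yes")                   # remember who exposes each key
                leak[$2] = (leak[$2] == "" ? $1 : leak[$2] "," $1)
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!(i in host)) continue
                if (v2[i] == "yes")        print host[i], "DIRECT", host[i]
                else if (key[i] in leak)   print host[i], "SHARED-KEY", leak[key[i]]
                else                       print host[i], "OK", "-"
            }
        }'
}

sample_inventory | drown_exposed
```

Any host reported as `SHARED-KEY` stays exposed until SSLv2 is disabled on the server named in the third column, even though its own test result is clean.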


Updated OpenSSL package


openssl is affected on RHEL/CentOS 5, 6 and 7. A patch for openssl will be available later today, as mentioned on Red Hat’s Errata site.

You can update your version of openssl by typing the following command:

The following versions patch DROWN:

RHEL/CentOS 5

RHEL/CentOS 6

RHEL/CentOS 7


More info
https://lists.centos.org/pipermail/centos-announce/2016-March/thread.html
https://access.redhat.com/security/vulnerabilities/drown
https://rhn.redhat.com/errata/RHSA-2016-0301.html
https://lwn.net/Alerts/678124/
https://access.redhat.com/security/cve/cve-2016-0800



