Critical OpenSSL vulnerabilities - DROWN CVE-2016-0800

Posted: May 14th, 2017

Description:

DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS. This vulnerability allows attackers to break the encryption and read or steal sensitive communications.

Who is vulnerable?

A server is vulnerable to DROWN if:

    > It allows SSLv2 connections.

    > Its private key is used on any other server that allows SSLv2 connections, even for another protocol.
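The second condition is the one that is easy to miss: a host that never speaks SSLv2 is still exposed if its key is shared with one that does. The following shell script is an added example, not part of this advisory; it applies both conditions to a key inventory you collect yourself. The inventory format, host names and fingerprints are all assumptions made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the advisory. Applies the two DROWN conditions
# to an inventory you build yourself: an endpoint is exposed if it accepts
# SSLv2, or if its key (identified by fingerprint) is also used by any
# endpoint that accepts SSLv2, even on another protocol or port.
#
# Assumed inventory format, one line per TLS endpoint, space-separated:
#   <host:port> <key-fingerprint> <accepts-sslv2: yes|no>
# Any stable per-key identifier works as the fingerprint (for example a
# hash of the leaf certificate's public key).

drown_report() {
    # $1: inventory file. Prints one line per exposed endpoint:
    #   <host:port> DIRECT            (accepts SSLv2 itself)
    #   <host:port> VIA <host:port>   (shares a key with an SSLv2 endpoint)
    awk '
        /^#/ || NF < 3 { next }            # skip comments and malformed lines
        {
            host[NR] = $1; fp[NR] = $2; v2[NR] = ($3 == "yes")
            # remember the first SSLv2-enabled endpoint seen for each key
            if (v2[NR] && !(fp[NR] in exposed)) exposed[fp[NR]] = $1
        }
        END {
            for (i = 1; i <= NR; i++) {
                if (!(i in host)) continue
                if (v2[i]) print host[i], "DIRECT"
                else if (fp[i] in exposed) print host[i], "VIA", exposed[fp[i]]
            }
        }
    ' "$1"
}

# Constructed demo inventory (hosts and fingerprints are made up): web1 never
# speaks SSLv2 but shares its key with an SMTPS endpoint that does, so it is
# exposed too; web2 uses a key of its own and is not reported.
drown_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
web1.example.test:443  SHA256:AAAA no
mail1.example.test:465 SHA256:AAAA yes
web2.example.test:443  SHA256:BBBB no
EOF
    drown_report "$tmp"
    rm -f "$tmp"
}

drown_demo
```

Populate the inventory from your own certificate and service scans; the script only reasons over what you feed it.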

Other, less critical OpenSSL vulnerabilities were disclosed at the same time and are explained here:

https://www.openssl.org/news/secadv/20160301.txt

Specific to Operating System:

Before updating, verify that a patched version of OpenSSL has been released for your operating system version:

Red Hat and CentOS

https://access.redhat.com/security/vulnerabilities/drown

Debian

https://security-tracker.debian.org/tracker/CVE-2016-0800

https://www.debian.org/security/2016/dsa-3500

Ubuntu

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0800.html

While Ubuntu is not affected by CVE-2016-0800, it is affected by CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798 and CVE-2016-0799, so the OpenSSL package should still be updated:

http://www.ubuntu.com/usn/usn-2914-1/

Windows Server with Microsoft IIS

IIS versions 7.0 and above have SSLv2 disabled by default. IIS versions below 7.0 are no longer supported by Microsoft and should be upgraded to a supported version.

Resolution:

On CentOS and Red Hat Enterprise Linux, run:

        yum clean all
        yum update openssl
        reboot

On Ubuntu and Debian, run:

        sudo apt-get update
        sudo apt-get install openssl
        reboot


We suggest that you subscribe to your OS security announcement list at the following URLs:

Red Hat - RHSA-announce (http://www.redhat.com/mailman/listinfo/rhsa-announce)

CentOS - CentOS-announce (https://lists.centos.org/mailman/listinfo/centos-announce)

Ubuntu - ubuntu-security-announce (https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce)

Debian - debian-security-announce (https://lists.debian.org/debian-security-announce/)


References:

https://drownattack.com/

https://www.openssl.org/news/secadv/20160301.txt

https://access.redhat.com/security/vulnerabilities/drown

https://access.redhat.com/labs/drown/

https://security-tracker.debian.org/tracker/CVE-2016-0800

https://www.debian.org/security/2016/dsa-3500

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0800.html

http://www.ubuntu.com/usn/usn-2914-1/