This blog does not contain official statements of CERT.at, only personal opinions of the individual contributors.

DROWN update

2016/04/11

As I wrote in our initial DROWN blog post, we are scanning .at for mail and web servers which still support SSLv2. We are notifying our constituency, and we see a steady drop in the number of vulnerable servers (measured by IP addresses):

[Chart: DROWN status in .at]

So it is slowly getting better.

Looking at the feedback we receive, there is one point, though, that needs extra attention: disabling all SSLv2 cipher suites might not be enough. You need to disable the SSLv2 protocol itself.

See this FAQ from the DROWN website:

DROWN is made worse by two additional OpenSSL implementation vulnerabilities. CVE-2015-3197, which affected OpenSSL versions prior to 1.0.2f and 1.0.1r, allows a DROWN attacker to connect to the server with disabled SSLv2 ciphersuites, provided that support for SSLv2 itself is enabled. CVE-2016-0703, which affected OpenSSL versions prior to 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf, greatly reduces the time and cost of carrying out the DROWN attack.

We will thus continue to send warnings as long as SSLv2 is not completely disabled. For the typical Linux setup, this openssl.org post contains suitable configuration advice.
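To make the difference between "SSLv2 ciphers excluded" and "SSLv2 protocol disabled" concrete, here is an added example (my own illustration, not CERT.at's scanner and not the openssl.org advice) that checks Apache mod_ssl and Postfix configuration text for exactly this mistake. The sample configs are constructed; the parsing is deliberately simplified, and a missing protocol directive is reported as "not proven disabled" because the built-in default depends on the software version (an assumption of this example, not a statement about any particular release).

```python
"""Added example: does a server config disable the SSLv2 *protocol*,
or only SSLv2 cipher suites (which, per CVE-2015-3197, is not enough)?

Assumptions of this example: only explicit directives are evaluated,
and an absent directive counts as "not proven disabled".
"""
import re

# Constructed sample configs. The weak forms only touch cipher suites.
APACHE_WEAK = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:!aNULL:!SSLv2
"""
APACHE_FIXED = """\
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL
"""
POSTFIX_WEAK = """\
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = SSLv2
"""
POSTFIX_FIXED = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
"""


def _apache_protocol_disabled(value):
    """Evaluate one Apache 'SSLProtocol' value such as 'all -SSLv2'."""
    tokens = [t.lower() for t in value.split()]
    if "-sslv2" in tokens:
        return True
    # 'all', 'SSLv2' or '+SSLv2' keeps the protocol switched on.
    return not ("all" in tokens or "sslv2" in tokens or "+sslv2" in tokens)


def check_apache(cfg):
    """Return (sslv2_protocol_disabled, findings) for mod_ssl config text."""
    findings = []
    proto = re.findall(r"^\s*SSLProtocol\s+(.+?)\s*$", cfg, re.M | re.I)
    if not proto:
        disabled = False
        findings.append("SSLProtocol not set: SSLv2 not proven disabled")
    else:
        disabled = all(_apache_protocol_disabled(v) for v in proto)
        if not disabled:
            findings.append("SSLProtocol still allows SSLv2")
    ciphers = re.findall(r"^\s*SSLCipherSuite\s+(.+?)\s*$", cfg, re.M | re.I)
    if not disabled and any("!sslv2" in c.lower() for c in ciphers):
        findings.append("only SSLv2 ciphers excluded; CVE-2015-3197 still applies")
    return disabled, findings


def _postfix_protocol_disabled(value):
    """Evaluate a Postfix protocol list: '!SSLv2, !SSLv3' or 'TLSv1, TLSv1.2'."""
    tokens = [t.lower() for t in re.split(r"[\s,:]+", value) if t]
    if any(t.startswith("!") for t in tokens):   # exclusion form
        return "!sslv2" in tokens
    return "sslv2" not in tokens                  # inclusion form


def check_postfix(cfg):
    """Return (sslv2_protocol_disabled, findings) for Postfix main.cf text."""
    findings = []
    params = {}
    for line in cfg.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    disabled = True
    # Both the opportunistic and the mandatory list must exclude SSLv2.
    for name in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        if name not in params:
            disabled = False
            findings.append(f"{name} not set: SSLv2 not proven disabled")
        elif not _postfix_protocol_disabled(params[name]):
            disabled = False
            findings.append(f"{name} still allows SSLv2")
    if not disabled and "sslv2" in params.get("smtpd_tls_exclude_ciphers", "").lower():
        findings.append("only SSLv2 ciphers excluded; CVE-2015-3197 still applies")
    return disabled, findings


if __name__ == "__main__":
    for label, fn, cfg in (("apache weak", check_apache, APACHE_WEAK),
                           ("apache fixed", check_apache, APACHE_FIXED),
                           ("postfix weak", check_postfix, POSTFIX_WEAK),
                           ("postfix fixed", check_postfix, POSTFIX_FIXED)):
        ok, findings = fn(cfg)
        print(f"{label}: {'SSLv2 off' if ok else 'STILL SSLv2'} {findings}")
```

The checker only tells you what the configuration claims; whether the server binary still has SSLv2 compiled in is a separate question that a scan of the live service answers.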

Author: Otmar Lendl

Last Change: 2016/4/11 - 11:36:02