Here’s a latest vulnerability called DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) that aims to attack servers using weak SSL version 2.0 (SSLv2) protocol for HTTPs, SMTP, IMAP, POP etc…Basically any service that uses SSL/TLS is subject to be vulnerable over SSLv2 . DROWN allows an attacker to decrypt communication (by obtaining the private key) encrypted using RSA based SSL certificate, if enough SSLv2 handshake data can be collected. The DROWN can directly affect servers using weak SSLv2 protocol, however, it requires approximately 1000 SSL handshakes to be intercepted.
How to test your server against DROWN vulnerability?
Quickly jump to this link to test your server against DROWN vulnerability attack.
Here’s a web interface, where you can type in your website address and click “Check for DROWN vulnerability” button.
How to Fix DROWN vulnerability in Apache and Nginx web servers?
In Apache:
$ sudo vim /etc/httpd/conf/httpd.conf
(or)
$ sudo vim /etc/httpd/conf.d/ssl.conf
and add -SSLv2 and -SSLv3 as shown below:
SSLProtocol all -SSLv2 -SSLv3
Note: The above setting recommends to disable both SSLv2 and SSLv3. Although SSLv3 is not vulnerable to DROWN attack, it’s highly recommended to disable SSLv3 as it’s vulnerable to other kinds of attack.
Restart the web server:
$ sudo /etc/init.d/httpd restart
In Nginx:
$ sudo vim /etc/nginx/nginx.conf
Lookout for the below line:
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
and remove SSLv2 and SSLv3 as shown below:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart the Nginx service.
How to Fix DOWN vulnerability in SMTP – Postfix?
$ sudo vim /etc/postfix/master.cf
and set the following lines. Here, the (!) removes SSLv2 and SSLv3 protocols.
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 smtpd_tls_protocols=!SSLv2,!SSLv3 smtp_tls_protocols=!SSLv2,!SSLv3
Note: Remember to do this change in every service that uses SSL.
Also update OpenSSL to the latest version:
# yum update openssl*
