Drown Attack: Vulnerability in SSLv2 and TLS affects HTTPS

  • Wednesday 2nd March 2016
  • Posted in News

Drown (RSA decrypting With Obsolete and Weakened encryption) is a serious vulnerability that affects HTTPS and other services that depend on the SSLv2 and TLS protocols.

Drown, identified as CVE-2016-0800, allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets or financial information. An attacker who has intercepted TLS connections can decrypt them by sending specially crafted connections to an SSLv2 server that supports EXPORT-grade cipher suites and uses the same private key.

According to current measurements, 33% of all HTTPS servers are vulnerable to this new attack. Drown is worse if the server also has two additional OpenSSL vulnerabilities: CVE-2015-3197, which affects OpenSSL versions before 1.0.2f and 1.0.1r, and CVE-2016-0703, which affects OpenSSL versions before 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf. These two vulnerabilities significantly reduce the time and cost of carrying out the Drown attack. At the time of disclosure, the researchers were able to execute the attack in less than a minute using a single computer. Even for servers that do not have these particular bugs, a general variant of the attack, which works against any SSLv2 server, can be performed in less than 8 hours. There are currently about 11.5 million vulnerable websites, and the administrators of these servers must take immediate action. Clients cannot and need not do anything. Modern servers use the TLS encryption protocol, but due to misconfiguration many servers still support SSLv2, a protocol from 1995 that current clients no longer use.

Although SSLv2 has long been known to be very insecure, until now merely supporting it was not considered a security problem, because clients never use it. Drown shows that simply offering SSLv2 is a threat to both clients and servers, because it allows an attacker to decrypt TLS connections by sending probes through the SSLv2 protocol to a server that uses the same private key.

In technical terms, the Drown attack is a cross-protocol variant of the Bleichenbacher padding oracle attack: it potentially allows an attacker to intercept and decrypt TLS connections by sending specially crafted connections to an SSLv2 server that uses the same private key. This type of attack uses bugs in the implementation of one protocol (SSLv2 in this case) to attack the security of connections made under a totally different protocol (TLS). More specifically, Drown is based on the observation that both SSLv2 and TLS support RSA key exchange; while TLS protects against certain well-known attacks on it, the SSLv2 export suites do not.

A server is vulnerable to Drown if:

  • It allows SSLv2 connections. This is surprisingly common, due to misconfiguration. Measurements show that 17% of HTTPS servers still allow SSLv2 connections.
  • Its private key is used by any other server that allows SSLv2 connections, even for another protocol. Many companies reuse the same certificate and key on their web and email servers, for example. In this case, if the mail server supports SSLv2, an attacker can take advantage of the mail service to break TLS connections to the web server, even though the web server itself does not support SSLv2. This endangers 33% of HTTPS servers.
  • The Drown website has a form to check whether a web server is vulnerable. The check is based on data collected in February 2016 and is not automatically updated for servers that have since disabled SSLv2.

To protect against Drown, server administrators must ensure that their private keys are not reused on any other type of server that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers and any other software that supports SSL/TLS. You can use the form mentioned above to check whether a server appears to be exposed to the attack. Disabling SSLv2 can be complicated and depends on the specific server software.
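The two exposure conditions above (a service that accepts SSLv2 itself, or one whose private key is shared with a service that does) can be applied mechanically to a service inventory. The following is an added example, not code from the original post or from the Drown researchers; the inventory, host names and key fingerprints are constructed sample data, and it assumes you have already recorded per-service SSLv2 status and key fingerprints from your own configuration audit.

```python
# Added example: classify services in a constructed inventory by Drown exposure.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    protocol: str          # e.g. "https", "smtp", "imap"
    key_fingerprint: str   # fingerprint identifying the RSA private key in use
    sslv2_enabled: bool    # whether the service still accepts SSLv2 handshakes


# Constructed inventory: web and mail servers share one key ("key-A"),
# a second web server has its own key ("key-B"), a legacy host ("key-C")
# still speaks SSLv2 directly.
INVENTORY = [
    Service("www.example.test", 443, "https", "key-A", False),
    Service("mail.example.test", 25, "smtp", "key-A", True),
    Service("mail.example.test", 993, "imap", "key-A", False),
    Service("shop.example.test", 443, "https", "key-B", False),
    Service("old.example.test", 443, "https", "key-C", True),
]


def drown_exposure(services):
    """Return {"host:port/protocol": reason} for every exposed service.

    A service is exposed if it accepts SSLv2 itself, or if any other service
    (any host, any protocol) that uses the same private key accepts SSLv2.
    """
    sslv2_by_key = defaultdict(set)
    for s in services:
        if s.sslv2_enabled:
            sslv2_by_key[s.key_fingerprint].add(f"{s.host}:{s.port}/{s.protocol}")
    exposed = {}
    for s in services:
        me = f"{s.host}:{s.port}/{s.protocol}"
        if s.sslv2_enabled:
            exposed[me] = "accepts SSLv2 directly"
            continue
        others = sslv2_by_key.get(s.key_fingerprint, set()) - {me}
        if others:
            exposed[me] = "shares private key with SSLv2 server(s): " + ", ".join(sorted(others))
    return exposed


if __name__ == "__main__":
    for svc, why in sorted(drown_exposure(INVENTORY).items()):
        print(f"{svc}: {why}")
```

Note that the web server www.example.test is flagged even though it never speaks SSLv2, purely because its key is shared with the SMTP service that does.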

Instructions for several common products:

OpenSSL: The easiest and recommended solution is to upgrade to a newer version of OpenSSL. OpenSSL 1.0.2 users should update to 1.0.2g and OpenSSL 1.0.1 users should upgrade to 1.0.1s. Older versions should upgrade to one of these releases. The OpenSSL update disables SSLv2 by default and removes support for the SSLv2 EXPORT cipher suites, in line with RFC 6176.

OpenSSL has already released the patched versions 1.0.2g and 1.0.1s, and distributors such as Canonical, Red Hat and SUSE are publishing updates in the coming hours. Fedora is not vulnerable because SSLv2 has been disabled there since 2014.

Microsoft IIS (Windows Server): In IIS 7.0, SSLv2 is disabled by default; if it has been manually enabled, it should be disabled again. Earlier versions are not supported by Microsoft and should be updated.

Network Security Services (NSS): NSS is a cryptographic library built into many server products. NSS 3.13 (2012) and later have SSLv2 disabled by default; anyone who has enabled it manually should disable it. Users of earlier versions should update. It is also recommended to check whether the private key is shared with another type of server.

Instructions for Apache, Postfix and Nginx

The Drown researchers have published the paper [PDF]: Breaking SSLv2 using TLS, which includes all the technical details of the vulnerability, together with a FAQ answering the most common questions. Matthew Green, a professor at Johns Hopkins University, published a post explaining how Drown works, as did Ivan Ristic, Director of SSL Labs.

Source: Drown
