OpenSSL Secured Websites at Risk of New DROWN Attack


A new cross-protocol attack, DROWN, has been discovered that allows attacks on TLS (Transport Layer Security) by using SSLv2. It also affects any service that relies on SSL and TLS, such as HTTPS. DROWN shows that merely supporting SSLv2 can make your server vulnerable to attack. Only server operators can mitigate this attack; clients and browsers cannot.

Additional Information can be found at


  • Disable any server software that allows SSLv2 connections.
  • Users of OpenSSL version 1.0.2 or below should upgrade to 1.0.2g.
  • Users of OpenSSL version 1.0.1 or below should upgrade to 1.0.1s.

Indicators of Compromise

Protocols Affected
  • 443 (HTTPS)
  • 25 (SMTP with STARTTLS)
  • 110 (POP3 with STARTTLS)
  • 143 (IMAP with STARTTLS)
  • 465 (SMTPS)
  • 587 (SMTP with STARTTLS)
  • 993 (IMAPS)
  • 995 (POP3S)
Systems Affected
  • All Systems that support SSLv2
Vulnerable Versions
  • OpenSSL 1.0.2 and below
  • OpenSSL 1.0.1 and below
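
To triage hosts against the fixed releases and port list above, the following added example (not part of the original advisory) parses `openssl version` output and reports the release to upgrade to. The inventory, host names and banner dates are constructed, and the function names are hypothetical.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {(1, 0, 2): "g", (1, 0, 1): "s"}
# Service ports the advisory lists as affected.
DROWN_PORTS = {443, 25, 110, 143, 465, 587, 993, 995}
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """Return ((major, minor, fix), letter_suffix) from `openssl version` output."""
    m = _BANNER.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)

def _patch_key(letters):
    # OpenSSL patch letters order as "" < a < ... < z < za < zb ...
    return (len(letters), letters)

def needs_drown_upgrade(banner):
    """Return the release to upgrade to, or None if the advisory does not flag it."""
    branch, letters = parse_openssl_version(banner)
    if branch > (1, 0, 2):
        return None  # newer than the branches the advisory names
    # 1.0.2 has its own fixed release; 1.0.1 and anything older map to 1.0.1s.
    target = (1, 0, 2) if branch == (1, 0, 2) else (1, 0, 1)
    if branch == target and _patch_key(letters) >= _patch_key(FIXED[target]):
        return None
    return "%d.%d.%d%s" % (*target, FIXED[target])

def audit(inventory):
    """inventory: iterable of (host, version_banner, listening_ports)."""
    findings = []
    for host, banner, ports in inventory:
        upgrade_to = needs_drown_upgrade(banner)
        if upgrade_to:
            exposed = sorted(p for p in ports if p in DROWN_PORTS)
            findings.append((host, upgrade_to, exposed))
    return findings

# Constructed sample inventory for illustration only.
SAMPLE = [
    ("web01.example", "OpenSSL 1.0.2f  28 Jan 2016", [22, 443]),
    ("mail01.example", "OpenSSL 1.0.1e-fips 11 Feb 2013", [25, 587, 993]),
    ("web02.example", "OpenSSL 1.0.2g  1 Mar 2016", [443]),
]

if __name__ == "__main__":
    for host, upgrade_to, exposed in audit(SAMPLE):
        print(f"{host}: upgrade to {upgrade_to}; affected ports open: {exposed}")
```

Distribution packages often backport fixes without changing the upstream version string, so treat the banner as first-pass triage and confirm separately that SSLv2 is disabled on each listed service.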

