OpenSSL Secured Websites at Risk of New DROWN Attack

Description

A new cross-protocol attack has been discovered that allows attacks on TLS (Transport Layer Security) by way of SSLv2. The attack also affects any service that relies on SSL or TLS, such as HTTPS. DROWN shows that merely supporting SSLv2 can make a server vulnerable to attack. Only server operators can mitigate this attack; clients and browsers cannot.

Additional information can be found at

Recommendations

  • Disable SSLv2 in any server software that still allows SSLv2 connections.
  • Users of OpenSSL 1.0.2 and below should upgrade to 1.0.2g.
  • Users of OpenSSL 1.0.1 and below should upgrade to 1.0.1s.

Indicators of Compromise

Protocols Affected (by port)

  • 443 (HTTPS)
  • 25 (SMTP with STARTTLS)
  • 110 (POP3 with STARTTLS)
  • 143 (IMAP with STARTTLS)
  • 465 (SMTPS)
  • 587 (SMTP with STARTTLS)
  • 993 (IMAPS)
  • 995 (POP3S)

Systems Affected

  • All systems that support SSLv2

Vulnerable Versions

  • OpenSSL 1.0.2 and below
  • OpenSSL 1.0.1 and below

Patches