DROWN stands for "Decrypting RSA with Obsolete and Weakened Encryption." You should not panic from DROWN attack but treating of the vulnerability is necessary for affected applications. It is a serious vulnerability and affects HTTPS that relies on SSL and TLS. Everyone on the Internet uses these protocols to browse the web, email etc and send instant messages by preventing third-parties being able to read the communication. This attack allows attacker to read or even steal sensitive communications, which may include passwords, credit card information, trade secrets etc by breaking encryption.
The attack is not insignificant and can be launched against high-value targets. Before you strive for its remediation, you should first ensure that your systems are not vulnerable. Fortunately, it's remediation is very simple and straightforward: just disable SSL v2 on all servers you have.
What is affected?
- TLS-dependent services
- Mail Servers
How to identify that your site is vulnerable?
A server is affected if it allows SSLv2 connections. Due to misconfiguration and inappropriate default settings it is unexpectedly feasible.
If its private key is used on any other server that allows SSLv2 connections, even for another protocol. We can realize that many companies reuse the same certificate and key on their web and email servers. Suppose, if the email server supports SSLv2 and the web server does not, then also an attacker can take advantage of the email server to break TLS connections to the web server and put it at risk.
Go through ssllabs and enter the URL using SSL connection. Check whether protocols allowed are as follows:
TLS1.2 - Yes
TLS1.1 - Yes
TLS1.0 - Yes
SSL3 - No
SSL2 - No
Countermeasures to mitigate DROWN Attack:
OpenSSL: If OpenSSL is used, then upgrade it to recent versions of OpenSSL 1.0.2g and1.0.1s.
Microsoft IIS: If you are using older and no longer supported version of IIS, then upgrade to IIS version 7 or newer. In newer version of IIS which is IIS7 and above, SSL v2 is disabled by default.
Network Security Services (NSS): Upgrade all the older version of NSS to NSS 3.13 or newer. In NSS 3.13 or newer, SSL v2 is disabled by default.
Finally, it’s the responsibility of Operators of vulnerable servers need to take action. There is nothing practical that browsers or end-users can do on their own to protect against this attack.
Authored by Tapasi Chavan