
DROWN update


As I wrote in our initial DROWN blog post, we are scanning .at for mail and web servers that still support SSLv2. We are notifying our constituency, and we see a steady drop in the number of vulnerable servers (counted by IP address).


So it is slowly getting better.

Looking at the feedback we receive, one point needs extra attention: disabling all SSLv2 cipher suites may not be enough. On an unpatched OpenSSL the server can still be attacked as long as the protocol itself is enabled, so you need to disable the SSLv2 protocol, not just its ciphers.

See this FAQ entry from the DROWN website:

DROWN is made worse by two additional OpenSSL implementation vulnerabilities. CVE-2015-3197, which affected OpenSSL versions prior to 1.0.2f and 1.0.1r, allows a DROWN attacker to connect to the server with disabled SSLv2 ciphersuites, provided that support for SSLv2 itself is enabled. CVE-2016-0703, which affected OpenSSL versions prior to 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf, greatly reduces the time and cost of carrying out the DROWN attack.

We will thus continue to send warnings as long as SSLv2 is not completely disabled. For the typical Linux setup, this post contains suitable configuration advice.
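The distinction above (protocol enabled versus ciphers enabled) is visible on the wire. The following Python script is an added example and is not CERT.at's scanner or any code from the DROWN project: it sends a raw SSLv2 CLIENT-HELLO to a host, optionally after an SMTP STARTTLS exchange so that mail servers can be checked too, and classifies the reply. A SERVER-HELLO in SSLv2 framing means the protocol is enabled even when the advertised cipher list is empty, which is exactly the case that still gets a warning. The EHLO client name is a placeholder, and the sample replies at the bottom are constructed, not captured from real hosts, so the parser can be exercised offline.

```python
# Added example, not CERT.at's scanner: send a raw SSLv2 CLIENT-HELLO and
# classify the reply. Any SSLv2 SERVER-HELLO, even with an empty cipher
# list, means the protocol is still enabled and the host must be fixed.
import socket
import struct

# The seven SSLv2 CIPHER-KIND values (3 bytes each) from the SSLv2 draft.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_ERROR, MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0, 1, 4


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher, with no session id."""
    specs = b"".join(SSLV2_CIPHERS)
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte record header: high bit set, 15-bit length, no padding byte.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_response(data: bytes) -> dict:
    """Classify the server's reply: {"sslv2_enabled", "ciphers", "detail"}."""
    res = {"sslv2_enabled": False, "ciphers": [], "detail": ""}
    if not data:
        res["detail"] = "no reply (connection closed or timed out)"
    elif data[0] == 0x15 and data[1:2] == b"\x03":
        res["detail"] = "TLS alert record: SSLv2 hello rejected, SSLv2 is off"
    elif len(data) < 3 or not data[0] & 0x80:
        res["detail"] = "reply is not a 2-byte-header SSLv2 record"
    else:
        msg = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
        if msg and msg[0] == MSG_ERROR:
            # Server parsed the SSLv2 hello and answered in SSLv2 framing.
            res["sslv2_enabled"] = True
            res["detail"] = "SSLv2 ERROR message: server speaks SSLv2"
        elif msg and msg[0] == MSG_SERVER_HELLO and len(msg) >= 11:
            # SERVER-HELLO: type, session-hit, cert-type, version(2),
            # cert len(2), cipher-specs len(2), conn-id len(2), then fields.
            cert_len, cs_len = struct.unpack(">HH", msg[5:9])
            specs = msg[11 + cert_len:11 + cert_len + cs_len]
            res["sslv2_enabled"] = True
            res["ciphers"] = [SSLV2_CIPHERS.get(specs[i:i + 3], "unknown:" + specs[i:i + 3].hex())
                              for i in range(0, len(specs) - len(specs) % 3, 3)]
            res["detail"] = (f"SSLv2 SERVER-HELLO offering {len(res['ciphers'])} cipher(s)"
                             if res["ciphers"] else
                             "SSLv2 SERVER-HELLO with empty cipher list: protocol still "
                             "enabled (CVE-2015-3197 exposure on unpatched OpenSSL)")
        else:
            res["detail"] = f"unexpected SSLv2 message {msg[:1].hex() or '(empty)'}"
    return res


def smtp_starttls(sock: socket.socket) -> None:
    """Drive plain SMTP up to STARTTLS (RFC 3207) so the hello reaches TLS."""
    rfile = sock.makefile("rb")
    def reply() -> bytes:  # skip "250-" continuation lines, return the code
        while True:
            line = rfile.readline()
            if not line or line[3:4] == b" ":
                return line[:3]
    reply()  # banner
    sock.sendall(b"EHLO drown-check.example\r\n")  # placeholder client name
    reply()
    sock.sendall(b"STARTTLS\r\n")
    if reply() != b"220":
        raise RuntimeError("server refused STARTTLS")


def probe(host: str, port: int = 443, starttls: bool = False, timeout: float = 5.0) -> dict:
    """Connect to host:port (SMTP STARTTLS first if asked) and classify."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if starttls:
            smtp_starttls(sock)
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return parse_response(data)


# Constructed replies (not captured from real hosts) to exercise the parser
# offline; the certificate field is left empty for brevity.
SAMPLE_SERVER_HELLO = (
    b"\x80\x21"                  # record header, 33-byte message follows
    b"\x04\x00\x01\x00\x02"      # SERVER-HELLO, no session hit, X.509, v2
    b"\x00\x00\x00\x06\x00\x10"  # cert len 0, cipher specs 6, conn-id 16
    b"\x01\x00\x80\x07\x00\xc0"  # RC4-128-MD5, 3DES-MD5
    + b"\xaa" * 16)
SAMPLE_SERVER_HELLO_NO_CIPHERS = (
    b"\x80\x1b" b"\x04\x00\x01\x00\x02" b"\x00\x00\x00\x00\x00\x10" + b"\xbb" * 16)
```

Use `probe("www.example.com", 443)` for a web server and `probe("mail.example.com", 25, starttls=True)` for an SMTP host (hostnames are placeholders); `parse_response` on the two constructed samples shows the difference between a server offering ciphers and one that answers in SSLv2 but offers none. The second case is what a configuration produces when only the cipher list was trimmed (for example a restrictive Apache `SSLCipherSuite` while `SSLProtocol` still allows SSLv2): the fix is to remove the protocol, as in Apache `SSLProtocol all -SSLv2 -SSLv3` or Postfix `smtpd_tls_protocols = !SSLv2, !SSLv3`, after which the probe should see a TLS alert or a closed connection instead of an SSLv2 record.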

Author: Otmar Lendl

Last Change: 2016/4/11 - 11:36:02