Wednesday, March 2, 2016

DROWN - Decrypting RSA using Obsolete and Weakened eNcryption


This post describes the DROWN vulnerability, the affected operating systems, and the steps for identification and remediation.
 
DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. 


Most websites are now vulnerable to DROWN, including Yahoo, ICICI Bank, Snapdeal, etc.

CVE-2016-0800, known as DROWN


Vulnerable in:
- SSLv2 (Secure Sockets Layer protocol version 2.0)
- TLS (Transport Layer Security) version (1.0 - 1.2)
- Services that do not use SSLv2 themselves, but share their RSA keys with services that do support SSLv2, are also vulnerable.


CVE-2016-0703: affected OpenSSL versions prior to 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8z
CVE-2016-0704: affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions.


The following OS versions are affected by DROWN (RHEL and CentOS):
Red Hat Enterprise Linux 4*
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7


Ubuntu 14 and AWS OS are not affected by the DROWN vulnerability.


How to check whether your server is vulnerable:
Red Hat provides a bash script for this. Download it from: https://access.redhat.com/labs/drown/DROWN-test.sh

Or check via the website: https://test.drownattack.com

# wget https://access.redhat.com/labs/drown/DROWN-test.sh
# chmod 755 DROWN-test.sh
# ./DROWN-test.sh

WARNING: The installed version of openssl (openssl-1.0.1e-30.el6_6.5) is vulnerable to both general and special DROWN attack and should be upgraded!
See https://access.redhat.com/security/vulnerabilities/drown for more information.

The installed version of openssl-libs (package openssl-libs is not installed) is not vulnerable to DROWN.


===========================
# yum info openssl
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 30.el6_6.5
Size        : 4.0 M
Repo        : installed


Available Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 42.el6_7.4
================================================


OpenSSL packages patched by Red Hat:

Product                                          Fixed package                                             Advisory
Red Hat Enterprise Linux 4                       openssl-0.9.7a-43.23.el4                                  RHSA-2016:0306
Red Hat Enterprise Linux 5                       openssl-0.9.8e-39.el5_11                                  RHSA-2016:0302
Red Hat Enterprise Linux 5.6                     openssl-0.9.8e-12.el5_6.13                                RHSA-2016:0304
Red Hat Enterprise Linux 5.9                     openssl-0.9.8e-26.el5_9.5                                 RHSA-2016:0304
Red Hat Enterprise Linux 6                       openssl-1.0.1e-42.el6_7.4                                 RHSA-2016:0301
Red Hat Enterprise Linux 6.2                     openssl-1.0.0-20.el6_2.8                                  RHSA-2016:0303
Red Hat Enterprise Linux 6.4                     openssl-1.0.0-27.el6_4.5                                  RHSA-2016:0303
Red Hat Enterprise Linux 6.5                     openssl-1.0.1e-16.el6_5.16                                RHSA-2016:0303
Red Hat Enterprise Linux 6.6                     openssl-1.0.1e-30.el6_6.12                                RHSA-2016:0305
Red Hat Enterprise Linux 7                       openssl-1.0.1e-51.el7_2.4                                 RHSA-2016:0301
Red Hat Enterprise Linux 7.1                     openssl-1.0.1e-42.el7_1.10, openssl-1.0.1e-42.ael7b_1.10  RHSA-2016:0305
Red Hat JBoss Web Server 2                       openssl                                                   Patch Pending
Red Hat JBoss Web Server 3                       openssl                                                   Patch Pending
Red Hat JBoss Enterprise Application Platform 6  openssl                                                   Patch Pending



==================================================


Follow the steps below to disable SSLv2 on AWS:

- Select your load balancer (EC2 > Load Balancers).
- In the Listeners tab, click "Change" in the Cipher column.
- Ensure that the radio button for "Predefined Security Policy" is selected.
- In the dropdown, select the "ELBSecurityPolicy-2015-05" policy.
- Click "Save" to apply the settings to the listener.
- Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.


Fixing DROWN on your CentOS (RPM-based) server:


1. Upgrade openssl
yum update openssl
2. Check for CVE information after openssl upgrade
rpm -qa openssl --changelog | grep CVE-2016-0800

OR

Run the DROWN test script from Red Hat once again.

 

A patched system will show:

 [/usr/local/src]# ./DROWN-test.sh
The installed version of openssl (openssl-1.0.1e-42.el6_7.4.x86_64) is not known to be vulnerable to DROWN.
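
The check above depends on RPM ordering rather than string ordering: as plain text, the vulnerable build 30.el6_6.5 sorts after the fixed build 30.el6_6.12. The Python below is an added example (not Red Hat's DROWN-test.sh and not part of the original post) that compares an installed openssl package with fixed builds from the table above; the function names, the subset of rows, the simplified comparison and the matching by update-stream tag (el6_6 and so on) are assumptions.

```python
import re

# Fixed builds copied from the Red Hat table on this page, keyed by the
# update-stream tag in the release field (assumption: a package is judged
# against the fix for its own stream, e.g. el6_6 for RHEL 6.6).
FIXED = {
    "el5_11": "openssl-0.9.8e-39.el5_11",
    "el6_5": "openssl-1.0.1e-16.el6_5.16",
    "el6_6": "openssl-1.0.1e-30.el6_6.12",
    "el6_7": "openssl-1.0.1e-42.el6_7.4",
    "el7_1": "openssl-1.0.1e-42.el7_1.10",
    "el7_2": "openssl-1.0.1e-51.el7_2.4",
}
ARCH = re.compile(r"\.(x86_64|i[3-6]86|noarch|ppc64|s390x)$")


def split_nvr(nvr):
    """'openssl-1.0.1e-42.el6_7.4.x86_64' -> (name, version, release)."""
    return tuple(ARCH.sub("", nvr).rsplit("-", 2))


def rpmvercmp(a, b):
    """Simplified RPM ordering over digit/letter runs (no epoch, ~ or ^)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # 5 < 12, unlike "5" > "12"
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run is newer
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def drown_status(nvr):
    """Return 'vulnerable', 'patched' or 'unknown' for an installed NVR."""
    _, version, release = split_nvr(nvr)
    stream = re.search(r"el\d+_\d+", release)
    fixed = FIXED.get(stream.group(0)) if stream else None
    if fixed is None:
        return "unknown"
    _, fver, frel = split_nvr(fixed)
    order = rpmvercmp(version, fver) or rpmvercmp(release, frel)
    return "vulnerable" if order < 0 else "patched"


if __name__ == "__main__":
    for pkg in ("openssl-1.0.1e-30.el6_6.5",          # from the WARNING output
                "openssl-1.0.1e-42.el6_7.4.x86_64"):  # from the patched output
        print(pkg, "->", drown_status(pkg))
```

A build such as openssl-1.0.1e-30.el6_6.12 is reported as patched even though its release number (30) is lower than the RHEL 6 mainline fix (42), which is why the comparison is made within the package's own stream.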
