What is DROWN?
DROWN is a high-severity security vulnerability that affects HTTPS and other services that rely on the SSL and TLS protocols. The attack lets attackers break the encryption and read or steal private and sensitive information, including conversations, passwords, bank details and financial data, exchanged between users and the affected server.
Who is vulnerable?
Websites, mail servers, and other TLS-dependent services are at risk from DROWN attacks. The DROWN vulnerability occurs when a server is misconfigured to serve data over legacy SSLv2 (a predecessor to TLS).
Support for SSLv2 lets an attacker decrypt modern TLS connections between up-to-date clients and servers: the attacker intercepts the TLS traffic and sends probes to a server that supports SSLv2 and uses the same private key. Any such server puts your HTTPS server at risk, even if the HTTPS server itself has SSLv2 disabled.
How do I prevent my server from DROWNing?
To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections (e.g. web servers, SMTP, IMAP and POP servers, etc.).
Disabling SSLv2 can be a complicated process and depends on the specific server software:
OpenSSL
OpenSSL is a cryptographic library used in many server products. For users of OpenSSL, the easiest and recommended solution is to upgrade to a recent OpenSSL version.
Microsoft IIS (Windows Services)
IIS versions 7.0 and above should have SSLv2 disabled by default. (A small number of users may have enabled SSLv2 manually and will need to take steps to disable it.)
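The advice above boils down to one question per service that shares a certificate key: does it still answer an SSLv2 handshake? Recent OpenSSL builds no longer ship SSLv2 at all, so `openssl s_client -ssl2` is not available for that check. The following script is an added example written for this page, not code from Systech, KEMP, or the DROWN researchers. It builds a bare SSLv2 ClientHello, sends it to a host and port you name, and reports whether the reply is an SSLv2 ServerHello (SSLv2 enabled) or something else (a TLS alert, a closed connection, or a timeout). Everything in it is assumed from the SSLv2 wire format; the sample replies used for the stand-alone run are constructed, not captured.

```python
"""SSLv2 support check for a server you operate (added example, not vendor code).

Sends one SSLv2 ClientHello and classifies the first bytes the server returns.
A server that answers with an SSLv2 ServerHello still speaks SSLv2 and, if it
shares a private key with any TLS service, exposes that service to DROWN.
"""
import os
import socket
import struct

# SSLv2 cipher-spec identifiers (3 bytes each) as defined by the SSLv2 spec
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = b"\x00\x02"


def build_client_hello(challenge=None):
    """Return a complete SSLv2 ClientHello record offering every SSLv2 cipher."""
    challenge = challenge or os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHERS)
    body = (
        bytes([MSG_CLIENT_HELLO]) + SSLV2_VERSION
        + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))  # spec, session-id, challenge lengths
        + cipher_specs + challenge
    )
    # 2-byte record header: high bit set, remaining 15 bits carry the body length
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_reply(data):
    """Classify the server's first bytes: SSLv2 ServerHello or anything else."""
    if len(data) < 3:
        return {"sslv2": False, "reason": "no or truncated reply"}
    if data[0] & 0x80:  # 2-byte header, no padding
        hdr_len, rec_len = 2, ((data[0] & 0x7F) << 8) | data[1]
    else:  # 3-byte header with a padding byte
        hdr_len, rec_len = 3, ((data[0] & 0x3F) << 8) | data[1]
    body = data[hdr_len:hdr_len + rec_len]
    # ServerHello: type, session-id-hit, cert-type, version(2), cert-len(2),
    # cipher-specs-len(2), connection-id-len(2), then the three variable fields
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO or body[3:5] != SSLV2_VERSION:
        return {"sslv2": False, "reason": "not an SSLv2 ServerHello"}
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    offered = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs) - len(specs) % 3, 3)]
    return {"sslv2": True, "reason": "SSLv2 ServerHello received", "ciphers": offered}


def probe(host, port=443, timeout=5.0):
    """Send one SSLv2 ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except OSError:  # timeout or reset: the server did not answer the hello
            reply = b""
    return parse_server_reply(reply)


def constructed_sslv2_server_hello():
    """A hand-built SSLv2 ServerHello (constructed test data, not a capture)."""
    cert = b"\x30\x03\x02\x01\x01"  # placeholder bytes standing in for a DER certificate
    specs = b"\x01\x00\x80\x07\x00\xc0"  # RC4-128-MD5 and 3DES-MD5
    conn_id = b"\x00" * 16
    body = (bytes([MSG_SERVER_HELLO, 0x00, 0x01]) + SSLV2_VERSION
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


# Constructed TLS alert (protocol_version) as a modern server would send it
CONSTRUCTED_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    print("SSLv2 server  :", parse_server_reply(constructed_sslv2_server_hello()))
    print("TLS-only server:", parse_server_reply(CONSTRUCTED_TLS_ALERT))
    # Against a real host you operate: print(probe("mail.example.invalid", 465))
```

Run `probe()` once per service that holds the same certificate key (HTTPS, SMTPS, IMAPS, POP3S), not only the web server: the page's point is that any one SSLv2-capable service sharing the key is enough. A result of `sslv2: False` with reason "no or truncated reply" means the server dropped the connection, which is the expected behaviour for a correctly configured server.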
KEMP follows industry trends, best practices, and security standards such as PCI-DSS to continually refine its security posture. KEMP LoadMasters have never supported SSLv2, and it is disabled by default. LoadMasters can front-end insecure services or legacy applications quickly and with limited operational impact.
As part of the KEMP security response process, every new version of OpenSSL and the corresponding patches are evaluated on a variety of factors (risk mitigation, performance, functionality, etc.). KEMP's engineering team works in conjunction with the Security Alert team to decide on the best course of action and a release mechanism that works flexibly to protect their customers.
For more information or queries about DROWN, get in touch with the security experts at Systech IT Solutions.