troubleshooting:how-to-fix-the-sslv2-drown-vulnerability [2016-08-18 16:45:13] (current)
rory.blanchard created
====== How to Fix the SSLv2 DROWN Vulnerability ======

DROWN, a vulnerability published in March 2016, allows an attacker to take advantage of the weak, long-deprecated SSLv2 protocol in two ways:

  * A server that has SSLv2 enabled can be used to attack any other server that uses the same RSA private key, including servers that do not themselves support SSLv2. This is the general attack (CVE-2016-0800). It does not depend on which SSL library the servers run, and what the attacker recovers is the plaintext of recorded TLS sessions, not the private key itself.

  * A server that has SSLv2 enabled and is also running one of the specifically vulnerable OpenSSL versions (CVE-2016-0703) can be used, in a much cheaper variant of the attack, against all other hostnames that appear in its certificate.

This means that no server should have SSLv2 enabled at this point, in any service that uses the certificate (web, mail, FTP and so on), because the attack is against the key, not against a particular website.

If you are running the current version of cPanel with the default options, SSLv2 is already disabled on that server, but that alone does not make you safe: a different server that still accepts SSLv2 and uses the same certificate and key exposes yours as well.

<note warning>
If any server that still accepts SSLv2 shares a certificate (and therefore its private key) or hostname with your other servers, all of those servers are vulnerable, whether or not they accept SSLv2 themselves.
</note>

In the following example, the three servers share one certificate (for example a wildcard certificate for *.example.com). Even though server 1 and server 3 have SSLv2 disabled, all three are vulnerable, because server 2 lets an attacker make use of their shared RSA key:

<code>
server 1 SSLv2 disabled server1.example.com
server 2 SSLv2 enabled  server2.example.com
server 3 SSLv2 disabled server3.example.com
</code>
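To make the shared-key reasoning in the example above concrete, here is an added Python example (not part of the original page, and not cPanel code). It takes an inventory of hostnames, each with a fingerprint of its certificate's public key and a flag saying whether it still accepts SSLv2, and reports which hosts are exposed and through which server. The inventory, the fingerprint labels key-A and key-B, and the extra host server4.example.com are constructed for the example; server4 has its own key and shows that a host with no SSLv2-enabled neighbour is not affected.

```python
"""Transitive DROWN exposure through a shared RSA key (added example).

Hosts are grouped by the fingerprint of the public key in their
certificate: two hosts with the same fingerprint share a private key, so
one SSLv2-enabled host exposes every host in its group (CVE-2016-0800).
All hostnames and fingerprints below are constructed sample data.
"""
from collections import defaultdict

# Constructed inventory: (hostname, accepts SSLv2, public-key fingerprint).
# server1-3 mirror the page's example and share one wildcard key (key-A);
# server4 has its own key (key-B) and never enabled SSLv2.
INVENTORY = [
    ("server1.example.com", False, "key-A"),
    ("server2.example.com", True,  "key-A"),
    ("server3.example.com", False, "key-A"),
    ("server4.example.com", False, "key-B"),
]


def drown_exposure(inventory):
    """Map each hostname to the sorted list of hosts that expose it.

    A host is exposed if any host sharing its key fingerprint (itself
    included) still accepts SSLv2. Hosts with no such neighbour map to [].
    """
    by_key = defaultdict(list)
    for host, sslv2, fingerprint in inventory:
        by_key[fingerprint].append((host, sslv2))
    exposure = {}
    for host, _sslv2, fingerprint in inventory:
        exposure[host] = sorted(h for h, v2 in by_key[fingerprint] if v2)
    return exposure


def vulnerable_hosts(inventory):
    """Hosts whose sessions can be decrypted, whether or not they run SSLv2."""
    return sorted(h for h, culprits in drown_exposure(inventory).items() if culprits)


def hosts_to_fix(inventory):
    """The servers where SSLv2 actually has to be disabled to close the hole."""
    return sorted(h for h, sslv2, _fp in inventory if sslv2)


if __name__ == "__main__":
    for host, culprits in drown_exposure(INVENTORY).items():
        status = "VULNERABLE via " + ", ".join(culprits) if culprits else "ok"
        print(f"{host:22} {status}")
    print("disable SSLv2 on:", ", ".join(hosts_to_fix(INVENTORY)))
```

In practice the fingerprint column is a hash of the certificate's public key rather than of the whole certificate, for instance `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum`, so that two different certificates issued for the same key still land in the same group.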

To check a public-facing server for DROWN, run it through the [[https://www.ssllabs.com/ssltest/|Qualys SSL Labs Server Test]], which tests for DROWN explicitly as well as for SSLv2 support.

If your server shows up as vulnerable, check every server that uses the same certificate, hostname or wildcard certificate: at least one of them still accepts SSLv2, and that server is the source of the vulnerability. Disable SSLv2 (and its cipher suites) in every service on that server that uses the certificate, not only the web server; mail and FTP services commonly use the same hostname certificate.
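SSL Labs can only test hosts that are reachable from the Internet. For internal servers, or for mail and other non-HTTPS services, the check can be done directly: send a raw SSLv2 CLIENT-HELLO and see whether the server answers with an SSLv2 SERVER-HELLO. Note that `openssl s_client -ssl2` no longer exists in OpenSSL 1.1.0 and later, so a stock OpenSSL usually cannot perform this test. The following Python script is an added example and is not from the original page; the two sample replies (an SSLv2 SERVER-HELLO with an empty certificate field, and a TLS protocol_version alert) are constructed so the classifier can be exercised offline, and `probe()` is the only function that touches the network.

```python
"""Raw SSLv2 probe for DROWN (added example, not from the original page).

Sends an SSLv2 CLIENT-HELLO and classifies the server's first reply bytes.
An SSLv2 SERVER-HELLO (message type 0x04) means SSLv2 is enabled and the
host is a DROWN source; a TLS alert or a closed connection means refusal.
"""
import os
import socket

# All seven SSLv2 cipher kinds (3 bytes each), offered together so that a
# server with any SSLv2 cipher still enabled will answer.
SSLV2_CIPHER_KINDS = bytes([
    0x01, 0x00, 0x80,  # SSL_CK_RC4_128_WITH_MD5
    0x02, 0x00, 0x80,  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    0x03, 0x00, 0x80,  # SSL_CK_RC2_128_CBC_WITH_MD5
    0x04, 0x00, 0x80,  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    0x05, 0x00, 0x80,  # SSL_CK_IDEA_128_CBC_WITH_MD5
    0x06, 0x00, 0x40,  # SSL_CK_DES_64_CBC_WITH_MD5
    0x07, 0x00, 0xC0,  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
])


def sslv2_record(body):
    """Wrap a message in the 2-byte SSLv2 record header (high bit = no padding)."""
    return (0x8000 | len(body)).to_bytes(2, "big") + body


def build_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind."""
    if challenge is None:
        challenge = os.urandom(16)
    body = (
        b"\x01"                                       # MSG-CLIENT-HELLO
        + b"\x00\x02"                                 # CLIENT-VERSION = SSLv2
        + len(SSLV2_CIPHER_KINDS).to_bytes(2, "big")  # CIPHER-SPECS-LENGTH
        + b"\x00\x00"                                 # SESSION-ID-LENGTH = 0
        + len(challenge).to_bytes(2, "big")           # CHALLENGE-LENGTH
        + SSLV2_CIPHER_KINDS
        + challenge
    )
    return sslv2_record(body)


def classify_response(data):
    """Return 'sslv2', 'tls-alert', 'tls', 'closed' or 'unknown' for a reply."""
    if not data:
        return "closed"                 # server hung up: SSLv2 refused
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x04:
        return "sslv2"                  # MSG-SERVER-HELLO: SSLv2 is enabled
    if data[0] == 0x15:
        return "tls-alert"              # TLS alert record: hello rejected
    if data[0] == 0x16:
        return "tls"                    # TLS handshake record
    return "unknown"


def server_hello_ciphers(data):
    """List the 3-byte cipher kinds an SSLv2 SERVER-HELLO offers back."""
    if classify_response(data) != "sslv2":
        return []
    cert_len = int.from_bytes(data[7:9], "big")    # CERTIFICATE-LENGTH
    spec_len = int.from_bytes(data[9:11], "big")   # CIPHER-SPECS-LENGTH
    start = 13 + cert_len                          # header (2) + fixed fields (11)
    specs = data[start:start + spec_len]
    return [specs[i:i + 3] for i in range(0, len(specs) - len(specs) % 3, 3)]


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, send the CLIENT-HELLO and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed sample replies for offline testing.
# An SSLv2 SERVER-HELLO with an empty certificate field and two cipher kinds.
SAMPLE_SSLV2_SERVER_HELLO = sslv2_record(
    b"\x04"                     # MSG-SERVER-HELLO
    + b"\x00"                   # SESSION-ID-HIT
    + b"\x01"                   # CERTIFICATE-TYPE = X.509
    + b"\x00\x02"               # SERVER-VERSION = SSLv2
    + b"\x00\x00"               # CERTIFICATE-LENGTH (0: omitted in the sample)
    + b"\x00\x06"               # CIPHER-SPECS-LENGTH
    + b"\x00\x10"               # CONNECTION-ID-LENGTH
    + b"\x01\x00\x80" + b"\x07\x00\xc0"
    + bytes(16)                 # CONNECTION-ID
)
# A TLS 1.0 fatal alert protocol_version (70): what a server without SSLv2 sends.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Run it against port 443 for the web server and against 465, 993 or 995 for the mail services that share the hostname certificate; any host that answers `sslv2` is the one that needs fixing.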