DROWN Vulnerability — More Like A Doggy Paddle
You may have heard of the new DROWN vulnerability as it’s been in the news a fair bit over the past couple of days.
We’re glad to say, we’ve already checked our customers’ systems, but, even if you’re not using Intruder’s continuous monitoring service yet, DROWN isn’t something to get in a panic about.
If successfully exploited, the DROWN vulnerability can allow an attacker to decrypt encrypted network traffic between a client and server. It is however, not easy to exploit and requires the following conditions in order to be exploitable:
- The target server must support SSLv2, or share a key with a server which supports SSLv2 (which is usually disabled by default on modern services).
- The attacker must also be in a position to intercept the traffic between the client and vulnerable server (eg. on the same shared Wi-Fi connection).
As it’s a theoretically possible attack, but difficult to exploit in practice, we do not expect to see widespread exploitation of DROWN. That said, all your servers should already be using TLS to secure communications instead of the long deprecated SSL protocols.
For those interested, the technical details of the vulnerability can be found at https://drownattack.com/drown-attack-paper.pdf