
DROWN Vulnerability — More Like A Doggy Paddle

David Robinson

Key Points

You may have heard of the new DROWN vulnerability as it’s been in the news a fair bit over the past couple of days.

We’re glad to say, we’ve already checked our customers’ systems, but, even if you’re not using Intruder’s continuous monitoring service yet, DROWN isn’t something to get in a panic about.

If successfully exploited, the DROWN vulnerability can allow an attacker to decrypt encrypted network traffic between a client and server. It is, however, not easy to exploit, and the following conditions must hold for it to be exploitable:

  • The target server must support SSLv2, or share a key with a server which supports SSLv2 (which is usually disabled by default on modern services).
  • The attacker must also be in a position to intercept the traffic between the client and the vulnerable server (e.g. on the same shared Wi-Fi connection).

As it’s a theoretically possible attack but difficult to exploit in practice, we do not expect to see widespread exploitation of DROWN. That said, all your servers should already be using TLS to secure communications instead of the long-deprecated SSL protocols.
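The first condition above is the one you can verify for yourself: does a server you operate still answer an SSLv2 handshake? The script below is an added example, not code from the original post or from Intruder; it builds an SSLv2 CLIENT-HELLO from the draft specification, sends it, and parses any SERVER-HELLO that comes back. The host and port are whatever you supply (assumed to be your own servers), and the SERVER-HELLO bytes used as sample input are constructed here, not captured from a real server. Remember the second half of that condition: a host that has SSLv2 disabled is still exposed if the same certificate key is served by another host that does not, so every host using that key needs the same check.

```python
"""Check whether a server still accepts SSLv2 (added example, not from the post)."""
import os
import socket
import struct

# Cipher kinds defined by the SSLv2 draft specification, 3 bytes each.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record that offers every SSLv2 cipher kind."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = (
        b"\x01"                                   # MSG-CLIENT-HELLO
        + b"\x00\x02"                             # CLIENT-VERSION = SSLv2
        + struct.pack(">HHH", len(specs), 0, len(challenge))
        + specs + challenge                       # no session id
    )
    # 2-byte record header: high bit set means "no padding", low 15 bits = length
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data):
    """Return the cipher kinds an SSLv2 SERVER-HELLO offers, or None when the
    reply is not a valid SERVER-HELLO (a TLS alert, a closed socket, garbage)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:         # MSG-SERVER-HELLO
        return None
    version = struct.unpack(">H", body[3:5])[0]   # body[1]=session hit, body[2]=cert type
    cert_len, spec_len, conn_len = struct.unpack(">HHH", body[5:11])
    if version != 0x0002 or len(body) < 11 + cert_len + spec_len + conn_len:
        return None
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs), 3)]


def probe(host, port=443, timeout=5):
    """Send one CLIENT-HELLO to host:port; a non-None result means SSLv2 is enabled."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return parse_server_hello(data)


# Constructed sample reply (not a real capture): SERVER-HELLO, no certificate,
# two cipher kinds offered, 16-byte connection id.  Body is 11 + 6 + 16 = 33 bytes.
SAMPLE_SERVER_HELLO = (
    b"\x80\x21"                                   # record header, length 33
    + b"\x04\x00\x01\x00\x02"                     # type, session hit, cert type, version 2
    + struct.pack(">HHH", 0, 6, 16)               # cert len, cipher specs len, conn id len
    + b"\x01\x00\x80" + b"\x07\x00\xc0"           # RC4-128-MD5, 3DES-MD5
    + b"\x00" * 16                                # connection id
)

# Constructed sample of what a server with SSLv2 disabled typically sends back:
# a TLS alert record (protocol_version), which is not an SSLv2 record at all.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
        print("SSLv2 ENABLED, ciphers offered:", result) if result else print("SSLv2 not accepted")
    else:
        print(parse_server_hello(SAMPLE_SERVER_HELLO), parse_server_hello(SAMPLE_TLS_ALERT))
```

Run it as `python check_sslv2.py your.host.example 443`; with no arguments it only parses the two constructed samples. A `None` result means the server did not complete an SSLv2 handshake, which is what every host serving a given key should return.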

For those interested, the technical details of the vulnerability can be found at https://drownattack.com/drown-attack-paper.pdf
