bch

2016-03-01 OpenSSL Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800 and CVE-2016-0703)

A number of OpenSSL security vulnerabilities were announced on 2016-03-01 that affect to the versions of OpenSSL currently in use. The most significant one were CVE-2016-0800 and CVE-2016-0703, which allows an attacker to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.

All the Bitnami-packaged applications are NOT VULNERABLE because Apache disables SSLv2 and EXPORT algorithms for HTTPS by default. Having say that, it is recommended to update the OpenSSL version of your system for other services following the next steps.

Secure the system

Ubuntu and Debian

Follow the steps below:

  • Update the system OpenSSL library with these commands:

    $ sudo apt-get update
    $ sudo apt-get install -y openssl libssl1.0.0
    
  • Check that the version was updated:

    $ /usr/bin/openssl version -a
    OpenSSL 1.0.1f 6 Jan 2014
    built on: Mon Feb 29 18:11:15 UTC 2016
    
  • Restart any service using libssl:

    $ sudo /opt/bitnami/ctlscript.sh restart
    

RedHat Enterprise Linux, Oracle Linux and CentOS

Follow the steps below:

  • Update the system OpenSSL library with these commands:

    $ sudo yum -y update openssl
    
  • Check that the version was updated:

    $ /usr/bin/openssl version -a
    OpenSSL 1.0.1e-fips 11 Feb 2013
    built on: Wed Feb 24 09:48:57 EST 2016
    
  • Restart any service using libssl:

    $ sudo /opt/bitnami/ctlscript.sh restart
    

Amazon Linux

These images are not affected by this issue. Read more.

Test the system

  • Browse to https://drownattack.com/ and check if your server is vulnerable.

  • DROWN Scanner is a tool scans for vulnerability to the DROWN attack against TLS. It is distributed under the GPLv2 license. Download it from Github and then run the commands below:

    $ python scanner.py localhost 443
    Testing localhost on port 443
    localhost: Case 3d; Server hello did not contain server hello
    localhost: Server is NOT vulnerable with cipher RC2_128_CBC_EXPORT40_WITH_MD5, Message: 3d: no tls
    
    localhost: Case 3d; Server hello did not contain server hello
    localhost: Server is NOT vulnerable with cipher RC4_128_EXPORT40_WITH_MD5, Message: 3d: no tls
    
    localhost: Case 3d; Server hello did not contain server hello
    localhost: Server is NOT vulnerable with cipher RC4_128_WITH_MD5, Message: 3d: no tls
    
    localhost: Case 3d; Server hello did not contain server hello
    localhost: Server is NOT vulnerable with cipher DES_64_CBC_WITH_MD5, Message: 3d: no tls