What is the DROWN vulnerability and how can I prevent it?
This FAQ will explain the DROWN vulnerability and show you what you can do to protect your server.
The DROWN vulnerability is a vulnerability in the SSL/TLS system which is designed to protect sensitive information, including personal data, banking details and passwords.
DROWN, which stands for Decrypting RSA with Obsolete and Weakened eNcryption, takes advantage of a server if it supports SSLv2. SSLv2 is an obsolete system which has been surpassed by newer, more effective security. However, some servers do still support SSLv2 which malicious users can use to circumvent more effective security such as TLS.
How do I know if I am affected by DROWN?
There is a quick and easy test you can use to see if you are affected by DROWN. Simply visit https://test.drownattack.com/ and enter your server’s IP address and click on the Check for DROWN vulnerability button, you will then be informed whether your server is at risk.
How can I fix my affected server?
Self-managed customers should look to update OpenSSL by using either:
yum update openssl
apt-get update openssl
Ubuntu users should also use:
apt-get update;apt-get dist-upgrade
This will patch the vulnerability in the OpenSLL package, but won’t patch the underlying vulnerability with SSLv2.
We recommend removing SSLv2 completely from your server; you can do so by following the instructions found here https://kb.odin.com/en/123160. Please note, these instructions relate to SSLv3, but will remove v2 on most services. We recommend doing each step manually, as this will help to prevent any server issues.
You can test individual services to see if they support SSLv2 by using the following command:
openssl s_client -connect [ip]:[port] -ssl2
openssl s_client -connect 126.96.36.199:443 -ssl2
If you would prefer that a member of our support team managed these updates for you, we would be able to provide this service for a one off fee of £50. If you would like to take up this option, please contact our support team.