DROWN Attack on SSLv2 (CVE-2016-0800)


Briefing

Summaries


Vulnerabilities

Analysis

Remediation

If running Apache, seriously consider turning on SSL logging in advance everywhere that you can. This will build up a history of which clients are negotiating which protocols and ciphers, to inform decision-making for the next fire.

SSLOptions +StdEnvVars
CustomLog /path/to/ssl.log  "%t %h %{REMOTE_USER}x \"%{User-agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x "

Enabling SSL protocol and cipher logging is also very useful for tracking how improvements in cipher order affect your customers over time.
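
To put that history to use, the following added example (not part of the original page) parses lines written in the CustomLog format above and reports which protocol and cipher pairs are in use and which clients still negotiate legacy protocols. The names summarize, LEGACY_PROTOCOLS and SAMPLE are hypothetical, and the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches the CustomLog format above:
#   %t %h %{REMOTE_USER}x "%{User-agent}i" %{SSL_PROTOCOL}x %{SSL_CIPHER}x
# Apache writes a literal quote inside the User-agent as \" so allow escapes.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<user>\S+) '
    r'"(?P<agent>(?:[^"\\]|\\.)*)" (?P<proto>\S+) (?P<cipher>\S+)\s*$'
)

# Assumption: the protocols you plan to switch off; adjust to local policy.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}

def summarize(lines):
    """Return (counts per (protocol, cipher), legacy clients, unparsed lines)."""
    counts = Counter()
    legacy = defaultdict(set)   # host -> user agents seen on a legacy protocol
    unparsed = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m is None:
            unparsed.append(line)   # keep for review rather than drop silently
            continue
        proto, cipher = m["proto"], m["cipher"]
        if proto == "-":            # request was not over SSL/TLS
            continue
        counts[(proto, cipher)] += 1
        if proto in LEGACY_PROTOCOLS:
            legacy[m["host"]].add(m["agent"])
    return counts, dict(legacy), unparsed

# Constructed sample lines (documentation IP ranges, made-up clients).
SAMPLE = [
    r'[02/Mar/2016:10:15:32 +0000] 192.0.2.10 - "Mozilla/5.0 (X11) Firefox/44.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 ',
    r'[02/Mar/2016:10:15:40 +0000] 198.51.100.7 alice "LegacyClient/1.0 \"batch\"" SSLv3 RC4-SHA ',
    r'[02/Mar/2016:10:16:01 +0000] 198.51.100.7 alice "LegacyClient/1.0 \"batch\"" SSLv3 RC4-SHA ',
    r'[02/Mar/2016:10:16:05 +0000] 203.0.113.5 - "curl/7.47.0" - - ',
    'truncated line',
]

if __name__ == "__main__":
    counts, legacy, unparsed = summarize(SAMPLE)
    for (proto, cipher), n in counts.most_common():
        print(f"{n:6d}  {proto:8s} {cipher}")
    for host, agents in sorted(legacy.items()):
        print(f"legacy client {host}: {sorted(agents)}")
    print(f"{len(unparsed)} unparsed line(s)")
```

Run it over the accumulated ssl.log before and after a protocol or cipher-order change to see which clients the change would affect.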

Products

Affected

Not affected

Detection and testers

Exploitation

No public exploits yet known, as of 2016-03-02.
The DROWN attack is nuanced and non-trivial to implement, so we will likely not see immediate exploitation. - OpenSSL team, 2016-03-01

News and posts

