
Prevent SSL DROWN attacks

DROWN (Decrypting RSA with Obsolete and Weakened encryption) is an attack on the old SSL v2 protocol version. Read here how you can prevent SSL DROWN.

Security assessment


CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability information

A group of security researchers publicly announced the DROWN attack in March 2016, and it was assigned CVE-2016-0800. The full technical description of the attack is available in the paper DROWN: Breaking TLS using SSLv2.

DROWN combines several tactics to achieve its goal. On the one hand, it is a cross-protocol attack, which means that part of its strategy is to use the differences between protocol versions to exploit a vulnerability present in the SSLv2 protocol.

It is also a Bleichenbacher padding oracle attack (i.e., a chosen-ciphertext attack). Once the attacker has exploited the cross-protocol vulnerability, they send thousands of modified handshake messages to the server and monitor its responses. Because of how the server responds to an RSA key exchange under SSLv2, the attacker can slowly gather pieces of the session key until it is revealed entirely. As a result, any kind of server is at risk, including web servers and mail servers.

There are two main types of DROWN attack: general DROWN and special DROWN.

General DROWN exploits the RSA encryption of the master secret in SSLv2, whereas special DROWN exploits a vulnerability in OpenSSL's implementation of SSLv2. As a result, the latter attack is significantly more accessible, cheaper, and faster to execute.

Prevent attacks

To prevent exposure to DROWN, server operators must ensure that their servers do not support SSLv2 or its cipher suites. They must also ensure that a server's private key is not used anywhere else, for example on other web servers, on email servers (SMTP, IMAP, or POP), or on any other server software that accepts SSLv2 connections.
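Both conditions above can be checked from an inventory of endpoints. The following is an added example (not code from the original page): it takes a constructed list of services with hypothetical hostnames and key fingerprints, flags every endpoint that speaks SSLv2 and every endpoint whose RSA key is shared with one that does, and also inspects Apache `SSLProtocol` / nginx `ssl_protocols` lines for SSLv2 still being enabled.

```python
import re

# Constructed inventory of TLS endpoints (hypothetical hosts and key
# fingerprints): the protocol versions each one accepts and the SHA-256
# fingerprint of the public key in its certificate.
INVENTORY = [
    {"service": "https://www.example.com:443",
     "key_fp": "KEY-A", "protocols": {"TLSv1.2", "TLSv1.3"}},
    {"service": "smtps://mail.example.com:465",
     "key_fp": "KEY-A", "protocols": {"SSLv2", "TLSv1.0", "TLSv1.2"}},
    {"service": "imaps://mail.example.com:993",
     "key_fp": "KEY-B", "protocols": {"TLSv1.2"}},
]


def drown_findings(inventory):
    """Return (service, reason) pairs that need remediation.

    An endpoint is exposed either because it speaks SSLv2 itself or because
    its RSA key is also presented by an endpoint that speaks SSLv2: the
    SSLv2 oracle on that other host decrypts this endpoint's RSA sessions.
    """
    sslv2_keys = {e["key_fp"] for e in inventory if "SSLv2" in e["protocols"]}
    findings = []
    for e in inventory:
        if "SSLv2" in e["protocols"]:
            findings.append((e["service"], "accepts SSLv2; disable it"))
        elif e["key_fp"] in sslv2_keys:
            findings.append((e["service"],
                             "shares its RSA key with an SSLv2-capable endpoint"))
    return findings


_DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.I)


def config_allows_sslv2(line):
    """True if an Apache 'SSLProtocol' or nginx 'ssl_protocols' line still
    permits SSLv2; None if the line is not one of those directives.

    Apache's 'all' keyword is treated conservatively as including SSLv2
    unless the same line also carries '-SSLv2'.
    """
    m = _DIRECTIVE.match(line)
    if not m:
        return None
    tokens = [t.lower() for t in m.group(2).split()]
    if "-sslv2" in tokens:
        return False
    return any(t in ("sslv2", "+sslv2", "all") for t in tokens)


if __name__ == "__main__":
    for service, reason in drown_findings(INVENTORY):
        print(f"{service}: {reason}")
```

Note that the TLS-only web server is flagged purely because its key is reused on the SSLv2-capable mail server, which is the case the second mitigation above addresses.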

To learn more about preventing DROWN and other similar security vulnerabilities, see securing TLS configuration.

To prevent DROWN, do not use the deprecated SSL v2 protocol version.