How to Fix the SSLv2 DROWN Vulnerability

A recently published vulnerability that has been called DROWN allows an attacker to take advantage of the weak SSL protocol SSLv2 in two ways.

  • A server that has SSLv2 enabled can be used to attack any other servers that reuse the same RSA key, even servers that don’t themselves support SSLv2. This attack is generic (CVE-2016-0800) and affects any protocol implementation.
  • A server that has SSLv2 enabled and is also running a vulnerable version of OpenSSL (CVE-2016-0703) can be used to attack all other hostnames that appear in its certificate.

This means that no server should have SSLv2 enabled at this point.

If you are using the latest version of cPanel with the default options, SSLv2 is already disabled, but you may not be safe.

If you have any servers using SSLv2, and a shared certificate or hostname, you are vulnerable.

In the following example, even though servers 1 and 3 have SSLv2 disabled, all of the servers are vulnerable:

Server     SSLv2      Hostname
server 1   disabled   server1.example.com
server 2   enabled    server2.example.com
server 3   disabled   server3.example.com

To protect yourself, you can check for DROWN using the Qualys SSL Tester.

If your server shows up as vulnerable, check all servers that are using the same hostname or wildcard certificate, as at least one of them is the source of the vulnerability.
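To find which server is the source, the check described above can be run over your own inventory. The following is an added example, not code from the original article: the inventory, the key labels (KEY-A and so on, standing in for RSA public-key fingerprints) and the function names are constructed. It treats every hostname on an SSLv2 server's certificate as exposed, since the inventory does not record the OpenSSL version.

```python
from collections import defaultdict

# Constructed inventory. "key" is a placeholder label standing in for a
# fingerprint of the server's RSA public key; "cert_names" are the names on
# the certificate that server presents.
INVENTORY = [
    {"host": "server1.example.com", "sslv2": False, "key": "KEY-A", "cert_names": ["*.example.com"]},
    {"host": "server2.example.com", "sslv2": True, "key": "KEY-A", "cert_names": ["*.example.com"]},
    {"host": "server3.example.com", "sslv2": False, "key": "KEY-A", "cert_names": ["*.example.com"]},
    {"host": "legacy.example.org", "sslv2": True, "key": "KEY-B",
     "cert_names": ["legacy.example.org", "shop.example.org"]},
    {"host": "shop.example.org", "sslv2": False, "key": "KEY-C", "cert_names": ["shop.example.org"]},
    {"host": "mail.example.net", "sslv2": False, "key": "KEY-D", "cert_names": ["mail.example.net"]},
]

def name_matches(pattern, host):
    """True if a certificate name covers host; '*' stands for one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def drown_exposure(inventory):
    """Map each exposed host to [(SSLv2 source host, reason), ...]."""
    sources = [s for s in inventory if s["sslv2"]]
    exposure = defaultdict(list)
    for srv in inventory:
        for src in sources:
            if src is srv:
                reason = "SSLv2 enabled here"
            elif src["key"] == srv["key"]:
                reason = "same RSA key"
            elif any(name_matches(n, srv["host"]) for n in src["cert_names"]):
                reason = "hostname on source certificate"
            else:
                continue  # this SSLv2 server does not expose srv
            exposure[srv["host"]].append((src["host"], reason))
    return dict(exposure)

if __name__ == "__main__":
    for host, why in sorted(drown_exposure(INVENTORY).items()):
        print(host, "<-", why)
```

Hosts that do not appear in the result share neither a key nor a certificate name with any SSLv2-enabled server in the inventory.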