Decrypting RSA with Obsolete and Weakened Encryption (DROWN) is a vulnerability in servers that support Secure Sockets Layer (SSL) version 2.0. It is a form of cross-platform Bleichenbacher padding oracle attack and would allow a threat actor that is able to perform an interception attack to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key.
This effectively means that an attack can be successful even if clients are not utilising SSLv2 and if the targeted server itself does not support SSLv2 but another server does and uses the same private key. This attack was demonstrated as practical in 2016.
This attack would allow a threat actor to decrypt a connection between the client and server and therefore may disclose sensitive information such as passwords and session tokens.
It is recommended that:
- All versions of SSL are disabled
Although this attack specifically impacts SSLv2, all version of SSL are deprecated and should be therefore disabled.
References
TLS/SSL Vulnerabilities
Look, there’s a whole bunch of vulnerabilities in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) and it can be difficult to keep up with them all, even if they have fancy names and logos! So here’s a quick summary of each for you:| Play | Cover | Release Label |
Track Title Track Authors |
|---|