nginx ssl drown attack

Learn how to protect from SSL Drown Attack in AWS ELB , Apache and Nginx.  DROWN, stands for Decrypting RSA using Obsolete and Weakened eNcryption and is a Man-in-the-Middle (MITM) attack against servers running TLS for secure communications. On 1-March-2016, academic researcher uncover the DROWN vulnerability.

Problem

The SSL DROWN vulnerability has received the CVE identifier number as cve-2016-0800. For more detail, you can also read OpenSSL security advisory for DROWN.

Solution

Disabling the SSLv2 is the solution against SSL DROWN vulnerability. Also note that, SSLv2 is already deprecated but still there are millions of website which are still running with SSLv2 protocol.

NOTE: In 2014, we have already seen the POODLE attack where SSL v3 was vulnerable. Hence, SSLv3 should be disable also.

AWS has recently published the solution for SSL Drown vulenerability in its Security Advisory bulletin.

Solution For SSL DROWN vulnerability in AWS ELB

Because of POODLE and DROWN vulnerability now AWS also disable the SSLv2 and SSLv3 from its predefined ELB Security Policy. AWS recommends to use the predefined ELB Security Policy called ELBSecurityPolicy-2015-05.

Follow the given below steps in AWS ELB –

SSL DROWN
Source: https://aws.amazon.com/security/security-bulletins/cve-2016-0800-advisory/

Solution For SSL DROWN vulnerability in Apache Webserver

We will disable SSLv2 and SSLv3 both protocols . SSLv2 is for DROWN and SSLv3 is for POODLE vulnerability.
In Apache webserver configuration file, find the SSL section and edit/add the line as given below.

SSLProtocol all -SSLv3 -SSLv2

Restart the Apache service after editing the Apache configuration file.

## In Debian/Ubuntu

sudo service apache2 restart
## In RHEL 5.x,6.x / CentOS 5.x,6.x

sudo service httpd restart
## In RHEL 7.x / CentOS 7.x

sudo systemctl restart httpd.service

Solution For SSL DROWN/POODLE vulnerability in Nginx Webserver

In Nginx configuration file, we will disable the SSLv2 and SSLv3 both. As already described in above section, disabling SSLv2 is for DROWN and SSLv3 is for POODLE.

Find the SSL block in Nginx config file and edit the line as given below.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Now restart the Nginx webserver.

## In Debian/Ubuntu

sudo service nginx restart
## In RHEL 5.x,6.x / CentOS 5.x,6.x

sudo service nginx restart
## In RHEL 7.x / CentOS 7.x

sudo systemctl restart nginx.service

How to check SSL Drown vulnerability

You can check SSL Drown vulnerability through online tool.

As a Linux System Admin of your infrastructure, we recommend to check via command line. And is the command to check SSL/TLS ciphers. In output it will show if SSLv2 or SSLv3 is enabled.

nmap --script ssl-cert,ssl-enum-ciphers -p 443 [hostname-or-IP-address]

NOTE:Install nmap for using above command.

It may be possible, network is secured with nmap scan. This generally you can find with CDN providers which do not allow nmap scan.

We have another alternate command in case nmap do not provide satisfactory result.

By using openssl command, you can check the SSLv2 and SSLv3 protocol status.

Note: Replace example.com with your target domain name/website name.

To check SSLv2

openssl s_client -ssl2 -connect example.com:443

To check SSLv3

openssl s_client -ssl3 -connect example.com:443

If SSLv2/SSLv3 is disbaled you will receive the error.The error may be something like this –

419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
420:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

In case of SSLv2/SSLv3 is enabled, the connection will be established and show more details.

Read Some More Articles

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.