Learn how to protect against the SSL DROWN attack in AWS ELB, Apache and Nginx. DROWN stands for Decrypting RSA using Obsolete and Weakened eNcryption and is a Man-in-the-Middle (MITM) attack against servers running TLS for secure communications. On 1-March-2016, academic researchers uncovered the DROWN vulnerability.
Problem
The SSL DROWN vulnerability has been assigned the CVE identifier CVE-2016-0800. For more detail, you can also read the OpenSSL security advisory for DROWN.
Solution
Disabling SSLv2 is the solution against the SSL DROWN vulnerability. Note that SSLv2 is already deprecated, but there are still millions of websites running with the SSLv2 protocol.
NOTE: In 2014, we already saw the POODLE attack, to which SSLv3 was vulnerable. Hence, SSLv3 should be disabled as well.
AWS has recently published the solution for the SSL DROWN vulnerability in its Security Advisory bulletin.
Solution For SSL DROWN vulnerability in AWS ELB
Because of the POODLE and DROWN vulnerabilities, AWS has now also disabled SSLv2 and SSLv3 in its predefined ELB Security Policy. AWS recommends using the predefined ELB Security Policy called ELBSecurityPolicy-2015-05.
Follow the steps given below in AWS ELB –
Solution For SSL DROWN vulnerability in Apache Webserver
We will disable both the SSLv2 and SSLv3 protocols. Disabling SSLv2 addresses DROWN and disabling SSLv3 addresses the POODLE vulnerability.
In the Apache webserver configuration file, find the SSL section and edit/add the line as given below.
SSLProtocol all -SSLv3 -SSLv2
Restart the Apache service after editing the Apache configuration file.
## In Debian/Ubuntu
sudo service apache2 restart
## In RHEL 5.x,6.x / CentOS 5.x,6.x
sudo service httpd restart
## In RHEL 7.x / CentOS 7.x
sudo systemctl restart httpd.service
Solution For SSL DROWN/POODLE vulnerability in Nginx Webserver
In the Nginx configuration file, we will disable both SSLv2 and SSLv3. As already described in the section above, disabling SSLv2 addresses DROWN and disabling SSLv3 addresses POODLE.
Find the SSL block in the Nginx config file and edit the line as given below.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Now restart the Nginx webserver.
## In Debian/Ubuntu
sudo service nginx restart
## In RHEL 5.x,6.x / CentOS 5.x,6.x
sudo service nginx restart
## In RHEL 7.x / CentOS 7.x
sudo systemctl restart nginx.service
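To confirm the edits from the Apache and Nginx sections before restarting, the following added example (not part of the original article) scans configuration text for SSLProtocol and ssl_protocols lines that still leave SSLv2 or SSLv3 enabled. The function names and the sample configuration are constructed for illustration, and the script deliberately treats "all" as including both weak protocols.

```shell
# Added example (not from the original article): flag Apache SSLProtocol and
# Nginx ssl_protocols directives that leave SSLv2 (DROWN) or SSLv3 (POODLE) on.

# weak_protocols "<directive line>": print the weak protocols the line enables.
# Conservative assumptions: "all" counts as including SSLv2 and SSLv3, and an
# unprefixed token enables a protocol (Apache +/- prefixes are honoured).
weak_protocols() {
    line=$(printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/;[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]')
    set -f; set -- $line; set +f        # split into words without globbing
    case ${1:-} in
        sslprotocol|ssl_protocols) shift ;;
        *) return 0 ;;                  # not a protocol directive
    esac
    v2=0; v3=0
    for tok in "$@"; do
        case $tok in
            -*) on=0; name=${tok#-} ;;  # Apache: remove protocol
            +*) on=1; name=${tok#+} ;;  # Apache: add protocol
            *)  on=1; name=$tok ;;      # plain token: protocol listed as enabled
        esac
        case $name in
            all)   v2=$on; v3=$on ;;
            sslv2) v2=$on ;;
            sslv3) v3=$on ;;
        esac
    done
    out=
    if [ "$v2" -eq 1 ]; then out=SSLv2; fi
    if [ "$v3" -eq 1 ]; then out="${out:+$out }SSLv3"; fi
    printf '%s' "$out"
}

# audit_conf: read a config on stdin, print one finding per offending line.
audit_conf() {
    n=0
    while IFS= read -r cfg || [ -n "$cfg" ]; do
        n=$((n + 1))
        weak=$(weak_protocols "$cfg")
        if [ -n "$weak" ]; then echo "line $n: $weak still enabled"; fi
    done
}

# Constructed sample: the article's two hardened lines plus one weak line.
audit_conf <<'EOF'
SSLProtocol all -SSLv3 -SSLv2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols SSLv3 TLSv1;   # weak: SSLv3 left on
EOF
```

To audit a real file, feed it on standard input, for example audit_conf < /path/to/your/ssl.conf (placeholder path).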
How to check SSL DROWN vulnerability
You can check for the SSL DROWN vulnerability through an online tool.
For the Linux system admin of your infrastructure, we recommend checking via the command line. Below is the command to check SSL/TLS ciphers. Its output will show whether SSLv2 or SSLv3 is enabled.
nmap --script ssl-cert,ssl-enum-ciphers -p 443 [hostname-or-IP-address]
NOTE: Install nmap to use the above command.
It is possible that the network is protected against nmap scans. You will generally find this with CDN providers, which do not allow nmap scans.
We have an alternative command in case nmap does not provide a satisfactory result.
By using the openssl command, you can check the SSLv2 and SSLv3 protocol status.
Note: Replace example.com with your target domain name/website name.
To check SSLv2
openssl s_client -ssl2 -connect example.com:443
To check SSLv3
openssl s_client -ssl3 -connect example.com:443
If SSLv2/SSLv3 is disabled, you will receive an error. The error may look something like this –
419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
420:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
If SSLv2/SSLv3 is enabled, the connection will be established and more details will be shown.