An OpenSSL security hole allows Secure Sockets Layer version 2 (SSLv2) to be used to attack modern web sites. Even though this is an ancient, long-deprecated security protocol, the flaw is estimated to be able to "kill" at least one-third of all HTTPS servers (approx. 11.5 million servers).
The attack is dubbed DROWN, short for Decrypting RSA with Obsolete and Weakened eNcryption.
Obsolete Microsoft Internet Information Services (IIS) versions 7 and earlier are vulnerable as well, as are versions of Network Security Services (NSS), a common cryptographic library built into many server products, prior to 3.13 (released in 2012).
OpenSSL 1.0.2 users should upgrade to 1.0.2g.
OpenSSL 1.0.1 users should upgrade to 1.0.1s.
If you're using another version, move up to 1.0.2g or 1.0.1s.
OpenSSL 1.0.2g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):
- http://www.openssl.org/source/
- ftp://ftp.openssl.org/source/
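To check a fleet against the upgrade guidance above, the following added example (not code from OpenSSL or from the DROWN authors) classifies `openssl version` banners by branch and patch letter; the sample banners are constructed, and the result only reflects the version thresholds stated in this post, not whether SSLv2 is actually disabled on the server.

```python
import re

# Minimum patched release per OpenSSL branch, taken from the advisory above.
PATCHED = {"1.0.2": "g", "1.0.1": "s"}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Extract (branch, patch_letters) from an `openssl version` banner.

    Example banner (constructed): 'OpenSSL 1.0.2f 28 Jan 2016'.
    Returns None when the banner is not an OpenSSL version line.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), m.group(2)


def patch_rank(letters):
    """Order OpenSSL patch-letter suffixes: '' < 'a' < 'b' < ... < 'z' < 'za'.

    A bare release (no letter) sorts before every lettered release, and a
    longer suffix sorts after every shorter one.
    """
    return (len(letters), letters)


def drown_fix_status(banner):
    """Classify a version banner against the upgrade guidance in the post.

    Returns 'patched', 'vulnerable-upgrade-to-<version>',
    'unsupported-branch' (neither 1.0.1 nor 1.0.2) or 'unrecognised'.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unrecognised"
    branch, letters = parsed
    if branch not in PATCHED:
        # Not a 1.0.1/1.0.2 build: the advice is to move to 1.0.2g or 1.0.1s.
        return "unsupported-branch"
    if patch_rank(letters) >= patch_rank(PATCHED[branch]):
        return "patched"
    return "vulnerable-upgrade-to-%s%s" % (branch, PATCHED[branch])


if __name__ == "__main__":
    # Constructed sample banners, not real scan output.
    for line in ("OpenSSL 1.0.2f 28 Jan 2016", "OpenSSL 1.0.2g  1 Mar 2016",
                 "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.0t 3 Dec 2015",
                 "LibreSSL 2.2.7"):
        print("%-30s %s" % (line, drown_fix_status(line)))
```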
For further information on the issue, please visit the site: https://drownattack.com
Migration/Protection: https://drownattack.com/#mitigation
Instructions for Apache: https://drownattack.com/apache.html
Instructions for Postfix: https://drownattack.com/postfix.html
Instructions for Nginx: https://drownattack.com/nginx.html
Scanner: https://github.com/nimia/public_drown_scanner