SSLv2 Cross-Protocol Session Decryption Vulnerability (DROWN)
Severity: Medium | Nessus Network Monitor Plugin ID 9127
Synopsis: The remote host may be affected by a vulnerability that would allow a remote attacker to decrypt previously captured TLS traffic.
Description: SSLv2 is a deprecated and insecure protocol. In its handshake the client sends an RSA-encrypted master key, and the way the server then behaves reveals whether that ciphertext decrypted to correctly padded data. This turns any SSLv2 server into a cross-protocol Bleichenbacher padding oracle (an adaptive chosen-ciphertext attack). An attacker who has captured TLS connections to a server can submit transformed versions of their RSA ciphertexts in a series of specially crafted SSLv2 connections to any server, on any host or port, that holds the same RSA private key. The captured connections can use any version of SSL or TLS, including TLS 1.2, provided they negotiated RSA key exchange under that key. Each SSLv2 response leaks a little information about the plaintext of the submitted ciphertext, that is, about the premaster secret of the victim TLS session. Enough queries recover it, and from it the session keys and the full plaintext of that TLS connection. Export-grade (40-bit) SSLv2 cipher suites make the attack far cheaper, because the attacker can brute-force the short key and read the oracle's answer directly from the server's reply.
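The precondition for the attack described above is simply that some server holding the key still answers an SSLv2 CLIENT-HELLO. The following is an added example, not the Nessus plugin's own detection logic: it builds an SSLv2 CLIENT-HELLO offering every SSLv2 cipher, parses the SERVER-HELLO, and reports whether SSLv2 is offered and which of the ciphers are export grade. Record and message layouts follow the SSLv2 draft specification; the certificate bytes and connection id used in the offline demo are constructed placeholders, and `probe()` is a hypothetical helper for running the same exchange against a live host.

```python
"""Added example (not the Nessus plugin's own code): SSLv2 CLIENT-HELLO /
SERVER-HELLO handling to check whether a server still speaks SSLv2, the
precondition for DROWN. Layouts follow the SSLv2 draft specification
(2-byte record header, 3-byte cipher kinds). Only probe() touches the network."""
import os
import socket
import struct
from typing import Dict, List, Optional

# SSLv2 cipher kinds from the draft spec; the two *_EXPORT40_* kinds are 40-bit.
SSLV2_CIPHERS: Dict[bytes, str] = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}
MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0x01, 0x04
SSLV2_VERSION = b"\x00\x02"


def sslv2_record(payload: bytes) -> bytes:
    """2-byte SSLv2 record header: high bit set, 15-bit length, no padding."""
    if len(payload) > 0x7FFF:
        raise ValueError("payload too long for a 2-byte SSLv2 record header")
    return struct.pack(">H", 0x8000 | len(payload)) + payload


def build_client_hello(ciphers=tuple(SSLV2_CIPHERS), challenge: Optional[bytes] = None) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher so the server reveals all it supports."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(ciphers)
    body = (bytes([MSG_CLIENT_HELLO]) + SSLV2_VERSION
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # no session id
            + specs + challenge)
    return sslv2_record(body)


def build_server_hello(cert: bytes, ciphers: List[bytes], conn_id: bytes) -> bytes:
    """SERVER-HELLO as an SSLv2 server sends it; used here to stage the offline demo."""
    specs = b"".join(ciphers)
    body = (bytes([MSG_SERVER_HELLO, 0x00, 0x01]) + SSLV2_VERSION  # no session hit, X.509 cert
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return sslv2_record(body)


def parse_server_hello(data: bytes) -> Optional[dict]:
    """Return SERVER-HELLO fields, or None when the reply is not an SSLv2 SERVER-HELLO
    (a TLS-only server answers with a TLS alert record, 0x15, or just closes)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    cert_len, spec_len, conn_len = struct.unpack(">HHH", body[5:11])
    if spec_len % 3 or len(body) < 11 + cert_len + spec_len + conn_len:
        return None
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    return {"version": body[3:5], "certificate": cert,
            "ciphers": [specs[i:i + 3] for i in range(0, spec_len, 3)]}


def assess(hello: Optional[dict]) -> dict:
    """Scanner-style finding: any SSLv2 SERVER-HELLO means this key can serve as a
    DROWN oracle for TLS sessions under the same RSA key; export suites make it cheap."""
    if hello is None:
        return {"sslv2_offered": False, "ciphers": [], "export_ciphers": []}
    names = [SSLV2_CIPHERS.get(c, c.hex()) for c in hello["ciphers"]]
    export = [SSLV2_CIPHERS[c] for c in hello["ciphers"] if c in EXPORT_CIPHERS]
    return {"sslv2_offered": True, "ciphers": names, "export_ciphers": export}


def recv_record(sock: socket.socket) -> bytes:
    """Read one complete SSLv2 record (or whatever non-SSLv2 bytes the server sent)."""
    hdr = sock.recv(2)
    if len(hdr) < 2 or not hdr[0] & 0x80:
        return hdr
    need = struct.unpack(">H", hdr)[0] & 0x7FFF
    buf = b""
    while len(buf) < need:
        chunk = sock.recv(need - len(buf))
        if not chunk:
            break
        buf += chunk
    return hdr + buf


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Hypothetical live check: one CLIENT-HELLO, one reply, one finding."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = recv_record(sock)
        except (socket.timeout, ConnectionError):
            reply = b""
    return assess(parse_server_hello(reply))


if __name__ == "__main__":
    # Offline demo with a constructed SERVER-HELLO (placeholder certificate bytes).
    demo = build_server_hello(b"\x30\x03\x02\x01\x00",
                              [b"\x01\x00\x80", b"\x02\x00\x80"], b"\x00" * 16)
    print(assess(parse_server_hello(demo)))
```

`probe()` only speaks raw SSL on the given port; services that reach TLS via STARTTLS (SMTP, IMAP, POP3) need the protocol preamble first, and those are exactly the services that most often reuse a web server's certificate. Compare the `certificate` field returned for each SSLv2 host with the TLS certificates in use to decide whether a finding on one host exposes sessions to another.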
Solution: Disable SSLv2 and export-grade cipher suites. Because the oracle lives on the SSLv2 server, hardening the TLS endpoint alone is not enough: ensure that no RSA private key (or certificate) used by a TLS service is also deployed on any host or service, including other protocols such as mail servers reusing the same certificate, that still accepts SSLv2 connections.
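A remediation example for the solution above, added here and not taken from the plugin page: an Apache httpd mod_ssl virtual host with the vulnerable settings beside the corrected ones. The directive names are real mod_ssl directives; the host name and certificate paths are placeholders.

```apache
# BEFORE (vulnerable): SSLv2 accepted and export-grade suites still allowed.
# Every TLS service anywhere that reuses /etc/ssl/private/example.key is exposed.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLProtocol all
    SSLCipherSuite ALL
</VirtualHost>

# AFTER (fixed): SSLv2 (and SSLv3) refused, export, NULL and RC4 suites removed.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!EXPORT:!RC4
    SSLHonorCipherOrder on
</VirtualHost>
```

Current httpd 2.4 builds against a current OpenSSL contain no SSLv2 code at all (OpenSSL 1.0.1s and 1.0.2g disabled SSLv2 by default and dropped its export suites), so the `-SSLv2` setting matters on legacy 2.2 and old OpenSSL deployments. The key-sharing requirement cannot be fixed inside one virtual host: inventory every service that loads `example.key`, apply the same protocol restriction there, and re-test each of them rather than only the web server.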