The latest OpenSSL update (1.0.2g and 1.0.1s, released on March 1st, 2016) fixed, among other bugs, the vulnerability known as DROWN.
Put briefly: if an attacker can reach any server that still speaks SSLv2, that server acts as a decryption oracle, and the attacker can decrypt TLS sessions negotiated with RSA key exchange against every other server that uses the same RSA private key. The private key itself is not recovered, but the sessions it protects are.
A more detailed description of the attack is out of the scope of this blog article; it can be found on the "official" website, https://drownattack.com/.
Current operating systems have shipped OpenSSL with SSLv2 disabled for quite some time now; Debian did so in 2010: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706
However, a lot of organizations are still running legacy versions of operating systems for various reasons, being left in the cold with no security updates available.
This was also the case for us, as we are still managing some Debian squeeze and Debian lenny systems.
Debian packages for squeeze and lenny
As soon as patches became available, our team started building updated OpenSSL packages for both Debian squeeze and Debian lenny, which disable SSLv2 entirely. These updated packages contain the same patches as applied in CentOS.
As a service to the Internet community, we have made available both source and binary packages for these Debian versions at https://github.com/anexia-it/debian-packages.
DROWN check script
We needed a way to remotely check if services were vulnerable. As the lookup tool on the DROWN attack website only uses old data at the time of this writing, we created a shell script which implements DROWN vulnerability checks.
The script very much resembles our winshock test script, but it requires an old OpenSSL build with SSLv2 still compiled in: current distribution builds of OpenSSL cannot even initiate an SSLv2 handshake, so the script does not run on an up-to-date system.
In order to simplify use of the script, we are providing a docker image, based on Debian squeeze.
The script itself and the Dockerfile used to build the image are both available from GitHub.
If you want to give the script a try, using it is as simple as running:
docker pull anexia/drowncheck:latest
docker run --rm=true -t -i anexia/drowncheck:latest 10.0.0.2 443
Simply replace 10.0.0.2 with the IP address of the server you want to check and 443 with the service's port.
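To make clear what such a check actually does on the wire, here is a small SSLv2 probe written for this article; it is an added example, not the drowncheck script or its Dockerfile, and unlike the script it needs no SSLv2-capable OpenSSL because it builds the SSLv2 CLIENT-HELLO itself. It sends the CLIENT-HELLO, and treats an SSLv2 SERVER-HELLO as "SSLv2 enabled" while a TLS alert, an empty reply or a reset counts as "disabled". It also lists the cipher kinds the server echoes back, since the general DROWN attack relies on the server accepting a 40-bit export cipher. The placeholder certificate bytes and connection ID in `sample_server_hello()` are constructed for the offline demonstration, not captured from a real host.

```python
"""Minimal SSLv2 handshake probe (added example, not the Anexia drowncheck script)."""
import socket
import struct
from typing import Optional

# SSLv2 cipher kinds: 3-byte CIPHER-SPEC values from the SSL 2.0 specification.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# 40-bit export kinds; the general DROWN attack needs the server to accept one of these.
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every cipher kind, no session ID, 16-byte challenge."""
    ciphers = b"".join(SSL2_CIPHERS)
    body = (bytes([MSG_CLIENT_HELLO]) + b"\x00\x02"            # CLIENT-VERSION 2.0
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    # 2-byte record header: high bit set, 15-bit length, no padding byte.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes) -> Optional[dict]:
    """Return cipher details if `data` is an SSLv2 SERVER-HELLO, else None.

    A TLS alert record (0x15 ...) or an empty reply falls through to None,
    which is the expected result from a server with SSLv2 disabled.
    """
    if len(data) < 3:
        return None
    if data[0] & 0x80:                       # 2-byte header, no padding
        length, body = ((data[0] & 0x7F) << 8) | data[1], data[2:]
    else:                                    # 3-byte header, third byte is padding length
        length, body = ((data[0] & 0x3F) << 8) | data[1], data[3:]
    body = body[:length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    cert_type, version = body[2], (body[3], body[4])
    cert_len, spec_len, conn_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    kinds = [specs[i:i + 3] for i in range(0, len(specs) - len(specs) % 3, 3)]
    return {
        "version": version,
        "certificate_type": cert_type,
        "certificate_length": cert_len,
        "ciphers": [SSL2_CIPHERS.get(k, k.hex()) for k in kinds],
        "export_ciphers": [SSL2_CIPHERS[k] for k in kinds if k in EXPORT_CIPHERS],
    }


def probe(host: str, port: int, timeout: float = 5.0) -> Optional[dict]:
    """Connect, send a CLIENT-HELLO and return the parsed SERVER-HELLO, or None if SSLv2 is refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            reply = s.recv(4096)
    except OSError:                          # reset, refused, timeout: no SSLv2 here
        return None
    return parse_server_hello(reply)


def sample_server_hello() -> bytes:
    """Constructed SERVER-HELLO for offline use (not captured from a real host):
    3-byte placeholder certificate, RC4-128 plus RC4-40 export cipher, 16-byte connection ID."""
    body = (bytes([MSG_SERVER_HELLO]) + b"\x00" + b"\x01" + b"\x00\x02"   # no session hit, X.509, v2.0
            + struct.pack(">HHH", 3, 6, 16)
            + b"\x30\x00\x00" + b"\x01\x00\x80" + b"\x02\x00\x80" + b"\xaa" * 16)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        result = probe(sys.argv[1], int(sys.argv[2]))          # e.g. 10.0.0.2 443
    else:
        result = parse_server_hello(sample_server_hello())     # offline demonstration
    if result is None:
        print("no SSLv2 SERVER-HELLO: SSLv2 appears disabled")
    else:
        print("SSLv2 SERVER-HELLO received; ciphers:", result["ciphers"])
        if result["export_ciphers"]:
            print("export ciphers accepted (general DROWN):", result["export_ciphers"])
```

Run it as `python3 probe.py 10.0.0.2 443` against a host you are allowed to test; a positive result only tells you that this endpoint speaks SSLv2, so remember that every other service sharing the same RSA key (a mail server reusing the web certificate, for instance) is exposed as well.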