DROWN: Debian packages for squeeze, lenny and check script

Written on March 3, 2016 by Stephan Peijnik

The latest OpenSSL update, which was released on March 1st, fixed, among other bugs, a vulnerability named DROWN.

Putting it short, the attack allows obtaining the private key from a remote server if SSLv2 is enabled.

A more detailed description of the attack is out of the scope of this blog article can be found on the “official” website, https://drownattack.com/.

Recent operating systems have had SSLv2 disabled for quite some time now, like Debian did in 2010: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706

However, a lot of organizations are still running legacy versions of operating systems for various reasons, being left in the cold with no security updates available.

This was also the case for us, as we are still managing some Debian squeeze and Debian lenny systems.

Debian packages for squeeze and lenny

As soon as patches became available our team started building updated OpenSSL packages for both Debian squeeze and Debian lenny, which disable SSLv2 entirely. These updated packages contain the same patches as applied in CentOS.

As a service to the Internet community, we have made available both source and binary packages for these Debian versions at https://github.com/anexia-it/debian-packages.

DROWN check script

We needed a way to remotely check if services were vulnerable. As the lookup tool on the DROWN attack website only uses old data at the point of this writing, we created a shell script which implements DROWN vulnerability checks.

The script very much resembles our winshock test script, but requires an old version of OpenSSL with SSLv2 enabled to operate.

In order to simplify use of the script, we are providing a docker image, based on Debian squeeze.

The script itself and the Dockerfile used to build the image are both available from GitHub.

If you want to give the script a try, using it is as simple as running:

docker pull anexia/drowncheck:latest

docker run –rm=true -t -i anexia/drowncheck:latest 10.0.0.2 443

Simply replace 10.0.0.2 with the IP address of the server you want to check and 443 with the services’ port.

Debian

DROWN

F&E

Anexia is

ANEXIA offers high-quality solutions in the areas of cloud and managed services as well as individual software, app and web development. Founded in 2006, the company is based in Klagenfurt and has additional locations in Vienna, Graz, Karlsruhe and New York City.