Fix DROWN Vulnerability in Plesk & WHM

Fix DROWN Vulnerability in Plesk & WHM
There is a mobile optimized version of this page, view AMP Version.

DROWN Vulnerability - How it works Within the last couple of weeks a new deadly security vulnerability has been discovered in OpenSSL that may affect more than 11 Million websites who have servers with outdated and insecure Secure Socket Layer (SSL) cryptography SSLv2. Hackers are able to launch a low-cost attack that can decrypt your sensitive HTTPS communications, which include logins, credit card details and other sensitive information, what’s more worrying is the decryption can happen within a couple of hours, or even in some cases almost immediately. Security researchers who released a research paper on DROWN said:

We present DROWN, a novel cross-protocol attack that can decrypt passively collected TLS sessions from up to-date clients by using a server supporting SSLv2 as a Bleichenbacher RSA padding oracle. We present two versions of the attack. The more general form exploits a combination of thus-far unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher attack. A typical scenario requires the attacker to observe 1,000 TLS handshakes, then initiate 40,000 SSLv2 connections and perform 2 50 offline work to decrypt a 2048-bit RSA TLS ciphertext. (The victim client never initiates SSLv2 connections.) We implemented the attack and can decrypt a TLS 1.2 handshake using 2048- bit RSA in under 8 hours using Amazon EC2, at a cost of $440.

 

What is DROWN? How does DROWN work?

DROWN stands for “Decrypting RSA with Obsolete and Weakened eNcryption.”, it is a cross-protocol attack that abuses weaknesses in SSLv2 combined with the secure Transport Layer Security (TLS) protocol. And while the latest versions of TLS does not allow SSLv2, most servers are either not up to date or override this protection to help optimize applications.  

How to fix DROWN on WHM

The first thing you need to do is update all the packages on your server, you will need a server administrator who is competent to update the required packages, you need to specifically update all openssl packages, but it would be a good idea to update all outdated packages on your system if possible. Depending on your Server these commands may be of use:

sudo apt-get update
sudo yum update openssl

  Once fully updated you need to modify apache configuration file so that it will use more secure cryptography and disable SSLv2, we recommend:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

 

Need Help?

Here at WebDesires, we specialise in web hosting and server management, with have expertise with WHM and Plesk Servers (and others) and can perform a DROWN fix for your server, please fill in the form below to request a quote for fixing the DROWN vulnerability on your server, we offer a professional service with a full money back guarantee if we do not fix the problem. All you will need is ROOT server access, that we will request once you have accepted our quote.

Request A Quote

Your Name*

Your Email*

Your Skype

Your Telephone

Preferred Contact Method

Some details about your host, provider, url to one of your sites (do not provide any logins here)


SHARING IS CARING!
facebooktwittergoogle_plusredditpinterestlinkedinmail

Author: Dean Williams

Professional PHP Web Developer with expertise in OpenCart Web Development, WordPress Web Development, Bespoke Systems - also a seasoned Linux Server Administrator.


Leave a Reply

Your email address will not be published. Required fields are marked *