一、漏洞描述: 現在流行的服務器和客戶端使用TLS加密,SSL和TLS協議保證用戶上網沖浪,購物,即時通信而不被第三方讀取到。DROWN(溺亡)漏洞允許攻擊者破壞這個加密體系,通過“中間人劫持攻擊”讀取或偷取敏感通信,包括密碼,信用卡帳號,商業機密,金融數據等。
二、漏洞影響:
大部分支持SSLv2的服務器均會受到該漏洞影響,比如啟用了ssl、tls加密的web服務器、郵件服務器。
三、檢測方法:
你也可使用檢測工具檢查
四、修復方法:
確保你的私鑰不適用於其他的支持sslv2服務,包括web,smtp,imap,pop服務等。禁止服務器端的sslv2支持。如果是Openssl,請查看OpenSSL官方給出的修復指南。
https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/
如果是nginx服務器直接在nginx.conf配置文件中去掉ssl_protocols SSLv2的支持。
示例:
[root@yn_vm_dev46 public_drown_scanner]# yum install python-virtualenv
[root@yn_vm_dev46 public_drown_scanner]# virtualenv drown
New python executable in drown/bin/python
Installing Setuptools……………………………………………………………………………………………………………………………………………………………………………………………………done.
Installing Pip……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….done.
[root@yn_vm_dev46 public_drown_scanner]#
[root@yn_vm_dev46 public_drown_scanner]#
[root@yn_vm_dev46 public_drown_scanner]# cd drown/
[root@yn_vm_dev46 drown]# ls
bin include lib lib64
[root@yn_vm_dev46 drown]# ./bin/activate
-bash: ./bin/activate: Permission denied
[root@yn_vm_dev46 drown]# . ./bin/activate
(drown)[root@yn_vm_dev46 drown]#
(drown)[root@yn_vm_dev46 drown]#
(drown)[root@yn_vm_dev46 drown]# pip install enum pycrypto scapy pyasn1 scapy-ssl_tls
(drown)[root@yn_vm_dev46 drown]# python /root/public_drown_scanner/scanner.py www.com 443
Testing www.com on port 443
www.com: Server is vulnerable, with cipher RC2_128_CBC_EXPORT40_WITH_MD5
www.com: Server is vulnerable, with cipher RC4_128_EXPORT40_WITH_MD5
www.com: Case 7; Symmetric key did not successfully verify on server finished message
www.com: Server is NOT vulnerable with cipher RC4_128_WITH_MD5, Message: 7: no tls
www.com: Server is vulnerable, with cipher DES_64_CBC_WITH_MD5
(drown)[root@yn_vm_dev46 drown]# python /root/public_drown_scanner/scanner.py www.com 443
Testing www.com on port 443
www.com: Case 3b; Connection reset by peer when waiting for server hello
www.com: Server is NOT vulnerable with cipher RC2_128_CBC_EXPORT40_WITH_MD5, Message: 3b: no tls
www.com: Case 3b; Connection reset by peer when waiting for server hello
www.com: Server is NOT vulnerable with cipher RC4_128_EXPORT40_WITH_MD5, Message: 3b: no tls
www.com: Case 3b; Connection reset by peer when waiting for server hello
www.com: Server is NOT vulnerable with cipher RC4_128_WITH_MD5, Message: 3b: no tls
www.com: Case 3b; Connection reset by peer when waiting for server hello
www.com: Server is NOT vulnerable with cipher DES_64_CBC_WITH_MD5, Message: 3b: no tls
