DROWN Vulnerability CVE-2016-0800 in OpenSSL Misses Most NGINX Users

A new OpenSSL vulnerability (CVE-2016-0800), called DROWN, was recently announced. It affects older versions of several widely-used server technologies:

  • SSLv2, an old version of the Secure Sockets Layer protocol. Most up-to-date websites don’t use SSL at all, having moved to TLS (Transport Layer Security).
  • IIS v7, an older version of Microsoft Internet Information Services.
  • NSS 3.13, a version of Network Security Services, a widely used cryptographic library.

The DROWN vulnerability is described on the dedicated website, The DROWN Attack. It stands for Decrypting RSA with Obsolete and Weakened eNcryption, and makes vulnerable websites susceptible to man-in-the-middle attacks.

DROWN is unusual in that it does not require a site to actively use SSLv2 or other vulnerable protocols. A site is vulnerable if it supports one of the vulnerable protocols or shares a private key with any other server that allows SSLv2 connections.

Both open source NGINX and NGINX Plus support SSLv2, but it is turned off by default in recent versions. Only users who have explicitly turned on SSLv2, who run a significantly outdated version of NGINX, or who share a private key with another server that allows SSLv2 connections are vulnerable to this attack.

Site owners should check whether their website configuration supports SSLv2 and disable it if it does. With NGINX and NGINX Plus, the SSL and TLS protocol versions offered are controlled by the ssl_protocols configuration directive. To enable only recent TLS versions and disable SSLv2 and SSLv3, use the following syntax:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Please see reference documentation on SSL support with NGINX: http://nginx.org/en/docs/http/ngx_http_ssl_module.html
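The two exposure conditions described above (a server block that still lists SSLv2, or one whose private key is also used by such a block) can be checked mechanically. The following is an added example, not code from the NGINX post; the nginx configuration it parses is constructed for illustration, and the parser is deliberately minimal (no nested blocks, no include files).

```python
import re

# Constructed nginx config excerpt (not from the article). Two vhosts share
# one private key; the legacy vhost still lists SSLv2 in ssl_protocols.
SAMPLE_CONFIG = """
server { server_name shop.example.test;
         ssl_certificate_key /etc/nginx/certs/shared.key;
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
server { server_name legacy.example.test;
         ssl_certificate_key /etc/nginx/certs/shared.key;
         ssl_protocols SSLv2 SSLv3 TLSv1; }
server { server_name api.example.test;
         ssl_certificate_key /etc/nginx/certs/api.key;
         ssl_protocols TLSv1.2; }
"""

def parse_servers(config):
    """Return one dict per server block with server_name, key and protocols.
    Minimal parser: assumes no nested blocks inside server { ... }."""
    servers = []
    for block in re.findall(r"server\s*\{(.*?)\}", config, re.S):
        entry = {"server_name": None, "key": None, "protocols": set()}
        for name, args in re.findall(r"(\w+)\s+([^;]+);", block):
            values = args.split()
            if name == "server_name":
                entry["server_name"] = values[0]
            elif name == "ssl_certificate_key":
                entry["key"] = values[0]
            elif name == "ssl_protocols":
                entry["protocols"] = set(values)
        servers.append(entry)
    return servers

def drown_findings(config):
    """Map server_name -> why it is exposed to DROWN; empty dict if none.
    A vhost is flagged if it allows SSLv2 itself, or if its private key is
    also used by a vhost that does (the key-sharing condition)."""
    servers = parse_servers(config)
    sslv2_keys = {s["key"] for s in servers if "SSLv2" in s["protocols"]}
    findings = {}
    for s in servers:
        if "SSLv2" in s["protocols"]:
            findings[s["server_name"]] = "allows SSLv2 directly"
        elif s["key"] and s["key"] in sslv2_keys:
            findings[s["server_name"]] = "shares a private key with an SSLv2 server"
    return findings

if __name__ == "__main__":
    for host, reason in drown_findings(SAMPLE_CONFIG).items():
        print(f"{host}: {reason}")
```

Note that a server block with no ssl_protocols directive is not flagged, since recent NGINX versions leave SSLv2 off by default; on a significantly outdated build, the default itself should be checked.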

Visit the NGINX Community Forum or, for NGINX Plus users, NGINX Plus Support for more information.

Visit the following sites for more information:

Image courtesy The Drown Attack.

The post DROWN Vulnerability CVE-2016-0800 in OpenSSL Misses Most NGINX Users appeared first on NGINX.
