Vulnerability to the DROWN attack

Created:

2017-07-28 06:16:37 UTC

Modified:

2017-08-16 15:46:34 UTC


Applicable to:

  • Plesk 12.5 for Linux
  • Plesk 12.0 for Linux

Symptoms

An SSL Labs check shows that the server is vulnerable to the DROWN attack: not directly, but because it shares its RSA key with another host that still accepts SSLv2.

[Screenshot: SSL Labs Server Test report flagging the DROWN vulnerability]

Cause

Both servers share the same RSA key. This can happen if a fully set-up Plesk server was used as a template for creating other servers, or if one certificate was issued to secure several different servers.

A server that still accepts SSLv2 can be used to attack every other server that shares its RSA key (CVE-2016-0800). If it also runs a vulnerable version of OpenSSL, it can be used to attack all hostnames that appear in its certificate (CVE-2016-0703).
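The two exposure paths above are easy to get wrong when you have more than a handful of hosts, so the following added example (not part of the Plesk article) models them over a host inventory: it groups hosts by public-key fingerprint, reports every key that is reused, and then marks a host as at risk when another host with the same key accepts SSLv2 (CVE-2016-0800), or when it is named in the certificate of an SSLv2 host running a vulnerable OpenSSL build (CVE-2016-0703). The hostnames, fingerprints and flags in the inventory are constructed sample data; in practice they would come from SSL Labs reports or your own scan results.

```python
"""Assess DROWN exposure across an inventory of TLS hosts (added example).

Two exposure paths are modelled:
  * CVE-2016-0800: a host that still speaks SSLv2 exposes every other host
    that uses the same RSA key.
  * CVE-2016-0703: an SSLv2 host on a vulnerable OpenSSL build additionally
    exposes every hostname listed in its certificate.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    key_fingerprint: str            # fingerprint of the certificate's public key (any stable hash)
    sslv2: bool                     # host accepts SSLv2 handshakes
    vulnerable_openssl: bool = False  # OpenSSL build affected by CVE-2016-0703
    san_names: tuple = ()           # hostnames listed in the certificate


def group_by_key(hosts):
    """Map each key fingerprint to the list of hosts presenting that key."""
    by_key = defaultdict(list)
    for h in hosts:
        by_key[h.key_fingerprint].append(h)
    return by_key


def shared_keys(hosts):
    """Return {fingerprint: sorted hostnames} for every key used by more than one host.

    Key reuse alone is not DROWN, but it is the precondition the article's
    'Cause' section describes (cloned servers or one cert on several hosts).
    """
    return {fp: sorted(h.name for h in group)
            for fp, group in group_by_key(hosts).items() if len(group) > 1}


def assess(hosts):
    """Return {hostname: sorted list of reasons} for every host at risk."""
    by_key = group_by_key(hosts)
    findings = defaultdict(set)
    for h in hosts:
        if not h.sslv2:
            continue
        findings[h.name].add("accepts SSLv2 directly")
        # General DROWN: every host sharing this key is attackable via this host.
        for other in by_key[h.key_fingerprint]:
            if other.name != h.name:
                findings[other.name].add(
                    f"shares RSA key with SSLv2 host {h.name} (CVE-2016-0800)")
        # Special DROWN: with the OpenSSL bug, every name in the cert is exposed.
        if h.vulnerable_openssl:
            for name in h.san_names:
                if name != h.name:
                    findings[name].add(
                        f"named in certificate of vulnerable SSLv2 host {h.name} (CVE-2016-0703)")
    return {name: sorted(reasons) for name, reasons in findings.items()}


# Constructed sample inventory: plesk-a was cloned from plesk-b's image, so both
# present the same key; plesk-b was never patched and still accepts SSLv2.
INVENTORY = (
    Host("plesk-a.example.test", "sha256:KEY-A", sslv2=False),
    Host("plesk-b.example.test", "sha256:KEY-A", sslv2=True, vulnerable_openssl=True,
         san_names=("plesk-b.example.test", "mail.example.test")),
    Host("shop.example.test", "sha256:KEY-C", sslv2=False),
)

if __name__ == "__main__":
    for fp, names in shared_keys(INVENTORY).items():
        print(f"key {fp} is shared by: {', '.join(names)}")
    for name, reasons in sorted(assess(INVENTORY).items()):
        print(f"{name}: " + "; ".join(reasons))
```

Once the SSLv2 host is fixed (or its key replaced), rerun the assessment: plesk-a drops out of the findings only when no remaining SSLv2 host presents the same key, which is why the article recommends reissuing certificates for all previously affected hosts.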

Resolution

There are two different ways to solve this issue:

  1. Disable SSLv2 on the vulnerable server using a script:
    • Connect to the server using SSH.
    • Download the archive with the script that automatically disables SSLv3 and SSLv2 on the server:

      # wget https://kb.plesk.com/Attachments/kcs-40007/ssl_v3_disable.zip

    • Unpack the archive:

      # unzip ./ssl_v3_disable.zip

    • Make the script executable:

      # chmod +x ./ssl_v3_disable.sh

    • Run the script:

      # ./ssl_v3_disable.sh

      Warning: This script is not intended to be used on Plesk Onyx!

      Note: It is strongly advised to reissue certificates for all previously affected hosts.

  2. Change default IP and default Plesk SSL certificate on the server:
    • A new certificate has to be issued. If the old one was not self-signed, contact the certificate issuer's support.
      1. Go to Tools & Settings > SSL Certificates > Add.
      2. Fill out all required forms and click on Self-Signed to create a certificate.
      3. Select a new certificate and click Make Default / Secure Plesk.
        Note: Make Default performs the following steps automatically.
      4. Go to Tools & Settings > IP Addresses and choose vulnerable IP.
      5. Change SSL certificate from the previous certificate to the new one.