CVE-2016-0800: Exploit in SSLv2

Created:

2016-11-16 13:00:46 UTC

Modified:

2017-08-16 15:56:47 UTC



Applicable to:

  • Plesk for Linux
  • Plesk 12.5 for Windows

Situation

The OpenSSL group issued a vulnerability alert on March 1, 2016. You can find more information about CVE-2016-0800 on the OpenSSL website.

This vulnerability is known as DROWN (CVE-2016-0800).

Impact

A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server.

A more efficient variant of the DROWN attack exists against unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
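The four version numbers above are the first upstream releases in each branch to carry the fix. The following script is an added example (not Plesk's or OpenSSL's code) that parses an OpenSSL version string such as `1.0.1e` or the first line of `openssl version` output and reports whether it is at or above the patched release of its branch. OpenSSL letter suffixes sort as `1.0.1` < `1.0.1a` < ... < `1.0.1z` < `1.0.1za`, which is why the comparison key uses the suffix length first.

```python
import re
import subprocess

# Minimum upstream release per branch that contains the DROWN fix, as listed
# in the advisory: 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
PATCHED_MINIMUM = {
    (1, 0, 2): "a",
    (1, 0, 1): "m",
    (1, 0, 0): "r",
    (0, 9, 8): "zf",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letters) for a string such as '1.0.1e'
    or the first line of `openssl version` output, for example
    'OpenSSL 1.0.1e-fips 11 Feb 2013'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version number found in %r" % text)
    major, minor, fix, letters = match.groups()
    return (int(major), int(minor), int(fix)), letters


def _letter_key(letters):
    # '' < 'a' < ... < 'z' < 'za' < 'zb' ...: a shorter suffix always
    # precedes a longer one, then plain string order decides.
    return (len(letters), letters)


def upstream_has_drown_fix(text):
    """True if the version is at or above the patched release of its branch,
    False if it predates the fix, None if the branch is not in the advisory's
    list (for example 1.1.x, which was released after the fix)."""
    branch, letters = parse_openssl_version(text)
    minimum = PATCHED_MINIMUM.get(branch)
    if minimum is None:
        return None
    return _letter_key(letters) >= _letter_key(minimum)


def check_local_openssl():
    """Run `openssl version` on this host and classify the result."""
    output = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    return output.strip(), upstream_has_drown_fix(output)


if __name__ == "__main__":
    version, fixed = check_local_openssl()
    verdict = {True: "patched upstream", False: "predates the fix",
               None: "branch not in the advisory list"}[fixed]
    print(version, "->", verdict)
```

One caveat that matters for the vendors listed under Call to Action: RedHat/CentOS (and often Debian/Ubuntu) backport security fixes without changing the upstream version string, so `openssl version` can report `1.0.1e` on a host that is already patched. Treat a "predates the fix" result as a prompt to check the distribution's package changelog or advisory, not as proof of exposure.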

All services managed by Plesk except qmail and autoinstaller are configured not to use SSLv2 (and SSLv3) by default since Plesk 12.5.
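Because the attack needs a server that still answers in SSLv2 (on any port that shares the RSA key), the configuration claim above is worth verifying on each TLS-speaking port rather than assumed. The script below is an added example, not part of this article or of Plesk: it sends an SSLv2 CLIENT-HELLO to a port that speaks TLS directly (443, 465, 993, 995; STARTTLS services will not answer it) and reports whether the reply is an SSLv2 SERVER-HELLO and which cipher kinds it lists, flagging the 40-bit EXPORT ones. A hardened server answers with a TLS alert or closes the connection; both are reported as "SSLv2 not supported". The `build_server_hello` helper and its placeholder certificate are constructed only so the parser can be exercised offline.

```python
import socket
import struct
import sys

# SSLv2 cipher kinds (3-byte codes from the SSLv2 specification). The two
# 40-bit EXPORT kinds are the ones the DROWN oracle relies on.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002


def build_client_hello():
    """SSLv2 CLIENT-HELLO offering every cipher kind, inside a two-byte record
    header (high bit set = no padding, remaining 15 bits = body length)."""
    ciphers = b"".join(SSLV2_CIPHERS)
    challenge = b"\x00" * 16        # fixed challenge: this is a probe, not a session
    body = (struct.pack("!BH", MSG_CLIENT_HELLO, SSLV2_VERSION)
            + struct.pack("!HHH", len(ciphers), 0, len(challenge))  # cipher, session-id, challenge lengths
            + ciphers + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_server_hello(cipher_codes, cert=b"\x30\x03\x02\x01\x01", session_hit=0):
    """Constructed SSLv2 SERVER-HELLO used only to test the parser offline.
    The default cert is a placeholder DER blob, not a real certificate."""
    ciphers = b"".join(cipher_codes)
    conn_id = b"\x00" * 16
    body = (bytes([MSG_SERVER_HELLO, session_hit, 1])        # cert type 1 = X.509
            + struct.pack("!HHHH", SSLV2_VERSION, len(cert), len(ciphers), len(conn_id))
            + cert + ciphers + conn_id)
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_response(data):
    """Classify what a server sent back. Returns (sslv2_supported, cipher_names).
    A TLS alert (record type 0x15), an SSLv2 ERROR message (type 0x00) or an
    empty reply all mean the port does not speak SSLv2."""
    if len(data) < 2 or not (data[0] & 0x80):
        return False, []                       # not an SSLv2 record at all
    length = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return False, []
    # SERVER-HELLO layout: type(1) hit(1) cert_type(1) version(2) cert_len(2)
    #                      cipher_len(2) conn_id_len(2) cert ciphers conn_id
    version, cert_len, cipher_len = struct.unpack("!HHH", body[3:9])
    if version != SSLV2_VERSION:
        return False, []
    specs = body[11 + cert_len:11 + cert_len + cipher_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return True, names


def probe(host, port=443, timeout=5.0):
    """Connect to a port that speaks TLS directly (not STARTTLS), send the
    CLIENT-HELLO and read one reply record or whatever arrives before timeout."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                if not (data[0] & 0x80):
                    break                      # TLS alert or other non-SSLv2 reply
                if len(data) >= 2 + (struct.unpack("!H", data[:2])[0] & 0x7FFF):
                    break                      # complete SSLv2 record received
        except socket.timeout:
            pass
    return parse_server_response(data)


if __name__ == "__main__":
    target, target_port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    supported, names = probe(target, target_port)
    if not supported:
        print("%s:%d: SSLv2 not supported" % (target, target_port))
    else:
        flag = " (EXPORT ciphers offered)" if any("EXPORT" in n for n in names) else ""
        print("%s:%d: SSLv2 SERVER-HELLO received%s: %s" % (target, target_port, flag, ", ".join(names)))
```

Run it against each of your own implicit-TLS ports, for example `python3 sslv2_probe.py mail.example.com 993` (hostname and file name are placeholders). Remember the shared-key point from the Impact section: a clean result on port 443 says nothing about a mail service on the same box that presents the same RSA key, so every port that uses that key needs its own check.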

Mitigating factors:

  • SSL/TLS connections using non-RSA key exchange, such as Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH), cannot be decrypted using the DROWN attack.

  • Modern SSL/TLS clients support ECDH and DH.
    All services managed by Plesk except qmail and autoinstaller are configured to prefer ECDH and DH by default.

See links below for more information:

Call to Action

Operating system vendors have already released corresponding updates; please update your OS following the standard procedure:

  • RedHat/CentOS
  • Debian
  • Ubuntu

Plesk takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.
