Vulnerability DROWN.

   After reading ‘DROWN SSLv2 Vulnerability Rears Ugly Head, Puts One-Third of HTTPS Servers At Risk’, I checked my server with The DROWN Attack site and DROWN Scanner. The DROWN vulnerability is the subject of the OpenSSL Security Advisory [1st March 2016].

   The DROWN Attack site reported the following (note that it has a ‘TERMS AND DISCLAIMERS’ section):

Results for o6asan.com

We have not identified any vulnerable servers matching this name. It’s possible that our scans missed something, or that there are vulnerable devices behind your firewall. For such devices, we recommend using our client-side scanning software.

   And DROWN Scanner reported:

$ docker run -it public-drown-scanner o6asan.com 443
Testing o6asan.com on port 443
o6asan.com: Case 3d; Server hello did not contain SSLv2
o6asan.com: Server is NOT vulnerable with cipher RC2_128_CBC_EXPORT40_WITH_MD5, Message: 3d: no tls

o6asan.com: Case 3d; Server hello did not contain SSLv2
o6asan.com: Server is NOT vulnerable with cipher RC4_128_EXPORT40_WITH_MD5, Message: 3d: no tls

o6asan.com: Case 3d; Server hello did not contain SSLv2
o6asan.com: Server is NOT vulnerable with cipher RC4_128_WITH_MD5, Message: 3d: no tls

o6asan.com: Case 3d; Server hello did not contain SSLv2
o6asan.com: Server is NOT vulnerable with cipher DES_64_CBC_WITH_MD5, Message: 3d: no tls

   Both results were as expected.

   If you use DROWN Scanner on Windows, Docker Toolbox is very convenient. But before installing it, read ‘Install Docker for Windows’ carefully. Actually I wanted to use Docker on Cygwin, but Cygwin gave the error ‘cannot enable tty mode on non tty input’.
   For preparation, download public_drown_scanner-master.zip and extract it as the folder public_drown_scanner in your Downloads folder.

   After installing, double-click ‘Docker Quickstart Terminal’ on your desktop. Wait patiently for several minutes until the terminal displays the $ prompt.
   $ cd Downloads/public_drown_scanner
   $ docker build -t public-drown-scanner .
   $ docker run -it public-drown-scanner localhost 443
   You will get a result like the one above. That’s it.
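If you scan many hosts, it helps to turn the scanner's text output into a per-cipher verdict instead of reading it by eye. The following is an added example (not part of the post or of the DROWN Scanner project) that parses the output format shown above; the sample input is constructed from the lines printed for the author's host, and the wording for a vulnerable server (‘Server is vulnerable …’) is an assumption, since the post only shows the ‘NOT vulnerable’ form.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first two cipher groups of the output shown above.
SAMPLE_OUTPUT = """\
Testing o6asan.com on port 443
o6asan.com: Case 3d; Server hello did not contain SSLv2
o6asan.com: Server is NOT vulnerable with cipher RC2_128_CBC_EXPORT40_WITH_MD5, Message: 3d: no tls

o6asan.com: Case 3d; Server hello did not contain SSLv2
o6asan.com: Server is NOT vulnerable with cipher RC4_128_EXPORT40_WITH_MD5, Message: 3d: no tls
"""

CASE_RE = re.compile(r"^(?P<host>\S+): Case (?P<case>\w+); (?P<detail>.*)$")
# Assumption: a vulnerable server is reported without the "NOT " (the post
# only shows the "NOT vulnerable" form).
VERDICT_RE = re.compile(
    r"^(?P<host>\S+): Server is (?P<neg>NOT )?vulnerable with cipher "
    r"(?P<cipher>\S+), Message: (?P<msg>.*)$")


@dataclass
class CipherResult:
    host: str
    cipher: str
    vulnerable: bool
    case: Optional[str]     # e.g. "3d", taken from the preceding Case line
    detail: Optional[str]   # e.g. "Server hello did not contain SSLv2"
    message: str


def parse_scanner_output(text: str) -> List[CipherResult]:
    """Pair each 'Case' line with the verdict line that follows it."""
    results: List[CipherResult] = []
    pending = None  # most recent Case line not yet attached to a verdict
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CASE_RE.match(line)
        if m:
            pending = (m["case"], m["detail"])
            continue
        m = VERDICT_RE.match(line)
        if m:
            case, detail = pending if pending else (None, None)
            results.append(CipherResult(m["host"], m["cipher"], m["neg"] is None,
                                        case, detail, m["msg"]))
            pending = None
    return results


def server_vulnerable(results: List[CipherResult]) -> bool:
    """One exploitable SSLv2 cipher suite is enough for DROWN, so any hit counts."""
    return any(r.vulnerable for r in results)
```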
