DROWN - Cross-protocol attack on TLS using SSLv2


Systems Affected

SSL and TLS libraries with SSLv2 support

Threat Level



Red Hat Product Security has been made aware of a vulnerability in the SSLv2 protocol, which has been assigned CVE-2016-0800 and is used in a cross-protocol attack referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. This issue has been rated as Important.


A group of security researchers discovered that SSLv2 (Secure Sockets Layer protocol version 2.0) is vulnerable to the Bleichenbacher RSA padding oracle attack, which can be used to decrypt RSA ciphertext without knowledge of the matching private RSA key. This is done by observing the responses of a server that holds the private key and uses it to decrypt attacker-provided ciphertexts. The researchers also demonstrated a new cross-protocol attack which allows decryption of SSL/TLS sessions that use newer protocol versions - SSLv3 or any current TLS (Transport Layer Security) version (1.0 - 1.2) - by exploiting this SSLv2 weakness. This flaw is an SSLv2 protocol issue and affects all implementations of the protocol. The researchers refer to this attack as general DROWN.

Additionally, flaws were found in the SSLv2 protocol implementation in the OpenSSL cryptography and SSL/TLS library, which make it possible to perform a more efficient variant of the DROWN attack, referred to as special DROWN. These issues were assigned CVE-2016-0703 and CVE-2016-0704, and were already corrected as part of the fix for CVE-2015-0293.

Further details of this attack can be found in the researchers' paper titled DROWN: Breaking TLS using SSLv2 at


Solution / Workarounds

The following changes were applied to OpenSSL included in Red Hat products to address this issue:

The SSLv2 protocol is no longer enabled by default when using the SSLv23 connection method.

All SSLv2 cipher suites using 40-bit (EXPORT) or 56-bit (single DES) symmetric encryption keys are now disabled and can no longer be used. The following cipher suites are no longer available:

The OpenSSL versions in the openssl packages in all updates for Red Hat Enterprise Linux 4 and 5 now check the OPENSSL_ENABLE_SSL2 environment variable and, if it is defined, enable SSLv2 by default when using the SSLv23 connection method. This environment variable can be used to re-enable SSLv2 if needed.
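To confirm on your own servers that the update took effect, the following added example (not code from the advisory, Red Hat or OpenSSL) sends an SSLv2 CLIENT-HELLO offering every SSLv2 cipher spec and reports whether the server answers with an SSLv2 SERVER-HELLO, which ciphers it still offers, and whether any of them are the 40-bit EXPORT or 56-bit DES suites the update removes. The cipher identifiers are the values from the SSLv2 draft specification; the host and port passed to check_sslv2 are assumptions.

```python
import socket
import struct
from typing import Optional

# SSLv2 cipher-spec identifiers (3 bytes each); the three marked weak are the
# 40-bit EXPORT and 56-bit single-DES suites the OpenSSL update disables.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",         # weak
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",     # weak
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",               # weak
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}
WEAK_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80", b"\x06\x00\x40"}

def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every cipher spec, with no session id."""
    specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01\x00\x02"  # msg type 1 (CLIENT-HELLO), version 0x0002
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    # 2-byte record header: high bit set means no padding, 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(record: bytes) -> Optional[dict]:
    """Ciphers offered by an SSLv2 SERVER-HELLO; None if the reply is not one."""
    if len(record) < 13 or not record[0] & 0x80:
        return None  # e.g. a TLS alert from a server with SSLv2 disabled
    body = record[2:2 + (((record[0] & 0x7F) << 8) | record[1])]
    if len(body) < 11 or body[0] != 0x04:  # msg type 4 = SERVER-HELLO
        return None
    cert_len, specs_len = struct.unpack(">HH", body[5:9])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    offered = [specs[i:i + 3] for i in range(0, len(specs), 3)]
    return {"ciphers": [SSLV2_CIPHERS.get(c, c.hex()) for c in offered],
            "weak_export_or_des": any(c in WEAK_CIPHERS for c in offered)}

def check_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Probe one of your own servers: a dict means SSLv2 is still enabled."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        try:
            for _ in range(8):  # SERVER-HELLO carries the whole certificate
                data += sock.recv(16384)
        except socket.timeout:
            pass  # the server is waiting for CLIENT-MASTER-KEY; nothing more
    return parse_server_hello(data)
```

A server with the fix applied does not answer the SSLv2 CLIENT-HELLO with a SERVER-HELLO, so check_sslv2 returns None; a dict with weak_export_or_des set to True indicates a server that still exposes the suites most useful to the attack.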



The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.