DROWN - Cross-protocol attack on TLS using SSLv2


Systems Affected

SSL and TLS libraries with SSLv2 support

Threat Level



Red Hat Product Security has been made aware of a vulnerability in the SSLv2 protocol, which has been assigned CVE-2016-0800 and is used in a cross-protocol attack referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. This issue has been rated as Important


A group of security researchers discovered that SSLv2 (Secure Sockets Layer protocol version 2.0) is vulnerable to the Bleichenbacher RSA padding oracle attack, which can be used to decrypt RSA cipher text without the knowledge of the matching private RSA key. This can be done by observing responses from a server that has the private key and performs the decryption of attacker-provided cipher texts using that key. The researchers also demonstrated a new cross-protocol attack which allows decryption of SSL/TLS sessions using newer protocol versions - SSLv3 or any current TLS (Transport Layer Security) version (1.0 - 1.2) - using this SSLv2 weakness. This flaw is a SSLv2 protocol issue and affects all implementations of the protocol. Researchers refer to this attack as general DROWN.

Additionally, flaws were found in the SSLv2 protocol implementation in the OpenSSL cryptography and SSL/TLS library, which make it possible to perform a more efficient variant of the DROWN attack, referred to as special DROWN. These issues were assigned CVE-2016-0703 and CVE-2016-0704 , and were already recently corrected as part of the fix for CVE-2015-0293 .

Further details of this attack can be found in the researchers' paper titled DROWN: Breaking TLS using SSLv2 at


Solution/ Workarounds

  ✻  Update the latest version of the Mozilla's Firefox on Windows, Linux and Mac.



The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.