Vulnerability alert: DROWN vulnerability affecting web servers using OpenSSL

This is to bring to your attention a recently announced important vulnerability called DROWN, which affects Apache and IIS web servers and products using OpenSSL. A successful attack would result in decryption of the SSL connection between client and server and hence possible disclosure of sensitive data such as usernames and passwords. The attack relies on the server supporting a legacy SSL protocol called SSLv2. You are invited to take this chance to review and harden your servers by disabling outdated network protocols.

Microsoft IIS also has the SSLv2/v3 protocols enabled by default.

To mitigate the risk and improve server security, ITSO recommends:

  1. Apply security updates, including the DROWN updates, to your servers in a timely manner
  2. Disable SSLv2 on your server
  3. Disable SSLv3 on your server unless it must support very old clients, e.g. IE 6 on Windows XP.
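The online scanners listed further down only refresh their DROWN results periodically, so a quick local check that a server really no longer accepts SSLv2 (step 2 above) is useful. The following is an added example written for this alert, not code from the advisory or from any of the linked scanners. It builds a raw SSLv2 CLIENT-HELLO, parses the reply, and reports whether the server answered with an SSLv2 SERVER-HELLO; the two sample replies at the bottom are constructed, not captured from a real server. The raw record format is used because modern OpenSSL builds (and therefore `openssl s_client`) cannot speak SSLv2 at all.

```python
"""Check whether a server still accepts SSLv2, the protocol DROWN relies on.

Hypothetical example written for this alert; not part of the advisory.
"""
import os
import socket
import struct

SSL2_CLIENT_HELLO = 0x01
SSL2_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# SSLv2 cipher-kind identifiers (3 bytes each) and their names.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    if challenge is None:
        challenge = os.urandom(16)
    ciphers = b"".join(SSL2_CIPHERS)
    body = struct.pack(
        "!BHHHH", SSL2_CLIENT_HELLO, SSL2_VERSION, len(ciphers), 0, len(challenge)
    ) + ciphers + challenge
    # Two-byte SSLv2 record header: high bit set, 15-bit body length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Return details of an SSLv2 SERVER-HELLO, or None if `data` is not one.

    A TLS alert record, an empty reply after the server closed the
    connection, or truncated bytes all yield None ("SSLv2 not offered").
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or length < 11 or body[0] != SSL2_SERVER_HELLO:
        return None
    _hit, cert_type, version, cert_len, cipher_len, conn_id_len = struct.unpack(
        "!BBHHHH", body[1:11]
    )
    rest = body[11:]
    if version != SSL2_VERSION or len(rest) != cert_len + cipher_len + conn_id_len:
        return None
    raw_ciphers = rest[cert_len:cert_len + cipher_len]
    ciphers = [
        SSL2_CIPHERS.get(raw_ciphers[i:i + 3], raw_ciphers[i:i + 3].hex())
        for i in range(0, len(raw_ciphers), 3)
    ]
    return {"certificate_type": cert_type, "certificate_length": cert_len, "ciphers": ciphers}


def probe_sslv2(host, port=443, timeout=5.0):
    """Connect to host:port, send the CLIENT-HELLO and interpret the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return parse_sslv2_server_hello(reply)


# Constructed sample replies (not captured from any real server).
# 1) SSLv2 SERVER-HELLO with a 3-byte dummy certificate, two cipher kinds and
#    a 16-byte connection id: this server still speaks SSLv2.
_SAMPLE_BODY = (
    bytes([SSL2_SERVER_HELLO, 0, 1])        # type, session-id-hit, cert type X.509
    + struct.pack("!HHHH", SSL2_VERSION, 3, 6, 16)
    + b"\x30\x01\x00"                        # dummy certificate bytes
    + b"\x01\x00\x80" + b"\x07\x00\xc0"      # RC4-128-MD5, 3DES-EDE-MD5
    + bytes(16)                              # connection id
)
SAMPLE_SSLV2_SERVER_HELLO = struct.pack("!H", 0x8000 | len(_SAMPLE_BODY)) + _SAMPLE_BODY

# 2) TLS alert record (fatal, protocol_version): a hardened server rejecting the hello.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"


if __name__ == "__main__":
    for label, reply in (("legacy server", SAMPLE_SSLV2_SERVER_HELLO),
                         ("hardened server", SAMPLE_TLS_ALERT)):
        result = parse_sslv2_server_hello(reply)
        print(label, "->", "SSLv2 ENABLED" if result else "SSLv2 not offered", result or "")
```

Run `probe_sslv2("your.server.example", 443)` against a host you administer; a `None` result means the server did not complete an SSLv2 handshake. Repeat for every port on the host that terminates TLS (e.g. mail services), since a single service that still accepts SSLv2 is enough for the server to be affected.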

Below are some resources for your reference:

The DROWN Attack (includes a DROWN scanner, but its results are only updated about monthly)

https://drownattack.com/

Patches for Redhat Linux

https://access.redhat.com/security/vulnerabilities/drown

Microsoft IIS - Disable SSL 2.0 and SSL 3.0

https://www.kinamo.be/en/support/faq/disable-ssl-2-0-and-ssl-3-0-on-microsoft-iis

How to disable SSLv2 / SSLv3 on web servers

http://disablessl3.com/#apache

Check for SSLv2/v3 support on your server

https://www.digicert.com/help/

SSL Server Test (comprehensive real-time tests, but a DROWN test is not included yet)

https://www.ssllabs.com/ssltest/