
CVE-2016-0800 / THE DROWN ATTACK: another “Heartbleed”-class vulnerability

www.hx99.net    Date: 2016-03-02    Compiled by: 华西安全网

Vulnerability ID
CVE-2016-0800

Description
DROWN, a new vulnerability in OpenSSL that affects servers using SSLv2, was revealed today as an attack that could decrypt your secure HTTPS communications, such as passwords or credit card numbers. More than 33 percent of servers are vulnerable — significantly less than Heartbleed, but still a surprisingly high number.
The “DROWN” vulnerability was discovered last December and was made public yesterday in OpenSSL's March security advisory. Using it, an attacker can mount a man-in-the-middle attack and steal the contents of HTTPS-encrypted sessions. Large sites including Yahoo, Alibaba, Weibo, Flickr, Baidu and Qihoo 360 are affected; an estimated 33% or more of websites worldwide are exposed to this vulnerability.

[Figure: DROWN_diagram.jpg]

Vulnerability check
https://drownattack.com/#check 

Affected scope
https://drownattack.com/top-sites.html 


Remediation
To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS. You can use the check linked above to see whether your server appears to be exposed to the attack.
Disable SSLv2 connections; for further remediation details see:
https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/ 
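The remediation above comes down to one verifiable condition: no service that uses the same private key may still complete an SSLv2 handshake. The following Python script is an added example (not from this page, drownattack.com, or OpenSSL) for checking your own hosts: it builds an SSLv2 ClientHello, parses the SSLv2 ServerHello a still-vulnerable server would answer with, and lists the cipher kinds offered, flagging the export-grade ones. The record and message layouts follow the SSLv2 specification; the sample ServerHello, its placeholder certificate blob and the sample TLS alert are constructed here for offline testing and were not captured from any real server. The `probe()` helper works only for implicit-TLS ports (443, 465, 993, 995); STARTTLS services would need the protocol's own STARTTLS exchange first, which is not implemented.

```python
"""SSLv2 self-check for DROWN remediation (added example, not from the page).

Builds an SSLv2 ClientHello, parses an SSLv2 ServerHello and reports whether
a service still negotiates SSLv2, which is the condition DROWN requires.
Record and message layouts follow the SSLv2 specification.
"""
import socket
import struct

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002

# SSLv2 cipher kinds (3 bytes each) as defined in the SSLv2 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def sslv2_record(body: bytes) -> bytes:
    """Wrap a message in a 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 ClientHello offering every SSLv2 cipher kind, with no session id."""
    specs = b"".join(SSLV2_CIPHERS)
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(specs), 0, len(challenge)) + specs + challenge
    return sslv2_record(body)


def parse_server_hello(data: bytes):
    """Return the cipher kinds an SSLv2 ServerHello offers, or None when `data`
    is not a well-formed SSLv2 ServerHello (for example a TLS alert record)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len or rec_len < 11:
        return None
    (msg_type, _session_hit, _cert_type, version,
     cert_len, spec_len, conn_len) = struct.unpack(">BBBHHHH", body[:11])
    if msg_type != MSG_SERVER_HELLO or version != SSLV2_VERSION:
        return None
    if 11 + cert_len + spec_len + conn_len != rec_len or spec_len % 3:
        return None
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, spec_len, 3)]


def assess(response: bytes) -> dict:
    """Summarise a server's first reply to the SSLv2 ClientHello."""
    ciphers = parse_server_hello(response)
    if ciphers is None:
        return {"sslv2": False, "ciphers": [], "export_ciphers": []}
    return {"sslv2": True, "ciphers": ciphers,
            "export_ciphers": [c for c in ciphers if "EXPORT" in c]}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the ClientHello to one of your own implicit-TLS services and assess the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = sock.recv(4096)
        # An SSLv2 record may span several reads; keep reading until it is complete.
        while len(data) >= 2 and data[0] & 0x80:
            need = 2 + (((data[0] & 0x7F) << 8) | data[1])
            if len(data) >= need:
                break
            more = sock.recv(4096)
            if not more:
                break
            data += more
    return assess(data)


def sample_sslv2_server_hello() -> bytes:
    """Constructed ServerHello (not a real capture) offering RC4-128 and the
    export-grade RC4-40 cipher, with a placeholder certificate blob."""
    cert = b"PLACEHOLDER-CERT"
    specs = b"\x01\x00\x80" + b"\x02\x00\x80"
    conn_id = b"\x00" * 16
    body = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return sslv2_record(body)


# Constructed TLS 1.0 fatal protocol_version alert: the kind of reply a server
# with SSLv2 disabled gives instead of an SSLv2 ServerHello.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"


if __name__ == "__main__":
    print(assess(sample_sslv2_server_hello()))  # sslv2: True, one export cipher
    print(assess(SAMPLE_TLS_ALERT))              # sslv2: False
```

A result with `"sslv2": True` on any port that shares a key with your HTTPS service means the remediation is incomplete for that key, whichever cipher kinds are listed; the export-cipher flag only shows which of the weak SSLv2 kinds are still enabled. Treat a closed connection, a TLS alert, or any non-SSLv2 reply as "SSLv2 not negotiated" for that service.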

Technical paper
https://drownattack.com/drown-attack-paper.pdf

Source: 华西安全网 [http://www.hx99.net]