How about the DROWN attack

[RvdM]

Hi all,

Today i've performed a vulnerability check on my domain and found that my directadmin setup is vulnerable for the DROWN vulnerability. Any news on how to setup directadmin to prevent this or is a openssl update with the most recent version enough to eliminate the risk.

Regards,
RvM

 

[ricardo777]

Same here.

Result of Drown tesT:

IP:25
supports SSLv2 export ciphers
IP:587
supports SSLv2 export ciphers

I have checked the Exim and Dovecot SSL but they are the same as: http://help.directadmin.com/item.php?id=571

I have also rebuild and restarted the services but still I am vulnerable.

The other DA servers are the same.

 

[Richard G]

Which test did you use?

I used this one:
https://test.drownattack.com/
and all my DA servers came up not vulnerable.

 

[SupermanInNY]

are you entering IP address or Name.
I get different results when entering IP address than entering a name of a domain.
Names show "all is good".
IPs are showing "found issues".

 

[Richard G]

Double check what the "found issues" are.
If I use a domain name, all is well, only my server is checked.
When I use an ip, it looks like a lot of ip's are being checked, but mine is not in between them.
For example, my ip is 46.xx.xx.xx and this is part of the results:

Port 25
SMTP
The key is exposed on other vulnerable servers or ports:
5.2.81.212:465
vulnerable to CVE-2016-0703
5.2.81.226:465
vulnerable to CVE-2016-0703

And a whole bunch of other ip's like 64.xx.xx.xx, 84.xx.xx.xx and so on, but my server ip is not amongst them.
So the result is in fact the same, not vulnarable, the only change is that I see results, but they don't belong to my ip.

 

[sysdev]

That's nog how the drown attack works.

You might want to catch up on this: https://blog.qualys.com/securitylabs/2016/03/04/ssl-labs-drown-test-implementation-details