DROWN patches available for SUSE Linux Enterprise
Earlier today a security vulnerability known as “DROWN” was announced. SUSE was on top of it and already has patches available for SUSE Linux Enterprise.
What is “DROWN”?
“DROWN” is an acronym that stands for “Decrypting RSA using Obsolete and Weakened eNcryption”. It is tracked as CVE-2016-0800.
It allows an attacker to decrypt a TLS connection between the client and server by sending probes to the server, as long as that server supports SSLv2 with the same private key.
Is my system vulnerable?
Because SSLv2 support is still widespread across the Internet, the DROWN vulnerability can impact a large number of servers. If your server uses both TLS and SSLv2, it may be vulnerable.
How do I fix this vulnerability?
This vulnerability can be avoided by disabling the SSLv2 protocol in all of the SSL/TLS servers.
SUSE has released a patch that disables the SSLv2 protocol altogether by default, as well as all EXPORT ciphers, thus closing the vulnerability. The patch also checks environment variables so that customers can unbreak applications that still need SSLv2.
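As an added example (not SUSE's code and not part of the original post), the check an administrator would run against their own servers to confirm the fix above took effect: it sends a minimal SSLv2 ClientHello and classifies the reply, so a patched host should come back as "no-sslv2" or "tls-alert" rather than "sslv2". The host, port, timeout and cipher list are assumptions, and the byte strings used for checking are constructed.

```python
import os
import socket

# SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 spec; kinds 0x02 and 0x04
# are the 40-bit EXPORT ones that the patch described above disables as well.
SSLV2_CIPHER_SPECS = bytes.fromhex(
    "010080" "020080" "030080" "040080"  # RC4-128, RC4-40-EXPORT, RC2-128, RC2-40-EXPORT
    "050080" "060040" "0700c0"           # IDEA-128, DES-64, 3DES-192
)
MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0x01, 0x04


def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build an SSLv2 ClientHello behind a 2-byte record header (high bit set)."""
    body = bytes([MSG_CLIENT_HELLO, 0x00, 0x02])        # message type, version 2.0
    body += len(SSLV2_CIPHER_SPECS).to_bytes(2, "big")   # cipher-specs length
    body += (0).to_bytes(2, "big")                       # no session id
    body += len(challenge).to_bytes(2, "big")            # challenge length
    body += SSLV2_CIPHER_SPECS + challenge
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back: 'sslv2', 'tls-alert' or 'no-sslv2'."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == MSG_SERVER_HELLO:
        return "sslv2"        # SSLv2 ServerHello: the server still speaks SSLv2
    if data and data[0] == 0x15:
        return "tls-alert"    # TLS alert record: the SSLv2 hello was rejected
    return "no-sslv2"         # empty reply, SSLv2 error or anything else


def sslv2_ciphers_offered(server_hello: bytes) -> list:
    """Cipher kinds (hex) an SSLv2 ServerHello advertises; EXPORT kinds start 02/04."""
    cert_len = int.from_bytes(server_hello[7:9], "big")     # certificate length
    spec_len = int.from_bytes(server_hello[9:11], "big")    # cipher-specs length
    start = 13 + cert_len                                   # specs follow the cert
    specs = server_hello[start:start + spec_len]
    return [specs[i:i + 3].hex() for i in range(0, len(specs), 3)]


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the probe to one of your own servers and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello(os.urandom(16)))
        try:
            return classify_reply(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "no-sslv2"  # patched servers typically just drop the connection
```

A result of "sslv2" after patching means the service is still linked against an unpatched OpenSSL or has SSLv2 re-enabled through the environment variables mentioned above.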
Those patches are available for the following systems:
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 Service Pack 1
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 LTSS (SLES 11 SP3 LTSS)
SUSE Linux Enterprise Server 11 Service Pack 2 LTSS (SLES 11 SP2 LTSS)
Images maintained by SUSE in Amazon EC2, Google Compute Engine, and Microsoft Azure with a date indicator of v20160301 or greater include the changes in OpenSSL that address DROWN.