
Is Your cPanel Server Protected Against CVE-2016-0800 (DROWN)?

Posted by dpepper

Overview

A newly disclosed flaw has been found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. DROWN is a cross-protocol attack: an attacker who can reach a server that still accepts SSLv2 can use its SSLv2 handshake as an oracle to break the RSA key exchange of TLS sessions to any server that uses the same RSA private key, even though those sessions were negotiated with a newer protocol version and the client never offered SSLv2.

Impact

Because of earlier protocol weaknesses such as POODLE (which targets SSLv3), most server administrators have already removed support for SSLv2, SSLv3 and other weak ciphers. For instance, cPanel removed SSLv2 support on core services by default beginning with version 11.44 in 2014.

Servers running older, End-of-Life operating systems may still support SSLv2. Because DROWN exploits key reuse, also check any other host or service that presents the same RSA certificate or key: a single SSLv2-enabled service anywhere exposes every TLS service that shares that key.

Test: Does Your Server Support SSLv2?

To test whether your web server supports SSLv2, you can run this command from a terminal on Linux or Mac OS X, substituting your domain name for the example below. Note that OpenSSL 1.1.0 and later are built without SSLv2 support, so on a current system this command stops with an "Unknown option" error for -ssl2; that tells you nothing about the server, so in that case use an older OpenSSL build or one of the online checkers mentioned below:

openssl s_client -connect www.yourdomainname.com:443 -ssl2

If the server does not support SSLv2, the output of that command should include "ssl handshake failure" as seen in the example below. Your output will differ in its details, but as long as you see "ssl handshake failure" somewhere in the output, the service refused SSLv2. If instead the handshake completes and the output shows a certificate chain, a cipher and an SSL-Session block, the server accepted SSLv2 and is exposed:

[root@host]# openssl s_client -connect www.yourdomainname.com:443 -ssl2
CONNECTED(00000003)
95090:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s2_pkt.c:427:

You can test SSLv2 support on other services by substituting the HTTPS port (443 in the command above) with the appropriate port for the service you're testing. Test every TLS-enabled service, not only the web server, since they typically share the same RSA key. These are the default ports; if you've changed the port a service runs on, use that value instead:

  • WHM: 2087
  • cPanel: 2083
  • Secure SMTP (Exim): 465
  • Secure IMAP: 993
  • Secure POP3: 995
  • Secure Webmail: 2096
  • Secure WebDisk: 2078
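As an added example (not code from the original post, from cPanel or from OpenSSL), the following Python script runs the same SSLv2 check across all of the default ports listed above without depending on the local OpenSSL build still accepting -ssl2. It hand-builds an SSLv2 ClientHello offering every SSLv2 cipher spec, sends it to each port, and classifies the reply: an SSLv2 ServerHello means that service speaks SSLv2 and the server is exposed to DROWN; a TLS alert or a closed connection means the service refused it. The host name on the command line, the port table and the outcome labels are assumptions for illustration.

```python
"""Probe cPanel TLS services for SSLv2 support with a hand-built SSLv2 ClientHello.

Added example, not from the original post.  Unlike `openssl s_client -ssl2`, it
works on systems whose OpenSSL (1.1.0 and later) was built without SSLv2.
The target host, port table and outcome labels are assumptions for illustration.
"""
import socket
import struct
import sys

# Default cPanel service ports listed in the post; adjust if you moved a service.
CPANEL_TLS_PORTS = {
    "HTTPS": 443, "WHM": 2087, "cPanel": 2083, "SMTPS (Exim)": 465,
    "IMAPS": 993, "POP3S": 995, "Webmail": 2096, "WebDisk": 2078,
}

# All seven SSLv2 cipher specs (3 bytes each).  Offering every one maximises the
# chance that a server with any SSLv2 cipher enabled answers with a ServerHello.
SSLV2_CIPHER_SPECS = bytes.fromhex(
    "010080" "020080" "030080" "040080" "050080" "060040" "0700c0"
)

SSLV2_CLIENT_HELLO = 0x01   # SSLv2 message types
SSLV2_SERVER_HELLO = 0x04
TLS_ALERT = 0x15            # TLS record content type


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Return an SSLv2 ClientHello record: 2-byte header (MSB set) + body."""
    if len(challenge) != 16:
        raise ValueError("SSLv2 challenge must be 16 bytes")
    body = struct.pack(
        ">BHHHH",
        SSLV2_CLIENT_HELLO,
        0x0002,                    # protocol version: SSLv2
        len(SSLV2_CIPHER_SPECS),   # cipher-spec length
        0,                         # session-id length (new session)
        len(challenge),            # challenge length
    ) + SSLV2_CIPHER_SPECS + challenge
    # SSLv2 record header: high bit set = 2-byte header with a 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data: bytes) -> str:
    """Classify the bytes a server sent back to our SSLv2 ClientHello.

    'sslv2'     - well-formed SSLv2 ServerHello: the service speaks SSLv2 (exposed)
    'tls-alert' - TLS alert record: the service refused the SSLv2 hello
    'closed'    - no data: the service closed the connection
    'unknown'   - anything else: inconclusive, inspect by hand
    """
    if not data:
        return "closed"
    if data[0] == TLS_ALERT and len(data) >= 5 and data[1] == 0x03:
        return "tls-alert"
    # Minimum ServerHello: 2-byte header + 11-byte fixed part
    # (type, session-id-hit, cert type, version, cert len, cipher len, conn-id len).
    if data[0] & 0x80 and len(data) >= 13:
        rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
        msg_type, _hit, _cert_type, version = struct.unpack(">BBBH", data[2:7])
        if msg_type == SSLV2_SERVER_HELLO and version == 0x0002 and rec_len >= 11:
            return "sslv2"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send one SSLv2 ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


def scan(host: str, ports=CPANEL_TLS_PORTS) -> dict:
    """Probe every listed service.  One 'sslv2' verdict is enough: DROWN then
    threatens every TLS service that shares that RSA key, not just the one that answered."""
    results = {}
    for name, port in ports.items():
        try:
            results[name] = probe(host, port)
        except OSError as exc:  # refused, filtered, DNS failure, ...
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Placeholder host from the post; pass your own on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.yourdomainname.com"
    for service, verdict in scan(target).items():
        print(f"{service:14s} {verdict}")
```

Run it as `python3 probe.py www.yourdomainname.com`. The probe only checks whether a ServerHello comes back; it does not complete the SSLv2 handshake or attempt the attack, so it is safe to point at production services.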

If you’re using a different operating system or are otherwise unable to check the server directly, you also may visit a test site such as drownattack.com and enter your site’s URL into the test field.

If your server fails any of the tests listed above and you’re not able to update cPanel to the latest version, feel free to contact Heroic Support® for assistance.
