荣耀彩票代理

  • 热门专题

OpenSSLDROWN溺亡漏洞的检测及修复方法

作者:  发布日期:2016-03-07 20:38:15
  • YI、LOUDONGMIAOSHU: XIANZAILIUXINGDEFUWUQIHEKEHUDUANSHIYONGTLSJIAMI,SSLHETLSXIEYIBAOZHENGYONGHUSHANGWANGCHONGLANG,GOUWU,JISHITONGXINERBUBEIDISANFANGDUQUDAO。DROWN(NIWANG)LOUDONGYUNXUGONGJIZHEPOHUAIZHEIGEJIAMITIXI,TONGGUO“ZHONGJIANRENJIECHIGONGJI”DUQUHUOTOUQUMINGANTONGXIN,BAOKUOMIMA,XINYONGKAZHANGHAO,SHANGYEJIMI,JINRONGSHUJUDENG。

    二、漏洞影响:
    大部分支持SSLv2的服务器均会受到该漏洞影响,比如启用了ssl、tls加密的web服务器、邮件服务器。

    三、检测方法:
    你也可使用检测工具检查,下载地址:
    http://github.com/nimia/public_drown_scanner

    四、修复方法:
    确保你的私钥不适用于其他的支持sslv2服务,包括web,smtp,imap,pop服务等。禁止服务器端的sslv2支持。如果是Openssl,请查看OpenSSL官方给出的修复指南。
    http://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/

    RUGUOSHInginxFUWUQIZHIJIEZAInginx.confPEIZHIWENJIANZHONGQUDIAOssl_protocols SSLv2DEZHICHI。

    示例:
    [root@yn_vm_dev46 public_drown_scanner]# yum install python-virtualenv

    [root@yn_vm_dev46 public_drown_scanner]# virtualenv drown
    New python executable in drown/bin/python
    Installing Setuptools……………………………………………………………………………………………………………………………………………………………………………………………………done.
    Installing Pip……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….done.
    [root@yn_vm_dev46 public_drown_scanner]#
    [root@yn_vm_dev46 public_drown_scanner]#
    [root@yn_vm_dev46 public_drown_scanner]# cd drown/
    [root@yn_vm_dev46 drown]# ls
    bin include lib lib64
    [root@yn_vm_dev46 drown]# ./bin/activate
    -bash: ./bin/activate: Permission denied
    [root@yn_vm_dev46 drown]# . ./bin/activate
    (drown)[root@yn_vm_dev46 drown]#
    (drown)[root@yn_vm_dev46 drown]#
    荣耀彩票代理 (drown)[root@yn_vm_dev46 drown]# pip install enum pycrypto scapy pyasn1 scapy-ssl_tls

    (drown)[root@yn_vm_dev46 drown]# python /root/public_drown_scanner/scanner.py www.com 443
    Testing www.com on port 443
    www.com: Server is vulnerable, with cipher RC2_128_CBC_EXPORT40_WITH_MD5

    www.com: Server is vulnerable, with cipher RC4_128_EXPORT40_WITH_MD5

    www.com: Case 7; Symmetric key did not successfully verify on server finished message
    荣耀彩票代理 www.com: Server is NOT vulnerable with cipher RC4_128_WITH_MD5, Message: 7: no tls

    荣耀彩票代理www.com: Server is vulnerable, with cipher DES_64_CBC_WITH_MD5

    (drown)[root@yn_vm_dev46 drown]# python /root/public_drown_scanner/scanner.py www.com 443
    Testing www.com on port 443
    www.com: Case 3b; Connection reset by peer when waiting for server hello
    www.com: Server is NOT vulnerable with cipher RC2_128_CBC_EXPORT40_WITH_MD5, Message: 3b: no tls

    www.com: Case 3b; Connection reset by peer when waiting for server hello
    www.com: Server is NOT vulnerable with cipher RC4_128_EXPORT40_WITH_MD5, Message: 3b: no tls

    www.com: Case 3b; Connection reset by peer when waiting for server hello
    荣耀彩票代理 www.com: Server is NOT vulnerable with cipher RC4_128_WITH_MD5, Message: 3b: no tls

    www.com: Case 3b; Connection reset by peer when waiting for server hello
    www.com: Server is NOT vulnerable with cipher DES_64_CBC_WITH_MD5, Message: 3b: no tls

延伸阅读:

About IT165 - 广告服务 - 隐私声明 - 版权申明 - 免责条款 - 网站地图 - 网友投稿 - 联系方式
本站内容来自于互联网,仅供用于网络技术学习,学习中请遵循相关法律法规