The DROWN attack (Decrypting RSA with Obsolete and Weakened Encryption) can decrypt modern TLS sessions between a client and a server if that server, or any other server that presents the same SSL certificate (and therefore uses the same RSA private key), still accepts SSLv2 handshakes. The attacker never has to talk SSLv2 to the victim's TLS session itself; it only needs an SSLv2 endpoint that will use the same RSA key as a decryption oracle.
The attack is facilitated by a series of vulnerabilities in the SSLv2 implementation of OpenSSL:
- CVE-2016-0800 - allows the "General DROWN" attack
- CVE-2015-3197 - allows a client to negotiate SSLv2 cipher suites even when the server has explicitly disabled them
- CVE-2016-0703 - this permits a much faster version of the attack, called "Special DROWN"
The scanner detects all three conditions on the target services.
The cross-protocol nature of the DROWN attack makes it especially dangerous when the target server is itself properly configured (e.g. a web server that only speaks TLS 1.2) but another server in the same organization (e.g. an SMTPS server) is vulnerable because it still accepts SSLv2 and presents the same SSL certificate as the target. In that case an attacker can use the vulnerable SSLv2 server as an oracle to decrypt clients' communication with the secure web server, so every service sharing the certificate has to be checked, not just the one under test.
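The following is an added example, not the scanner's own code, showing the core check a DROWN scanner performs: it builds a raw SSLv2 ClientHello, parses the SSLv2 ServerHello that a vulnerable service returns, lists the cipher kinds the server offers (flagging the 40-bit export suites that General DROWN relies on), and compares the certificate from the SSLv2 service with the one a separate TLS-only service presents, which is the shared-certificate case described above. The hostnames, ports and the sample ServerHello bytes are constructed for illustration.

```python
"""Minimal SSLv2/DROWN probe (added example, not the scanner's own code)."""
import hashlib
import socket
import ssl
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each) -> (name, is_export_grade).
# General DROWN needs an export-grade (40-bit) suite; Special DROWN only
# needs SSLv2 to be accepted at all on an OpenSSL build with CVE-2016-0703.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": ("SSL_CK_RC4_128_WITH_MD5", False),
    b"\x02\x00\x80": ("SSL_CK_RC4_128_EXPORT40_WITH_MD5", True),
    b"\x03\x00\x80": ("SSL_CK_RC2_128_CBC_WITH_MD5", False),
    b"\x04\x00\x80": ("SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5", True),
    b"\x05\x00\x80": ("SSL_CK_IDEA_128_CBC_WITH_MD5", False),
    b"\x06\x00\x40": ("SSL_CK_DES_64_CBC_WITH_MD5", False),
    b"\x07\x00\xc0": ("SSL_CK_DES_192_EDE3_CBC_WITH_MD5", False),
}


def sslv2_client_hello(challenge=b"\x00" * 16):
    """Build an SSLv2 ClientHello record offering every SSLv2 cipher kind."""
    ciphers = b"".join(SSLV2_CIPHERS)           # dict keys, insertion order
    body = (b"\x01"                              # MSG-CLIENT-HELLO
            + b"\x00\x02"                        # CLIENT-VERSION = 2 (SSLv2)
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)               # empty session id
    # 2-byte record header: high bit set means no padding, 15-bit length
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(record):
    """Parse an SSLv2 ServerHello record; raise ValueError on anything else."""
    if len(record) < 2 or not record[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:        # MSG-SERVER-HELLO
        raise ValueError("not an SSLv2 ServerHello")
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, ciph_len, conn_len = struct.unpack(">HHH", body[5:11])
    if len(body) < 11 + cert_len + ciph_len + conn_len:
        raise ValueError("truncated SSLv2 ServerHello")
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + ciph_len]
    kinds = [SSLV2_CIPHERS.get(specs[i:i + 3], ("UNKNOWN", False))
             for i in range(0, len(specs), 3)]
    return {
        "version": version,
        "session_id_hit": bool(body[1]),
        "certificate_sha256": hashlib.sha256(cert).hexdigest(),
        "cipher_kinds": [name for name, _ in kinds],
        "export_cipher_kinds": [name for name, export in kinds if export],
        "connection_id_length": conn_len,
    }


def drown_verdict(hello, other_cert_sha256=None):
    """Summarise the exposure implied by a parsed SSLv2 ServerHello.
    other_cert_sha256: fingerprint of the certificate a different, TLS-only
    service presents; a match means that service is exposed as well."""
    if not hello["cipher_kinds"]:
        return "SSLv2 answered but no cipher kinds offered"
    verdict = "SSLv2 accepted (Special DROWN conditions met on affected OpenSSL)"
    if hello["export_cipher_kinds"]:
        verdict += "; export ciphers offered (General DROWN conditions met)"
    if other_cert_sha256 and other_cert_sha256 == hello["certificate_sha256"]:
        verdict += "; same certificate as the TLS-only service (exposed as well)"
    return verdict


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_sslv2(host, port, timeout=5.0):
    """Send an SSLv2 ClientHello to an implicit-TLS port (443, 465, 993, ...)
    and return the parsed ServerHello, or None if SSLv2 is rejected.
    Ports that need STARTTLS first (25, 587, 143) are not handled here."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sslv2_client_hello())
        try:
            header = _recv_exact(sock, 2)
            if len(header) < 2 or not header[0] & 0x80:
                return None                      # TLS alert, close or garbage
            length = struct.unpack(">H", header)[0] & 0x7FFF
            record = header + _recv_exact(sock, length)
        except socket.timeout:
            return None
    try:
        return parse_sslv2_server_hello(record)
    except ValueError:
        return None


def tls_certificate_sha256(host, port, timeout=5.0):
    """Fingerprint the leaf certificate a modern TLS service presents, so it
    can be matched against the certificate returned by an SSLv2 service."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                   # only the cert bytes matter
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


# Constructed sample: an SSLv2 ServerHello carrying a 4-byte stand-in
# certificate, two cipher kinds (one export grade) and a 16-byte connection id.
_SAMPLE_BODY = (b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", 4, 6, 16)
                + b"CERT" + b"\x01\x00\x80\x02\x00\x80" + b"\xaa" * 16)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_SAMPLE_BODY)) + _SAMPLE_BODY

if __name__ == "__main__":
    hello = parse_sslv2_server_hello(SAMPLE_SERVER_HELLO)
    print(drown_verdict(hello, hashlib.sha256(b"CERT").hexdigest()))
    # Live use (hypothetical hosts): compare an SMTPS endpoint with the web server
    # h = probe_sslv2("mail.example.com", 465)
    # if h: print(drown_verdict(h, tls_certificate_sha256("www.example.com", 443)))
```

A TLS-only server answers the SSLv2 ClientHello with a TLS alert or by closing the connection, so `probe_sslv2` returns None for it; a positive result is an SSLv2 ServerHello whose cipher list is non-empty. The certificate comparison is a DER fingerprint, which is sufficient when the services literally share a certificate as described above; servers that share only the RSA key behind different certificates would need the public keys compared instead.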
The OpenSSL DROWN vulnerability scanner is based on the public DROWN scanner, improved in terms of speed, accuracy and multi-protocol testing capabilities.