CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 99.4% |

On March 1, 2016, the OpenSSL Software Foundation released a security advisory detailing seven vulnerabilities and a new attack, referred to as the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack. A total of eight Common Vulnerabilities and Exposures (CVEs) were assigned. Of the eight CVEs, three relate to the DROWN attack. The remaining CVEs track low-severity vulnerabilities.
DROWN is a cross-protocol attack that actively exploits weaknesses in SSL Version 2 (SSLv2) to decrypt passively collected Transport Layer Security (TLS) sessions. DROWN does not exploit a vulnerability in the TLS protocol or any specific implementation of the protocol.
To execute a successful DROWN attack, the attacker must identify a server that supports both SSLv2 and TLS, and uses the same RSA key pair for both protocols. The attacker must also be able to collect TLS traffic for the server.
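
An added example (not part of the advisory or of any vendor tooling) that checks a scan inventory for the precondition described above: an RSA key offered over SSLv2 that is also used for TLS. It goes one step beyond the text by also flagging TLS-only endpoints whose key is served over SSLv2 by a different endpoint; the hostnames, fingerprints and field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory rows (hypothetical hosts and fingerprints), shaped like
# a protocol scan joined with the SHA-256 of each endpoint's RSA public key.
SCAN = [
    {"endpoint": "www.example.test:443", "protocols": {"TLSv1.2"}, "spki_sha256": "aa11"},
    {"endpoint": "mail.example.test:25", "protocols": {"SSLv2", "TLSv1.0"}, "spki_sha256": "aa11"},
    {"endpoint": "legacy.example.test:443", "protocols": {"SSLv2", "TLSv1.0"}, "spki_sha256": "bb22"},
    {"endpoint": "api.example.test:443", "protocols": {"TLSv1.2"}, "spki_sha256": "cc33"},
]


def drown_exposure(rows):
    """Return {tls_endpoint: finding} for TLS endpoints whose key is reachable over SSLv2."""
    # Index every key fingerprint by the endpoints that still accept SSLv2 with it.
    sslv2_by_key = defaultdict(set)
    for row in rows:
        if "SSLv2" in row["protocols"]:
            sslv2_by_key[row["spki_sha256"]].add(row["endpoint"])

    findings = {}
    for row in rows:
        if not any(p.startswith("TLS") for p in row["protocols"]):
            continue  # no TLS sessions to protect on this endpoint
        via = sslv2_by_key.get(row["spki_sha256"])
        if not via:
            continue  # key is never offered over SSLv2 anywhere in the inventory
        # "direct": this endpoint itself speaks SSLv2; "shared-key": another one does.
        kind = "direct" if row["endpoint"] in via else "shared-key"
        findings[row["endpoint"]] = {"kind": kind, "sslv2_endpoints": sorted(via)}
    return findings


def remediation_targets(findings):
    """Endpoints where SSLv2 has to be turned off to clear every finding."""
    return sorted({e for f in findings.values() for e in f["sslv2_endpoints"]})


if __name__ == "__main__":
    result = drown_exposure(SCAN)
    for endpoint, finding in sorted(result.items()):
        print(endpoint, finding["kind"], "via", ", ".join(finding["sslv2_endpoints"]))
    print("disable SSLv2 on:", remediation_targets(result))
```
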
This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | application_and_content_networking_system_software | any | cpe:2.3:a:cisco:application_and_content_networking_system_software:any:*:*:*:*:*:*:* |
cisco | unity | any | cpe:2.3:a:cisco:unity:any:*:*:*:*:*:*:* |
cisco | ios | any | cpe:2.3:o:cisco:ios:any:*:*:*:*:*:*:* |
cisco | prime_access_registrar | any | cpe:2.3:a:cisco:prime_access_registrar:any:*:*:*:*:*:*:* |
cisco | emergency_responder | any | cpe:2.3:a:cisco:emergency_responder:any:*:*:*:*:*:*:* |
cisco | unified_contact_center_hosted | any | cpe:2.3:a:cisco:unified_contact_center_hosted:any:*:*:*:*:*:*:* |
cisco | ios_xr_software | any | cpe:2.3:o:cisco:ios_xr_software:any:*:*:*:*:*:*:* |
cisco | cisco_ons_15454_system_software | any | cpe:2.3:o:cisco:cisco_ons_15454_system_software:any:*:*:*:*:*:*:* |
cisco | unity_express | any | cpe:2.3:h:cisco:unity_express:any:*:*:*:*:*:*:* |
cisco | intrusion_prevention_system | any | cpe:2.3:a:cisco:intrusion_prevention_system:any:*:*:*:*:*:*:* |