To help you manage your response to the DROWN OpenSSL attack, we have provided several options to understand, automate, and control its discovery in your infrastructure:
To manually detect if a system is vulnerable, please use the script below:
The signature for this script is here.
Note: This tool is intended as a supplement to the remediation steps Red Hat provides at: https://access.redhat.com/security/vulnerabilities/drown
For your protection, this script has been signed with the Customer Platform Tools key (8366b0d9). Red Hat hosts the public keys for its signed content on pgp.mit.edu. You can verify the authenticity of this script by executing the following commands:
$ gpg --keyserver pgp.mit.edu --recv 8366b0d9
$ gpg --verify DROWN-test.sh.asc DROWN-test.sh
gpg: Signature made Mon 23 Feb 2015 12:22:15 PM EST using RSA key ID 8366B0D9
gpg: Good signature from "Red Hat, Inc. (tools key)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8B12 20FC 564E 9583 2002 05FF 7514 F77D 8366 B0D9
$ chmod +x DROWN-test.sh
$ ./DROWN-test.sh
WARNING: The installed version of openssl (openssl-1.0.1e-42.el7) is vulnerable to both general and special DROWN attack and should be upgraded! See https://access.redhat.com/security/vulnerabilities/drown for more information.
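As an added example (not part of the Red Hat article or of DROWN-test.sh itself), the following POSIX shell script automates the verify-then-run procedure above using gpg's machine-readable --status-fd output, and pins the full primary key fingerprint printed above instead of the 8-hex-digit key ID, so the "not certified with a trusted signature" warning no longer has to be judged by eye. It assumes gpg is on PATH and the key has already been fetched with the gpg --recv command shown; the status lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not the article's or Red Hat's code. Pin the primary key
# fingerprint from the article rather than the short key ID 8366b0d9: short
# key IDs are only 32 bits, so a different key can share them.

# Full fingerprint of the Customer Platform Tools key, copied from the article.
EXPECTED_FPR="8B12 20FC 564E 9583 2002 05FF 7514 F77D 8366 B0D9"

# check_gpg_status EXPECTED_FPR: reads "gpg --status-fd" lines on stdin and
# prints "ok" only when a GOODSIG line is present, a VALIDSIG line ends with
# the expected primary key fingerprint (its last field), and no BADSIG/ERRSIG/
# revoked/expired-key line appears. Everything else (including empty input,
# e.g. a missing .asc file) prints "bad". Sample VALIDSIG line, constructed:
#   [GNUPG:] VALIDSIG <sig fpr> 2015-02-23 1424712135 0 4 0 1 2 00 <primary fpr>
check_gpg_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    awk -v want="$want" '
        $1 != "[GNUPG:]"                  { next }
        $2 == "GOODSIG"                   { good = 1 }
        $2 == "VALIDSIG" && $NF == want   { fpr = 1 }
        $2 ~ /^(BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG)$/ { bad = 1 }
        END { if (good && fpr && !bad) print "ok"; else print "bad" }'
}

# verify_script SCRIPT SIGNATURE: run the same verification as the article,
# but route gpg's status protocol to stdout for the fingerprint check.
verify_script() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_gpg_status "$EXPECTED_FPR"
}

# Usage: ./verify-and-run.sh DROWN-test.sh DROWN-test.sh.asc
# The script is executed only when the pinned fingerprint matches.
if [ "$#" -ge 2 ]; then
    if [ "$(verify_script "$1" "$2")" = ok ]; then
        echo "signature verified against pinned fingerprint, running $1"
        sh "$1"
    else
        echo "signature check FAILED for $1, not running it" >&2
        exit 1
    fi
fi
```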