The DROWN security vulnerability is a large-scale bug that is found in 33% of all web servers and exposes them to potential data theft.
DROWN Is a Severe Vulnerability
DROWN is the next major critical vulnerability that has the scale of the Heartbleed bug. It allows malicious users to break the encryption used on the web servers and steal sensitive information such as passwords, account credential and other assets. DROWN is actually an abbreviation that stands for Decrypting RSA with Obsolete and Weakened ENcryption.
According to Heimdal Security measurements 33% of all HTTPS servers are vulnerable by the attack, this ammounts to approximately 11 million web sites. This includes a lot of high-traffic locations such as Alibaba.com, Yahoo.com, Weibo.com, Dailymotion.com, Flickr.com and others. The DROWN bug allows third parties to launch Man in the Middle attacks (MiTM) that target the web servers running the sites. This attack is also effective against VPN networks and transcation operation machines.
DROWN is made by intercepting the secured TLS/SSL connection. It affects the way the HTTTPS connection is handled and allows attackers to bypass the cryptographic security. The problem lies in their configuration which still allows SSL version 2 which is an obsolete security standard. The other way DROWN exploit method is the reuse of the same certificate and key on multiple servers.
To protect against the bug server administrators need to ensure that their private cryptography keys are not used anywhere else. Server software that allows SSL v2 software should be shut down and reconfigured to support only the latest secure protocols.
Depending on the SSL implementation and web server type this may be either an easy or a difficult task to perform.
For more detailed information you can view the specialist web site that explains more information about the attack.