Palo Alto Networks Knowledgebase: DotW: SSLv2 Weak RSA Cipher Detected - DROWN vulnerability

DotW: SSLv2 Weak RSA Cipher Detected - DROWN vulnerability

Created On 09/26/18 19:13 PM - Last Updated 09/26/18 20:38 PM



Lately we've seen more activity in the community about the SSLv2 Weak RSA Cipher Detected - DROWN Vulnerability issue recently discovered.


The following discussion starter from member santonic asks if PA covers the Drown attack.


Does Palo Alto Networks detect the DROWN attack/vulnerability?  This is a common question being posted on the Live Community. The answer is both Yes and No. 


Let me explain:

Palo Alto Networks is able to detect the use of SSLv2 weak ciphers, which the DROWN attack uses. So, it does not directly detect the DROWN attack/vulnerability, but instead it simply uses the SSLv2 weak ciphers.  By blocking SSLv2 weak ciphers, you will block the DROWN attack, but you might also be blocking legitimate traffic as well.


The other good news is yes, Palo Alto Networks has had this coverage, detecting the use of SSLv2 weak ciphers, since Apps and Threats version 567, which was released 10 March 2016.


To read the release notes for this Apps and Threats version, click here:
Application and Threat Content Release Notes Version 567

You can obtain more information about this vulnerability from our Threat Vault site here:





We can see that the Palo Alto Networks Signature ID is 38924, and the Default action is alert.

You can also see the two CVEs listed:


Note: If you want to protect your network from SSLv2 Weak Cipher vulnerability, the default action is to only 'alert' and not to 'block'. If you would like to block this inside your security policy, then please follow these steps to ensure that you are protected.


Steps to block vulnerability


Step 1. Ensure that you have Apps and Threats version 567 or higher by going into the WebGUI > Device > Dynamic Updates. Under Applications and Threats, check the version installed. If you see it is downloaded, but not installed, please take time to install it to proceed, or else you will not be able to find it in the next steps.



Step 2. When you know you have version 567 or later installed, please proceed to Objects > Vulnerability Protection. Inside there, you need to click on the Vulnerability profile that you are using to protect your network.



Step 3. Click the Exceptions tab, then click 'Show all signatures' at the bottom left. Now, take the Signature ID from earlier, 38924, and click enter to display SSL Version 2 Weak RSA Cipher Detected.



 2016-04-26_vul-ssl.pngVulnerability Protection Profile screen showing the detail after you are able to search for threat ID 38924 - SSL Version 2 Weak RSA Cipher DetectedStep 4. Now click default (alert) in the action field and change from default (alert) to drop. Click OK, then commit your policy for this change to take effect.



I hope this helps you protect your network from the Drown vulnerability.


Please let us know if you have any questions or comments below.


Stay secure,
Joe Delio


  • Print
  • Copy Link

Change Language: