Millions of OpenSSL secured websites at risk of new DROWN attack
A recently discovered OpenSSL security hole enables an ancient, long deprecated security protocol, Secure Sockets Layer (SSLv2), to be used to attack modern web sites.
An attack exploiting this, dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), is estimated to be able to kill off at least one-third of all HTTPS servers.
According to the researchers who found the flaw, that could amount to as many as 11.5 million servers.
How bad is DROWN really? Some of Alexa's leading web sites are vulnerable to DROWN-based man-in-the-middle attacks, including Yahoo, Sina, and Alibaba.
Thanks to its popularity, the open-source OpenSSL is the most obvious target for DROWNing, but it's not the only one.
Security
Obsolete Microsoft Internet Information Services (IIS) versions 7 and earlier are vulnerable, and editions of Network Security Services (NSS), a common cryptographic library built into many server products prior to 2012's 3.13 version, are also open to attack.
You can find out if your site is vulnerable using the DROWN attack test site.
In any case, if you use OpenSSL for security and many of you do, OpenSSL 1.0.2 users should upgrade to 1.0.2g. OpenSSL 1.0.1 users should upgrade to 1.0.1s. If you're using another version move up to 1.0.2g or 1.0.1s.
With the other programs you should have long ago upgraded to newer versions of ISS and NSS. If you haven't, shame on you -- do it now.
The "good" news about DROWN is that it was uncovered by academic researchers. The bad news is that now that the vulnerability is known, you can be as sure as sure can be hackers will be attacking servers with it soon.
According to the researchers:
"We've been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that don't have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440."
You may be wondering how SSLv2, which has been known to be insecure for twenty years, can be such an important attack vector. The researchers said that "merely allowing SSLv2, even if no legitimate clients ever use it, is a threat to modern servers and clients."
"It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to any server that supports SSLv2 using the same private key," they added.
Ivan Ristic, director of engineering at Qualys and head of Qualys SSL Labs, said in remarks:
"The attack is not trivial ... I recommend that you first ensure your systems are not vulnerable. Fortunately, remediation is straightforward: Disable SSL v2 on all servers you have. It's as simple as that.... but I really do mean all servers. If you've been reusing private RSA [Rivest-Shamir-Adleman] keys (even with different certificates), disabling SSL v2 on one server is not going to help if there's some other server (possibly using a different hostname, port, or even a protocol) that continues to support this old and crazy vulnerable protocol version."
Indeed, "secure" servers can also be cracked -- just because they're on the same network as servers that are vulnerable. By using the Bleichenbacher attack, private RSA keys can be decrypted. These, in turn, can be used to unlock "secure" servers that use the same private key.
Get to work patching.
Besides the OpenSSL patches, which are available as source code, other firms -- including Canonical, Red Hat, and SUSE Linux -- will all be delivering the patches shortly.
Related stories: