On March 1, 2016, the world woke up to a newly disclosed vulnerability named DROWN, which stands for “Decrypting RSA with Obsolete and Weakened eNcryption.” It is a cross-protocol attack on RSA key exchange: an attacker who can reach a server that still speaks SSLv2 can use it as an oracle to decrypt TLS sessions protected by the same RSA key. When first disclosed, an estimated 11 million Web and email servers were vulnerable (about one-third of all HTTPS servers), including some of the most visited websites in the world such as Yahoo, Alibaba, Groupon, 4shared, BuzzFeed and Samsung.
DROWN targets an obsolete version of the protocol, Secure Sockets Layer version 2 (SSLv2). SSLv2 was in wide use before SSLv3 (which was itself deprecated after the POODLE attack) and long before TLS. An attacker who has recorded encrypted sessions with an affected server can decrypt them within hours, exposing whatever was transmitted: Personally Identifiable Information (PII), protected health information (PHI), financial data such as bank account numbers, routing numbers and credit card numbers, and the passwords to all of those accounts.
Here’s why DROWN is such a dangerous vulnerability: “We’ve been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under eight hours at a total cost of $440,” according to the researchers who discovered the vulnerability.
What is SSLv2 and how does DROWN exploit it?
SSLv2 is a 20-year-old version of SSL that has been formally prohibited since 2011 (RFC 6176). It already had well-known weaknesses: 40-bit export cipher suites, a handshake that an active attacker can tamper with, and an RSA key exchange whose ServerVerify response acts as a Bleichenbacher-style padding oracle for the server’s private key. DROWN turns that oracle against TLS. So even a server that has moved to TLS 1.2 (the successor to SSL, not a version of it) is still vulnerable if it, or any other service using the same RSA key, continues to accept SSLv2 connections.
In addition, according to OpenSSL’s blog: “… it is surprisingly common for services to share keys. DROWN can target your HTTPS server even if only your email server supports SSLv2, so long as the two share the same private key. While 11 percent of HTTPS servers with browser-trusted certificates are directly vulnerable to DROWN, another whopping 11 percent fall victim through some other service (most commonly SMTP on port 25).”
Because the general attack is passive, DROWN attackers can decrypt sessions that were recorded in the past, as long as the key is still exposed through an SSLv2 endpoint today. This applies to sessions that used RSA key exchange; sessions negotiated with forward-secret (DHE or ECDHE) cipher suites cannot be recovered from a recording this way.
What are the next steps?
If you find servers that support SSLv2, disable that support outright or, at the very least, make sure your TLS-only servers are not sharing an RSA key with any service that still accepts SSLv2 (mail servers are the usual culprit). To check whether a server accepts SSLv2 connections, use a Linux box with the OpenSSL binaries installed and run the following command:
[dan@bt ~]$ openssl s_client -connect hostname:443 -ssl2
CONNECTED(00000003)
7668:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
If the server’s certificate details are displayed after the command runs, the server has SSLv2 enabled; the handshake failure shown above is what a server that refuses SSLv2 produces. One caveat: the -ssl2 option only exists in OpenSSL builds compiled with SSLv2 support. If openssl instead reports that -ssl2 is an unknown option, your client cannot speak SSLv2 and the test is inconclusive, so use a build with SSLv2 enabled. Changing ssl2 to ssl3 or tls1 in the same command tests whether those other versions are supported.
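The following script is an added example, not code from the original article. It wraps the s_client check above in a small audit: it probes each port of a host for SSLv2, tells apart “the server refused SSLv2” from “my openssl build cannot speak SSLv2”, and prints a SHA-256 fingerprint of the RSA public key served on every port, so that the shared-key case from the quote above (an HTTPS server exposed through an SSLv2-speaking SMTP server on port 25) becomes visible. It assumes an openssl binary on PATH; the host, port list and output format are the example’s own choices.

```sh
#!/bin/sh
# Added example (not from the original article): audit one host for SSLv2 and
# compare the RSA public key served on several ports, because a TLS-only HTTPS
# service that shares its key with an SSLv2 mail service is still DROWN-able.
# Assumes an "openssl" binary on PATH. The -ssl2 flag only exists in OpenSSL
# builds compiled with SSLv2 support (default builds from 1.0.2g/1.0.1s and
# all 1.1.x/3.x builds lack it), so "client can't speak SSLv2" is reported
# separately from "server refused SSLv2".

# Classify one openssl s_client transcript. Prints exactly one word:
#   accepted  - server completed an SSLv2 handshake (it returned a certificate)
#   refused   - server rejected the SSLv2 hello (handshake failure)
#   noclient  - local openssl has no SSLv2 support; the probe is inconclusive
#   unknown   - anything else (connection refused, timeout, ...)
classify_sslv2() {
    case "$1" in
        *"nknown option"*)      echo noclient ;;   # 1.0.x and 1.1.x/3.x wording
        *"BEGIN CERTIFICATE"*)  echo accepted ;;
        *"handshake failure"*)  echo refused ;;
        *)                      echo unknown ;;
    esac
}

# Run s_client against host:port with a protocol flag (-ssl2, -ssl3, -tls1,
# or "" to negotiate normally). Mail ports get the matching STARTTLS command,
# since SMTP on 25 is the most common shared-key partner.
probe() {
    host=$1; port=$2; flag=$3
    case $port in
        25|587) starttls="-starttls smtp" ;;
        110)    starttls="-starttls pop3" ;;
        143)    starttls="-starttls imap" ;;
        *)      starttls="" ;;
    esac
    echo Q | openssl s_client -connect "$host:$port" $starttls $flag 2>&1
}

# SHA-256 over the DER-encoded public key found in an s_client transcript,
# so keys can be compared across ports even when the certificates differ.
# Returns 1 (and prints nothing) when the transcript carries no certificate.
pubkey_fingerprint() {
    pem=$(printf '%s\n' "$1" |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p')
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl x509 -pubkey -noout 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | sed 's/^.*= //'
}

# Usage: ./drown-check.sh HOST [PORT ...]   (default ports: 443 25 465 993 995)
main() {
    host=$1; shift
    [ $# -gt 0 ] || set -- 443 25 465 993 995
    for port in "$@"; do
        verdict=$(classify_sslv2 "$(probe "$host" "$port" -ssl2)")
        # A refused SSLv2 probe returns no certificate, so fetch the key with
        # an ordinary handshake; it may still be shared with a port that
        # did accept SSLv2.
        fp=$(pubkey_fingerprint "$(probe "$host" "$port" "")") || fp=
        printf '%s:%s  sslv2=%-9s pubkey=%s\n' "$host" "$port" "$verdict" "${fp:-none}"
    done
    echo "Lines with the same pubkey share an RSA key; one 'accepted' among them exposes them all."
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Read the output as a table: every port whose pubkey matches a port marked accepted is exposed, whether or not it accepts SSLv2 itself. A noclient verdict means nothing about the server; rerun from a box whose OpenSSL was built with SSLv2 support before concluding anything.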
If you work for a company that must comply with the Payment Card Industry Data Security Standard (PCI DSS), turn off support immediately, not just for SSL version 2 but also for version 3 and early TLS (TLS 1.0): PCI DSS 3.1 requires migrating off all of them.
Disabling SSLv2 across the myriad server software products in use can be daunting if you are not a server security expert. Below is a list of the most commonly used ones with brief directions on how to disable SSLv2 support in each.
- OpenSSL: Upgrade to OpenSSL 1.0.2g or 1.0.1s. These releases disable SSLv2 at build time by default and fix the OpenSSL-specific bugs (CVE-2016-0703 among them) that make the fast variant of the attack possible. OpenSSL is a library, so every application linked against an older build also needs SSLv2 removed from its own protocol settings.
- Microsoft IIS: Protocol selection on Windows is done by SChannel, not by IIS itself. IIS 7 and later (Windows Server 2008 onward) do not offer the export-grade SSLv2 ciphers DROWN needs by default; confirm that SSLv2 itself is off by checking that Enabled is 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server, and reset it if the default was changed. Versions of IIS prior to 7 should be upgraded to IIS 7 or later.
- Network Security Services (NSS): NSS 3.13 and later have SSLv2 disabled by default. Make sure it is still disabled. If you are using an earlier version, upgrade to NSS 3.13 or newer.
- Apache, NGINX, Postfix and other servers built on OpenSSL: restrict the protocol list in the server configuration rather than relying on the library default. In Apache that is the SSLProtocol directive (for example, SSLProtocol all -SSLv2 -SSLv3); in NGINX, ssl_protocols listing only TLS versions; in Postfix, smtpd_tls_protocols = !SSLv2, !SSLv3. Restart the service and re-run the s_client check above against every port, mail ports included.
The research team that discovered the DROWN vulnerability also wrote a whitepaper that has additional useful information, found here.
Sekhar Sarukkai is a co-founder and the chief scientist at Skyhigh Networks, driving the future of innovation and technology. He has more than 20 years of experience in enterprise networking, security and cloud services development.