06-03-2016, 17:57 #1
[OpenSShit] DROWN to kill off at least one-third of all HTTPS servers
Millions of OpenSSL secured websites at risk of new DROWN attack
You can find out if your site is vulnerable using the DROWN attack test site
Steven J. Vaughan-Nichols
March 1, 2016
A recently discovered OpenSSL security hole enables an ancient, long deprecated security protocol, Secure Sockets Layer (SSLv2), to be used to attack modern web sites.
An attack exploiting this, dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), is estimated to be able to kill off at least one-third of all HTTPS servers.
According to the researchers who found the flaw, that could amount to as many as 11.5 million servers.
How bad is DROWN really? Some of Alexa's leading web sites are vulnerable to DROWN-based man-in-the-middle attacks, including Yahoo, Sina, and Alibaba.
Thanks to its popularity, the open-source OpenSSL is the most obvious target for DROWNing, but it's not the only one.
Obsolete Microsoft Internet Information Services (IIS) versions 7 and earlier are vulnerable, and editions of Network Security Services (NSS), a common cryptographic library built into many server products prior to 2012's 3.13 version, are also open to attack.
You can find out if your site is vulnerable using the DROWN attack test site.
In any case, if you use OpenSSL for security and many of you do, OpenSSL 1.0.2 users should upgrade to 1.0.2g. OpenSSL 1.0.1 users should upgrade to 1.0.1s. If you're using another version move up to 1.0.2g or 1.0.1s.
With the other programs you should have long ago upgraded to newer versions of ISS and NSS. If you haven't, shame on you -- do it now.
The "good" news about DROWN is that it was uncovered by academic researchers. The bad news is that now that the vulnerability is known, you can be as sure as sure can be hackers will be attacking servers with it soon.
According to the researchers:
"We've been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that don't have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440.
You may be wondering how SSLv2, which has been known to be insecure for twenty years, can be such an important attack vector. The researchers said that "merely allowing SSLv2, even if no legitimate clients ever use it, is a threat to modern servers and clients."
"It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to any server that supports SSLv2 using the same private key," they added.
Ivan Ristic, director of engineering at Qualys and head of Qualys SSL Labs, said in remarks:
"The attack is not trivial ... I recommend that you first ensure your systems are not vulnerable. Fortunately, remediation is straightforward: Disable SSL v2 on all servers you have. It's as simple as that.... but I really do mean all servers. If you've been reusing private RSA [Rivest-Shamir-Adleman] keys (even with different certificates), disabling SSL v2 on one server is not going to help if there's some other server (possibly using a different hostname, port, or even a protocol) that continues to support this old and crazy vulnerable protocol version."
Indeed, "secure" servers can also be cracked -- just because they're on the same network as servers that are vulnerable. By using the Bleichenbacher attack, private RSA keys can be decrypted. These, in turn, can be used to unlock "secure" servers that use the same private key.
Get to work patching.
Besides the OpenSSL patches, which are available as source code, other firms -- including Canonical, Red Hat, and SUSE Linux -- will all be delivering the patches shortly.
06-03-2016, 18:05 #2
DROWN Vulnerability Hits SSL/TLS, but It's No HeartbleedSean Michael Kerner
DROWN, which stands for "Decrypting RSA with Obsolete and Weakened eNcryption," is a newly disclosed vulnerability that could be exposing millions of sites to risk today.
However, the DROWN attack is specific to the legacy SSLv2 protocol, and the impact of the flaw is not nearly as widespread as the Heartbleed flaw.
Full details on DROWN, also identified as CVE-2016-0800, are disclosed in a research paper published today, co-authored by Tel-Aviv University, Münster University of Applied Sciences, Horst Görtz Institute for IT Security, Ruhr University Bochum, University of Pennsylvania, Hashcat Project, University of Michigan, OpenSSL and Google.
"The work behind today's DROWN attack announcement represents the very best of open, collaborative, international security research," Tod Beardsley, security research manager at Rapid7, told eWEEK. "Academics and professionals actively probing the edges of practical cryptanalysis is the open-source security promise."
The DROWN attack is a vulnerability that can enable an attacker to decrypt intercepted TLS connections by abusing connections to an SSLv2 server that uses the same private key. SSLv2 is an older protocol that has been outdated for more than a decade at this point and has been replaced by Transport Layer Security (TLS). SSLv3 is also outdated; in fact, the POODLE attack disclosed in 2014 proved that SSLv3 is insecure.
With both DROWN and POODLE, an attacker is abusing the fact that servers sometimes still can enable support for older protocols alongside newer ones. The DROWN attack is not specific to any one Web server or Secure Sockets Layer/Transport Layer Security (SSL/TLS) library. That said, the open-source OpenSSL cryptographic library is being updated to help mitigate and limit the risk of a DROWN attack. Microsoft Internet Information Server (IIS) users are being advised to make sure they have disabled SSLv2 by default.
There is now also an online DROWN checker to verify if a specific server is at risk. According to the DROWN attack disclosure site, 25 percent of the top 1 million domains secured by HTTPS are vulnerable to the DROWN attack.
While DROWN is significant, it's not nearly as risky as the Heartbleed attack that was first reported in April 2014.
Unlike Heartbleed, DROWN is a bug in the underlying SSLv2 protocol, Chris Czub, security research engineer at Duo Security, explained.
"Heartbleed was an implementation bug in OpenSSL's library, which would leak bits of system memory that could contain anything: private keys, user log-in credentials, etc," Czub told eWEEK. "DROWN, on the other hand, makes attacking SSLv2 connections possible, regardless of the underlying libraries, but doesn't inherently expose the memory of the server."
With DROWN, an attacker can spy on communications, such as reading email and capturing usernames and passwords, credit card numbers and instant messages, Czub said.
Although Heartbleed is a completely different beast than DROWN, and DROWN is not worse than Heartbleed due to scale, said Josh Bressers, security strategist at Red Hat.
"Heartbleed affected everything, whereas DROWN only affects SSLv2, which no one should be running at all," Bressers told eWEEK.
Given that few Web servers actually run SSLv2 by default, some Website administrators might think they aren't at risk, but that's not necessarily the case. When you have a TLS or SSL connection, the client tells the server "here's the encryption key that I want to use," Bressers said.
"In a man-in-the-middle attack, like DROWN, attackers can sniff all of these encrypted packets and then leverage that data via a flaw in SSLv2 to send the server requests that will help them decipher the full encryption key," Bressers said. "If you aren't using SSLv2 for anything, you're fine; but it's still wise for everyone to apply updates across their respective infrastructures."