DROWN attack on TLS using servers supporting SSLv2 (CVE-2016-0800)

March 2, 2016

Summary

The OpenSSL development team published a security advisory regarding high-impact TLS/SSL vulnerabilities, which could allow an attacker to decrypt TLS sessions by using a server supporting legacy ciphers (CVE-2016-0800). [1]

Using this technique, known as DROWN, an attacker can decrypt TLS sessions between clients and hosts that support SSLv2 and EXPORT cipher suites. [2]

CVE-2016-0800 also allows for the decryption of traffic between clients and even non-vulnerable servers, if another server supporting SSLv2 and EXPORT ciphers shares the RSA keys of the non-vulnerable server.

Impact

DROWN allows attackers to break SSL encryption and read or steal sensitive communications, including but not limited to usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees. [3]

Vulnerable

  • All SSL services supporting SSLv2 ciphers are potentially vulnerable.
  • A more efficient variant of the DROWN attack exists against unpatched OpenSSL servers running versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf. SSLv2 was deprecated in 1996 and is now disabled in default builds of OpenSSL; however, an estimated more than 11 million web and email services remain vulnerable to this attack because they still support the legacy ciphers. [4]
  • Lists of servers vulnerable to this attack during the month of February 2016 have been compiled and are freely available for searching. [5]

Recommendations

  • Disable support for SSLv2 and EXPORT ciphers on all services using SSL. In addition to websites supporting HTTPS, mail servers are commonly affected.
  • Servers using OpenSSL should be upgraded to 1.0.2g or 1.0.1s, which disables SSLv2 and the export cipher suites by default.
  • Ensure that your server’s private keys are not used on any other server supporting SSLv2.
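
The following probe is added here as an example; it is not part of the original advisory or of the OpenSSL project. It checks a host for the SSLv2 support the recommendations above say to disable: it sends an SSLv2 ClientHello offering every SSLv2 cipher kind and reports which kinds, and in particular which 40-bit EXPORT kinds, the server answers with. The host and port are the only assumptions; a server with SSLv2 disabled replies with a TLS alert or closes the connection, which the parser reports as an empty result.

```python
import socket
import struct

# SSLv2 cipher-kind codes (3 bytes each). The two EXPORT40 kinds are the 40-bit ciphers DROWN needs.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every cipher kind, wrapped in a 2-byte record header."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = b"\x01\x00\x02"  # msg type CLIENT-HELLO, client version 0x0002
    body += struct.pack(">HHH", len(ciphers), 0, len(challenge))  # cipher, session-id, challenge lengths
    body += ciphers + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # high bit set = 2-byte header, no padding


def parse_server_hello(data: bytes) -> dict:
    """Parse an SSLv2 SERVER-HELLO record. Returns {} for anything else (TLS alert, EOF, ...)."""
    if len(data) < 2 or not data[0] & 0x80:
        return {}
    msg = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
    if len(msg) < 11 or msg[0] != 0x04:  # msg type SERVER-HELLO
        return {}
    version, cert_len, cipher_len, conn_id_len = struct.unpack(">HHHH", msg[3:11])
    if version != 0x0002 or len(msg) < 11 + cert_len + cipher_len + conn_id_len:
        return {}
    specs = msg[11 + cert_len:11 + cert_len + cipher_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs), 3)]
    return {"ciphers": names, "export": [n for n in names if "EXPORT" in n]}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the ClientHello to host:port (assumed values) and return what the server accepted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        buf = s.recv(2)
        if len(buf) == 2 and buf[0] & 0x80:  # read the whole record, certificate included
            need = 2 + (((buf[0] & 0x7F) << 8) | buf[1])
            while len(buf) < need and (chunk := s.recv(need - len(buf))):
                buf += chunk
        return parse_server_hello(buf)
```

Mail services that negotiate TLS via STARTTLS (SMTP, IMAP, POP3) need the plaintext STARTTLS exchange before the ClientHello is sent, which this probe does not do; an empty result on such a port is therefore not evidence that SSLv2 is disabled there.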

There are no practical steps that can be taken on client applications, such as web browsers, to protect them from this vulnerability. [6]

Information Security and Policy will send security notifications to campus security contacts for servers detected as vulnerable to DROWN, however we urge you to proactively check and remediate the vulnerability as described above.

References