DROWN attack: TLS under fire again

[sleed]

A team of security researchers last week issued a report on DROWN, a new and troubling flaw in the long-reviled SSLv2 protocol. The DROWN attack, which stands for Decrypting RSA with Obsolete and Weakened eNcryption, can "decrypt passively collected TLS sessions from up-to-date clients," according to the report.

Although modern browsers no longer support SSLv2, the researchers found that as many as 6 million HTTPS servers, or 17% of those scanned, still supported it. Using a technique known as a Bleichenbacher RSA padding oracle, the researchers demonstrated the ability to "decrypt a TLS 1.2 handshake, using 2048-bit RSA in under 8 hours using Amazon [Elastic Compute Cloud], at a cost of $440." However, when paired with a newly discovered vulnerability in versions of OpenSSL from 1998 to early 2015, the researchers reported they were able to "decrypt a TLS ciphertext in one minute on a single CPU -- fast enough to enable man-in-the-middle attacks against modern browsers."

In total, the research report stated that 33% of all HTTPS servers are vulnerable to the DROWN attack, because even those servers that don't directly offer SSLv2 share their RSA keys with other entities that do offer it, which would expose those keys.

The researchers stated they were "able to execute the DROWN attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC." The only mitigation, they said, is to disable the use of SSLv2 entirely. "To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections," the report stated. "This includes Web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS." DROWN has been assigned CVE-2016-0800, and in the latest update to OpenSSL, the SSLv2 protocol is being disabled by default, and SSLv2 EXPORT ciphers are being removed to protect against a DROWN attack.

 

Source