Reports are starting to appear of a new OpenSSL vulnerability that already has a name – DROWN. It affects servers using SSLv2, and was revealed today as an attack that could decrypt your secure HTTPS communications, such as passwords or credit card numbers in a matter of hours or immediately.
More than 33% of servers are vulnerable – significantly less than Heartbleed, but still a surprisingly high number, affecting more than 11 million websites and email servers protected by the transport layer security protocol.
More than 81,000 of the top 1 million most popular Web properties are among the HTTPS-protected sites vulnerable to the low-cost attack.
According to the DROWN attack website, it can take under a minute for the exploit to take hold, and may be actively used now that it's been disclosed.
To defend against the attack, researchers advise you should ensure SSLv2 is disabled, or make sure that their private keys are not used anywhere with server software that allows SSLv2 connections.
This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS. Those vulnerable don’t need to re-issue certificates, but should take action to prevent the attack immediately.
The DROWN website provides a form to check whether your server is exposed.
'With DROWN, a rather significant portion of the web (mail servers, VPNs, etc.) are open to an attack that, while tricky to execute, can decrypt a securely encrypted connection,' says Rob Sobers, director at threat protection firm Varonis. 'Researchers estimate more than 3.5 million HTTPS servers are vulnerable.'
'Upon reading the details of the attack, you might be tempted to think, 'None of my important servers run SSLv2, so I’m safe.' Not true! One very important nuance about this attack is that if you have even one forgotten service running SSLv2 that you haven’t updated or disabled, it can put your up-to-date systems that use other protocols like TLS at risk if you’ve shared RSA keys between them.'
As Sobers explains, DROWN is a cross-protocol attack – in simple terms, an attacker can take encrypted messages from a perfectly patched TLS server and use your vulnerable SSLv2 server to decrypt them.
'The proper response to this attack,' he says, 'is to not only disable SSLv2 everywhere (which can be complicated) but to also ensure that your private keys aren’t shared with any servers that use SSLv2.'
Craig Young, security researcher at Tripwire, argues that the latest alert reinforces the need to discontinue the use of obsolete cryptography tools for good.
Earlier this year we learned how the SLOTH attack could compromise privacy of TLS, VPN, and SSH services when the obsolete SHA-1 or MD5 hashing algorithms were used, and now we are seeing a practical attack capable of extracting private keys out of servers running the completely broken SSLv2 protocol.
Security professionals have long since been advocating that SSLv2 should not be used anywhere and the payment card industry has banned its use.
'OpenSSL is partly to blame for this as a flaw was recently patched showing how SSLv2 could still be accessible to an attacker even when all SSLv2 ciphers were disabled,' says Young. 'The team patched that issue with a low severity advisory back in January and has now released a subsequent patch to fully disable SSLv2 by default.'
'I would highly recommend that all server administrators perform scans of all services on their servers to check for the availability of SSLv2 as this problem is not just limited to HTTPS sites but can also pop up on mail or other servers using SSL.'
The attack in question involves an attacker repeatedly establishing SSLv2 sessions with a server and in the process leaking bits from the server’s private key due to problems in the protocol.
Attackers would only need to make thousands of SSLv2 connections to the server as well as performing a reasonable amount of offline computation to fully extract the server key and start decrypting other sessions to the server, warns Young.
'Naturally the decryption of other sessions requires that the attacker has some access to the network pipe but this is increasingly easy in an era where so many mobile devices have open wireless profiles,' he explains. 'Administrators should also keep an eye open for floods of connections which may be indicative of someone attempting to perform a DROWN attack on their server.'