Drown attack could break TLS for third of websites

A new vulnerability could kill a certain kind of encryption for plenty of websites. An OpenSSL update has been rushed out to fix the major flaw.

TLS certificates are vulnerable to the drown attack

Security researchers have unearthed a hack that could compromise encrypted internet traffic in just hours.

Dubbed DROWN (Decrypting RSA with Obsolete and Weakened Encryption), the flaw is found in many web servers that still support an old, insecure SSL (Secure Sockets Layer) version 2 protocol. This was succeeded by SSLv3 as far back as 1996 and was officially deprecated in 2011. SSL itself was replaced by TLS (Transport Layer Security) versions 1.0, 1.1 and 1.2.

Although modern browsers no longer use SSLv2, the researchers said that merely supporting it on a server is enough to cause problems.

In a recently published research paper, it was demonstrated that if an HTTPS server supports SSLv2, a hacker can exploit this to decrypt intercepted connections from clients even if those connections are using the most secure, up-to-date version of the TLS protocol.

“Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS ciphertext in one minute on a single CPU—fast enough to enable man-in-the-middle attacks against modern browsers. 26 [percent] of HTTPS servers are vulnerable to this attack,” the researchers said.

“We conclude that SSLv2 is not only weak, but actively harmful to the TLS ecosystem.”

While the attack has a number of prerequisites, there is a good chance that hackers could have used the flaw. The web server running HTTPS needs to either support SSLv2 itself or to share its private key with another server that does.

By making repeated SSLv2 connection requests, the researchers showed that they could discover information about the server's private RSA key. With enough requests, they were able to get the private key to decode the TLS sessions.

It is thought that around a third of servers still support this insecure technology. SSLv2 can often be accidentally enabled when setting up a new server, which is why the issue is major. The researchers blamed its existence on the stance the US government took with regards to weakened cryptography in the 1990s.

A new version of OpenSSL has been released which disables SSLv2. The update also patches a number of other minor bugs, such as CVE-2016-0705, which could lead to a denial-of-service attack or memory corruption for applications receiving DSA private keys from untrusted sources, and a side-channel attack that makes use of cache-bank conflicts on the Intel Sandy Bridge microarchitecture (CVE-2016-0702), to name but a couple.

Randy Kilmon, vice president of engineering at Black Duck, told SCMagazineUK.com that the vulnerability is the latest on a very long list of security holes associated with the SSL 2.0 protocol.

“SSL is NOT an encryption format, rather, it's a protocol for negotiating the type of encryption used to establish a secure connection over the network. Through this process, client and server will ‘agree’ to a mutually supportable encryption cypher,” he said.

Brendan Rizzo, technical director, EMEA at HPE Security Data Security, told SC that once the full extent of this vulnerability is determined, administrators will quickly move into triage mode, addressing the problems that are most obvious and most under public scrutiny. “Attackers, on the other hand, generally avoid the 'front door' and will be shifting their focus to secondary attack vectors,” he said.

“Companies will need to shore up all possible attack vectors of this vulnerability. This can only happen once organisations have performed a thorough assessment to uncover everywhere they are using the vulnerable protocols and code in their applications and servers,” he added.

Craig Young, security researcher at Tripwire, told SC that the continued use of obsolete cryptography tools needs to stop.

“Earlier this year we learned how the SLOTH attack could compromise privacy of TLS, VPN, and SSH services when the obsolete SHA-1 or MD5 hashing algorithms were used. Now we are seeing a practical attack capable of extracting private keys out of servers running the completely broken SSLv2 protocol,” he said.

“I would highly recommend that all server administrators perform scans of all services on their servers to check for the availability of SSLv2 as this problem is not just limited to HTTPS sites but can also pop up on mail or other servers using SSL,” said Young.
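Young's advice to scan your own services for SSLv2 can be automated by speaking the first message of the SSLv2 handshake yourself. The Python below is an added example, not code from the article or from the DROWN researchers' tooling: it builds an SSLv2 CLIENT-HELLO, parses whatever a server sends back, and reports whether SSLv2 was negotiated and which cipher kinds were offered; the sample reply is constructed here, not captured from any real host.

```python
import struct

# SSLv2 cipher-kind identifiers (3 bytes each) as defined in the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge=b"\x00" * 16):
    """SSLv2 CLIENT-HELLO (msg type 1, version 0.2) offering every SSLv2 cipher kind."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (b"\x01\x00\x02" + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    # Two-byte SSLv2 record header: high bit set, remaining 15 bits carry the length.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data):
    """Return (sslv2_negotiated, cipher names). Anything other than a well-formed SSLv2
    SERVER-HELLO (TLS alert, bare close, SSLv2 ERROR) means the server did not speak SSLv2."""
    if len(data) < 2 or not data[0] & 0x80:
        return False, []
    length = ((data[0] & 0x7f) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:          # 0x04 = SERVER-HELLO, 0x00 = ERROR
        return False, []
    cert_len, spec_len = struct.unpack(">HH", body[5:9])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    if len(specs) != spec_len:                      # truncated record: do not guess
        return False, []
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, spec_len, 3)]
    return True, names

def offers_export_cipher(names):
    """True if the server advertised a 40-bit export cipher, the weakest case DROWN abuses."""
    return any("EXPORT" in n for n in names)

# Constructed sample reply (not captured from any real server): SERVER-HELLO carrying no
# certificate bytes, two cipher kinds and a 16-byte connection id.
SAMPLE_SERVER_HELLO = (b"\x80\x21\x04\x00\x01\x00\x02" + struct.pack(">HHH", 0, 6, 16)
                       + b"\x01\x00\x80\x02\x00\x80" + b"\x00" * 16)
```

To check a host you administer, send `build_client_hello()` over a TCP socket to the TLS port and pass the first bytes received to `parse_server_hello()`; a server that only speaks TLS normally answers with a TLS alert or closes the connection, which the parser reports as SSLv2 unsupported.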