DROWN attack breaks TLS encryption, one-third of all HTTPS servers vulnerable

There’s a new attack that breaks the communication encryption provided by SSL and TLS and can therefore lead to theft of extremely sensitive data exchanged between users and a vulnerable server.

It has been dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) by the group of researchers who discovered it, and the name stems from the fact that many servers out there still support SSLv2, the extremely old and insecure predecessor to TLS.

DROWN attack

“In technical terms, DROWN is a new form of cross-protocol Bleichenbacher padding oracle attack. It allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key,” the researchers explained.

What’s even worse, this attack does not require much money or time to be performed. “Running the computations for the full attack on Amazon EC2 costs about $440,” they found, and the attack can be completed in under 8 hours.

And, if the server is also vulnerable to two OpenSSL bugs that affect older versions of the popular open-source crypto library, the attack can be executed for even less money and in considerably less time: “In this special case, the attacker can craft his probe messages so that he immediately learns whether they had the right form without any large computation. In this case, the attacker needs about 17,000 probe connections in total to obtain the key for one out of 260 TLS connections from the victim, and the computation takes under a minute on a fast PC.”

This makes it ideal for performing man-in-the-middle attacks between client and server.

The researchers have probed servers across the world, and believe that 33 percent of all HTTPS servers, and 25 percent of the top one million domains are vulnerable to the DROWN attack.

There’s nothing end users can do to protect themselves against DROWN attacks – it’s on server administrators to plug the hole. The researchers have offered a tool that admins can use to check whether their servers are vulnerable.

There are two instances in which a server is vulnerable: either it allows SSLv2 connections, or its private key is used on any other server that allows SSLv2 connections. “Many companies reuse the same certificate and key on their web and email servers, for instance,” the researchers pointed out.

The solution for this problem is simple: disable SSLv2 support. In practice, and depending on the software installed, the process can be a bit more complicated, but luckily the researchers have provided instructions for the most widely used server software (Microsoft IIS, Apache, Postfix, Nginx, and servers that use the Network Security Services and OpenSSL crypto libraries).

“If you’ve been reusing private RSA keys (even with different certificates), disabling SSL v2 on one server is not going to help if there’s some other server (possibly using a different hostname, port, or even a protocol) that continues to support this old and crazy-vulnerable protocol version,” pointed out Ivan Ristic, Director of Engineering at Qualys and SSL Labs project developer.
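The point made above, and in the researchers' description of the two vulnerable configurations, is that the audit unit is the RSA key, not the certificate or the hostname. The following script is an added example (not the researchers' checking tool) that fetches the leaf certificate of each endpoint in a hypothetical inventory, extracts the SubjectPublicKeyInfo with a minimal DER walk, and groups endpoints that share a key, so that disabling SSLv2 can be done on every one of them; the example.com hosts and ports are assumptions.

```python
import hashlib
import ssl
from collections import defaultdict

def _tlv(buf, pos):
    """Decode the DER header at pos; return (header_len, content_len, end_pos)."""
    length, hdr = buf[pos + 1], 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    return hdr, length, pos + hdr + length

def spki_from_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    hdr, _, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    pos = hdr
    hdr, _, _ = _tlv(cert_der, pos)        # TBSCertificate ::= SEQUENCE { ... }
    pos += hdr
    if cert_der[pos] == 0xA0:              # optional [0] EXPLICIT version (absent in v1 certs)
        _, _, pos = _tlv(cert_der, pos)
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    hdr, length, _ = _tlv(cert_der, pos)   # subjectPublicKeyInfo
    return cert_der[pos:pos + hdr + length]

def spki_fingerprint(cert_der):
    """SHA-256 of the SPKI: identical for every certificate issued for the same key."""
    return hashlib.sha256(spki_from_der(cert_der)).hexdigest()

def fetch_der(host, port):
    """Leaf certificate of a direct-TLS endpoint as DER (no chain validation; we only audit keys)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def group_by_key(endpoint_ders):
    """Map SPKI fingerprint -> ['host:port', ...] for endpoints that share that key."""
    groups = defaultdict(list)
    for (host, port), der in endpoint_ders.items():
        groups[spki_fingerprint(der)].append(f"{host}:{port}")
    return dict(groups)

if __name__ == "__main__":
    # Hypothetical inventory: HTTPS, SMTPS and IMAPS endpoints of one organisation (assumed names).
    endpoints = [("www.example.com", 443), ("mail.example.com", 465), ("mail.example.com", 993)]
    ders = {ep: fetch_der(*ep) for ep in endpoints}
    for fp, hosts in group_by_key(ders).items():
        if len(hosts) > 1:
            print(f"key {fp[:16]}... shared by {', '.join(hosts)}: SSLv2 must be off on all of them")
```

Only direct-TLS ports are fetched here; STARTTLS services (SMTP on 25/587, IMAP on 143) need their own handshake before the same key comparison applies.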

“The best attack variant is against servers that use a vulnerable version of OpenSSL. The recent versions of OpenSSL are not vulnerable because the exploited flaw had been patched (without knowing) in March 2015. But, if the conditions are right, the same SSL v2 flaw can be used for real-time MITM attacks and even against servers that don’t support the RSA key exchange at all,” he added.

He, like the researchers that discovered the attack, made sure to note that obsolete cryptography is dangerous.

“For many years the argument for not disabling SSL v2 was that there was no harm because no browsers used it anyway,” he says. “We heard the same thing before learning about Logjam, and also before FREAK. This approach is obviously not working. Instead, in the future we must ensure that all obsolete crypto is aggressively removed from all systems. If it’s not, it’s going to come back to bite us, sooner or later.”

“The U.S. government deliberately weakened three kinds of cryptographic primitives: RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers. FREAK exploited export-grade RSA, and Logjam exploited export-grade Diffie-Hellman. Now, DROWN exploits export-grade symmetric ciphers, demonstrating that all three kinds of deliberately weakened crypto have come to put the security of the Internet at risk decades later,” the researchers noted.

There is no indication that the attack has been performed in the wild before it was disclosed on Tuesday. The researchers won’t be releasing the attack code they used, but you can be sure that enterprising attackers will come up with their own pretty soon.

Admins are advised to check their servers as soon as possible and to implement the solutions/mitigations if needed.

“From the system administration perspective, this bug demonstrates the importance of holistic security assessment: it’s not enough to just make sure that your web server is secure while leaving other components (like mail servers) with outdated and insecure configurations,” commented Kyle Lady, R&D, Duo Labs. “Sysadmins should also keep an eye on the software/cryptography community’s assessment of which options are considered to be a best practice. SSLv2 was officially deprecated in 2011, so there really shouldn’t be any servers that are willing to use it anyway, except for the fact that server software often ships with the most permissive cryptography settings for the sake of compatibility.”

“From the software developer perspective, this bug underscores the value of auditing not just new code but old code as well. Many recent OpenSSL vulnerabilities have been found in code that’s been shipping for quite a few years, and the bugs just haven’t been noticed. Additionally, new functionality in a program can open up a path for an attacker to exploit previously hidden bugs in old code,” he concluded.

More technical details about the DROWN attack can be found in this paper.