What is a DROWN attack? Potentially one-third of all secure Web servers affected.
Websites that use secure encryption (SSL or HTTPS) to protect their traffic might be vulnerable to a new attack, known as DROWN, after researchers have discovered a way to disable the encryption. It is reported that up to 33% of websites that use secure encryption may be at risk. But what is a DROWN attack and what does it mean to you, and what should Website owners do about it?
Today, we have a guest article by Orla Faughnan of Ward Solutions to help shed some light on DROWN and it's effects.
What is it?
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a cross-protocol attack which can be used to decrypt TLS (Transport Layer Security) sessions, and potentially allow attackers to intercept sensitive communications and user data. The vulnerability was first disclosed on 1st March.
Who does it affect?
All HTTPS sites, mail servers and other network services which rely on SSL (Secure Sockets Layer) and TLS are vulnerable to attack. On the date of disclosure the research team involved in its identification used internet-wide scanning to gauge the breadth of vulnerable sites and reported that a third of all HTTPS sites were vulnerable at that time. Approximately 11.5 million servers are affected in total, and currently included on the list of known affected websites are high-traffic sites such as Yahoo, Buzzfeed and Samsung, among others.
Am I Vulnerable?
Your websites , email servers, etc. may be vulnerable if they use SSL Version 2.0 Previous to this disclosure, while allowing SSLV2 was not considered best practice; it was not considered a security risk as up to date clients didn’t use this protocol. However, in light of the recent attacks, it is recommended to immediately disable SSLV2 as it is now a threat to modern servers and clients.
The international group of researchers from universities, Google and OpenSSL who discovered the attack have stated that servers are vulnerable to DROWN if they allow SSLV2 connections, or if their private key is used on any other server that allows SSLV2 connections, even for another protocol.
For example, if an organisation uses a certificate on a web server which does not allow SSLV2 but they have an email server which allows SSLV2 that is also using the same certificate, then an attacker can utilise the email server to break TLS connections on the web server.
I’m affected, what now?
The recommendation is to disable SSLV2, paying particular attention to ensure that private keys are not used anywhere that permits SSLV2 connections. The research team behind the discovery have provided instructions on mitigation for a series of common products on their dedicated website, and IT managers and teams in Ireland are advised to review this and any vendor security advisories as they are published.
Orla Faughnan has several years experience with Ward Solutions, one of Ireland's largest Information Security Providers, supporting customers ranging from technology, business, governement and semi-state companies.
Ward provide security and risk management solutions, via a comprehensive range of information security services centred on assessment and assurance, strategy and architecture, through to systems integration and deployment.
Cryptography Engineering: Attack of the Week - Drown
Source: Ward Solutions