GlobalSign Blog

14 Mar 2016

The DROWN Attack Vulnerability and Changing Your Server Configuration

DROWN stands for 'Decrypting RSA using Obsolete and Weakened Encryption'. In short, this means that TLS connections to a large proportion of websites, mail servers and VPNs are open to attack. SSLv2 was first released in 1995 and deprecated in 2011. It was found that 33% of all HTTPS servers, and 22% of those with browser-trusted certificates, are vulnerable to the attack. In a separate experiment it was found that OpenSSL, released in 1998, could also be vulnerable. Against a server running an unpatched SSLv2 implementation, an attacker can decrypt a TLS ciphertext in one minute on a single CPU, which is fast enough to enable man-in-the-middle attacks against modern servers. 26% of all HTTPS servers are vulnerable to this attack. For a more detailed analysis of DROWN you can read the full paper here.

In most cases this vulnerability is simply due to server configurations not having been updated. Some embedded devices that have not been updated in years are also vulnerable. OpenSSL, a free Apache toolkit for the TLS and SSL protocols, provides an option to disable the SSLv2 cipher suites, but with the recent attack it was found that this option did not actually work. Luckily this was patched in January 2016.

Because most people will not buy multiple certificates, a server will use the same RSA private key for both the TLS and SSLv2 protocols, meaning that any bug in SSLv2 can directly affect TLS. The DROWN attack uses exactly this to break the encryption.

The frequent series of SSL and TLS vulnerabilities is starting to make website owners numb to the ongoing reports of security issues. There have been at least 10 well-publicized security vulnerabilities over the past 5 years, and the rate has increased over the past year; the latest of these is the DROWN attack.

Recent SSL/TLS Vulnerabilities and Recommended Mitigation

Date | Name | Vulnerability | Mitigation
---- | ---- | ------------- | ----------
September 2011 | BEAST | TLS 1.0 and earlier protocols result in client-side vulnerabilities | Use only AES-GCM suites, supported only in TLS 1.2
June 2013 | CRIME | Attacker can leverage information leaked by compression to recover some plaintext | Disable TLS/SPDY compression
August 2012 | BREACH | Leaks plaintext information | Disable HTTP compression
February 2013 | Lucky13 | All TLS and DTLS cipher suites which include CBC-mode encryption are potentially vulnerable | Update OpenSSL, NSS and related crypto libraries
April 2014 | Heartbleed | OpenSSL bug that could be exploited to get the SSL private keys and thus compromise the security of user data | Update OpenSSL; revoke and reissue SSL certificates; have users change their passwords
October 2014 | POODLE | Attackers can cause the server to fall back to SSLv3 | Disable SSLv3, or implement TLS_FALLBACK_SCSV if you need to support older browsers
March 2015 | Bar Mitzvah Attack | Exploits outdated RC4 encryption | Disable RC4
March 2015 | FREAK | Clients can be downgraded from strong RSA to export-grade RSA when both the browser and server are vulnerable | Disable export ciphers in server configurations; patch OpenSSL; users should upgrade browsers
May 2015 | Logjam | Servers using Diffie-Hellman key exchange are vulnerable to having their sessions downgraded to extremely weak 512-bit key material | Disable DHE_EXPORT ciphers; clients should upgrade their browsers
March 2016 | DROWN | Sites that support SSLv2 and EXPORT cipher suites | Disable SSLv2 and/or update OpenSSL

It's no surprise that website administrators are growing more complacent about these vulnerabilities. The Register reports that website updates for DROWN are slower than for prior incidents, with only 5% of sites making updates in the first week following the announcement. While DROWN is harder to exploit, website operators should have well-documented processes to patch their systems and make essential security updates.

While the company iSIGHT Partners labelled the DROWN attack "medium-risk" and of only "moderate" threat, it is yet another recent publicized report in a long series of SSL vulnerabilities. DROWN can even apply to companies that have removed support for SSLv2, because of an OpenSSL vulnerability (CVE-2015-3197), so just disabling SSLv2 might not be sufficient: some servers that are configured not to advertise SSLv2 can be tricked into using it by clients that specifically request SSLv2, due to the OpenSSL bug.
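This distinction matters in practice: a server whose configuration says SSLv2 is off can still complete an SSLv2 handshake if its OpenSSL is unpatched, so the reliable check is to ask the server directly rather than read its configuration. The following Python is an added example, not code from GlobalSign, from OpenSSL or from the DROWN authors: it builds the SSLv2 CLIENT-HELLO that a test tool sends, parses the SERVER-HELLO that an SSLv2-enabled server returns, and lists which SSLv2 cipher specs (export-grade ones included) the server offered. The message layouts and cipher-spec codes follow the SSLv2 specification; the sample SERVER-HELLO, the placeholder certificate bytes and the `check_host` helper are constructed for this illustration.

```python
"""SSLv2 self-check for a host you administer: build the SSLv2 CLIENT-HELLO,
parse the SERVER-HELLO, and report which SSLv2 cipher specs the server offers.
A constructed SERVER-HELLO is included so the parser can be exercised offline."""
import os
import socket
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# SSLv2 cipher-spec codes (3 bytes each) as defined in the SSLv2 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002


@dataclass
class Sslv2Result:
    supports_sslv2: bool
    ciphers: List[str] = field(default_factory=list)
    export_ciphers: List[str] = field(default_factory=list)


def build_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher spec, with an empty session id."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(specs), 0, len(challenge)) + specs + challenge
    # Two-byte record header; the high bit set means "no padding byte follows".
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes) -> Sslv2Result:
    """supports_sslv2 is True only if the reply is an SSLv2 SERVER-HELLO."""
    if len(data) < 2 or not data[0] & 0x80:
        # Empty reply, a TLS alert record (0x15 ...) or anything else that is not SSLv2.
        return Sslv2Result(False)
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return Sslv2Result(False)  # e.g. an SSLv2 ERROR message (type 0)
    (_, _session_hit, _cert_type, version,
     cert_len, specs_len, _conn_len) = struct.unpack("!BBBHHHH", body[:11])
    if version != SSLV2_VERSION:
        return Sslv2Result(False)
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], "unknown " + specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return Sslv2Result(True, names, [n for n in names if "EXPORT" in n])


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> Sslv2Result:
    """Network version (hypothetical helper): send the CLIENT-HELLO to a server
    you operate and parse whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_server_hello(reply)


def sample_server_hello() -> bytes:
    """Constructed SERVER-HELLO (not captured from any real host) for offline use:
    a placeholder certificate and three cipher specs, one of them export-grade."""
    cert = b"\x30\x03\x02\x01\x01"  # placeholder DER bytes, not a real certificate
    specs = b"\x01\x00\x80\x02\x00\x80\x06\x00\x40"
    conn_id = bytes(range(16))
    body = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    result = parse_server_hello(sample_server_hello())
    print("SSLv2 offered:", result.supports_sslv2,
          "| export ciphers:", result.export_ciphers)
```

A server that is properly hardened, or whose OpenSSL carries the January 2016 patch, answers the CLIENT-HELLO with a TLS alert or simply closes the connection, and `supports_sslv2` stays False; any SERVER-HELLO at all is a finding, and export-grade specs in it mean the cheaper DROWN variant from the table applies.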

Updating Server Configurations to Safe-Guard Against Future Attacks

Use free tools

Mozilla has an SSL Configuration Generator that will generate SSL server configurations for common web servers, with Modern, Intermediate or Old browser profiles depending on your website's visitor profile. This includes guidance on cipher suites, HTTP Strict Transport Security (HSTS), OCSP stapling, session resumption, HTTP Public Key Pinning (HPKP), etc., which will improve the security and performance of your website. You can check your server configuration using the GlobalSign SSL Server Test to identify whether it is vulnerable to many of the incidents reported above.

Update to latest OpenSSL and cryptography

In addition to the server configuration, you want to be sure you're using the latest OpenSSL and related crypto libraries, so you should be tracking patches and updates on at least a weekly basis.

Update system passwords and SSL certificate keys

And lastly, you should regularly change your system passwords and reissue your SSL certificates with new keys to limit the impact of future vulnerabilities.
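As an added example that serves both the mitigation table above and the configuration advice in this section (it is not code from GlobalSign, Mozilla or the DROWN authors), the following Python audits an Apache mod_ssl or nginx TLS configuration for the settings the table says to remove: the SSLv2 and SSLv3 protocols, the RC4 and export-grade cipher families, and TLS compression. The directive names are the real Apache and nginx ones; the cipher-string handling is a conservative heuristic (a broad selector such as ALL counts as enabling a family unless a !FAMILY token excludes it, and Apache's `all` is treated as Apache 2.2 did, as including SSLv2); the weak and hardened configurations and the function names are constructed for this illustration.

```python
"""Heuristic audit of an Apache (mod_ssl) or nginx TLS configuration against the
mitigations in the vulnerability table. Sample configurations are constructed inline."""
from typing import List, Tuple

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Protocol -> attack from the table that leaving the protocol enabled exposes.
PROTOCOL_FINDINGS = {"SSLv2": "DROWN: SSLv2 enabled", "SSLv3": "POODLE: SSLv3 enabled"}
# Cipher family -> attack from the table (token matching is case-insensitive).
FAMILY_FINDINGS = {
    "RC4": "Bar Mitzvah: RC4 cipher suites enabled",
    "EXPORT": "FREAK/Logjam/DROWN: export-grade cipher suites enabled",
}
# OpenSSL cipher-list selectors that pull in weak families unless they are excluded.
BROAD_SELECTORS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "MEDIUM", "LOW"}


def enabled_protocols(args: List[str]) -> set:
    """Apache 'SSLProtocol' semantics: 'all' plus '+'/'-' adjustments. nginx lists
    protocols explicitly, which the same loop handles. Assumption: 'all' includes
    SSLv2, as it did in Apache 2.2 (conservative for later versions)."""
    enabled = set()
    for tok in args:
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def weak_cipher_families(cipher_string: str) -> List[str]:
    """A family counts as enabled when a token names it without '!' or a broad
    selector is present, and no '!FAMILY' token excludes it. Only the families in
    FAMILY_FINDINGS are checked; 'EXP' is the short OpenSSL alias for 'EXPORT'."""
    tokens = [t.strip().upper() for t in cipher_string.strip("'\"").split(":")]
    weak = []
    for family in FAMILY_FINDINGS:
        aliases = (family, "EXP") if family == "EXPORT" else (family,)
        excluded = any(t in {"!" + a for a in aliases} for t in tokens)
        named = any(a in t and not t.startswith("!") for t in tokens for a in aliases)
        broad = any(t in BROAD_SELECTORS for t in tokens)
        if (named or broad) and not excluded:
            weak.append(family)
    return weak


def audit_config(text: str) -> List[Tuple[str, str]]:
    """Return (directive line, finding) pairs for every directive it understands."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")  # drop comments, nginx ';'
        if not line:
            continue
        directive, *args = line.split()
        name = directive.lower()
        if name in ("sslprotocol", "ssl_protocols"):
            for proto in sorted(enabled_protocols(args) & set(PROTOCOL_FINDINGS)):
                findings.append((line, PROTOCOL_FINDINGS[proto]))
        elif name in ("sslciphersuite", "ssl_ciphers"):
            for family in weak_cipher_families(" ".join(args)):
                findings.append((line, FAMILY_FINDINGS[family]))
        elif name == "sslcompression" and args and args[0].lower() == "on":
            findings.append((line, "CRIME: TLS compression enabled"))
    return findings


# Constructed mod_ssl fragments (not taken from any real server).
WEAK_APACHE = """\
SSLProtocol all
SSLCipherSuite ALL:!aNULL:!eNULL
SSLCompression on
"""
HARDENED_APACHE = """\
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4:!EXPORT
SSLCompression off
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_APACHE), ("hardened", HARDENED_APACHE)):
        print(label + ":")
        for directive, finding in audit_config(cfg) or [("-", "no findings")]:
            print("  " + finding + "  <-  " + directive)
```

The audit reads the configuration as written, so it complements rather than replaces an on-the-wire test: as the previous section notes, an unpatched OpenSSL can still negotiate SSLv2 even when the configuration disables it, which is why the table pairs "disable SSLv2" with "update OpenSSL".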

If you are a GlobalSign customer and have any questions about how DROWN affects you then contact us today or look for more information on disabling your server configurations on our support website.
