Report: 3.5 Million HTTPS Servers Vulnerable to DROWN
A report released Tuesday on the DROWN vulnerability raises concerns about possible attacks that could expose encrypted communications.
DROWN, which stands for "Decrypting RSA with Obsolete and Weakened eNcryption," is a serious vulnerability that affects HTTPS and other services using SSL version 2, according to the team of security researchers who compiled the report.
The protocols affected are some of the essential cryptographic protocols for Internet security. An attack could decrypt secure HTTPS communications, such as passwords or credit card numbers, within minutes.
More than 3.5 million HTTPS servers are vulnerable, researchers estimate. Victims could include anyone on the Internet browsing the Web, using email, shopping or sending instant messages. An attacker could strip encryption from the connection, allowing third parties to read the communication.
"The attack is not trivial [and] can be done cheaply against high-value targets," said Ivan Ristic, director of engineering at Qualys.
Risky for Business
The attack is an extension of the 1998 Bleichenbacher attack that can be used to decrypt a ciphertext when a padding oracle exists, he told LinuxInsider. One out of every 1,000 full TLS handshakes can be decrypted, compromising the entire TLS session.
Thirty-eight percent of all HTTPS servers and 22 percent of those with browser-trusted certificates are vulnerable to the protocol-level attack, researchers found. They credit that to widespread key and certificate reuse.
About one-quarter of the top million sites listed by Alexa are vulnerable to breaking TLS through attacking SSLv2. The attackers can gain any communication between users and the server, according to researchers.
That information can include usernames and passwords, credit card numbers, emails, instant messages and sensitive documents. Under some common scenarios, an attacker also can impersonate a secure website and intercept or change the content the user sees, report author Nimrod Aviram, an engineering faculty member at Tel Aviv University, told LinuxInsider.
"Considering almost all servers on the Internet could be impacted by this attack, I would say this threat is considerably widespread or severe," said Alex Pezold, CEO of TokenEx.
The data at risk is very sensitive, and the threat should be taken seriously, he told LinuxInsider. Companies should test their environments for exposure so they can remediate as quickly as possible.
Dealing With It
DROWN is a serious attack, but it can be prevented quite easily using measures that were recommended to server operators and system administrators a long time ago, according to Yehuda Lindell, chief scientist at Dyadic. That involves disabling SSLv2 and even SSL v3.
"DROWN can be prevented by configuring the server to not ever support SSLv2. Thus, it does not require updating the server software -- like in Heartbleed -- and can be prevented by configuration only," he told LinuxInsider.
The proper response to the attack is to disable SSLv2 everywhere, which can be complicated, and to also ensure that your private keys are not shared with any servers that use SSLv2, noted Rob Sobers, director in the strategy and market development group at Varonis.
"One very important nuance about this attack is that if you have even one forgotten service running SSLv2 that you have not updated or disabled, it can put your up-to-date systems that use other protocols like TLS at risk if you have shared RSA keys between them," he told LinuxInsider.
The threat is highly severe because it undermines the confidentiality of communication based on TLS/SSL encrypted protocols, such as HTTPS, which is used frequently in e-commerce websites. Sites can avoid the issue by disabling the SSLv2 protocol in all their SSL/TLS servers, including HTTP, IMAP, POP and SMTP servers, according to Michelangelo Sidagni, CTO at NopSec.
"Servers that have not disabled the SSLv2 protocol and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2 ciphers are nominally disabled, because malicious clients can force the use of SSLv2 with EXPORT ciphers," he told LinuxInsider.
OpenSSL is the most vulnerable and common library in version 1.0.2g, and SSLv2 is disabled by default at built-time as a mitigation strategy, Sidagni said.
SSLv2 goes back to 1995. It had several flaws, which was the main reason SSLv3 was released in 1996. However, SSLv2 and SSLv3 were deprecated in 2011 and 2015 and should be disabled, regardless of the DROWN vulnerability, according to Dodi Glenn, vice president of cybersecurity at PC Pitstop.
"The fix is fairly easy to implement. Disable support for SSLv2. The SSLv2 threat is severe, since it not is often enabled automatically, but because it allows a hacker to intrude on secure data," he told LinuxInsider.
Individual computer users are at the mercy of those who run servers and websites. They can't do anything on their end to prevent becoming victims, noted report co-author Aviram.
"There is nothing practical that Web browsers or other client software can do to prevent DROWN,"," he said. "Only server operators are able to take action to protect against the attack."