OpenSSL - Drown Vulnerability

Summary

Drown is a cross-protocol attack on TLS using SSLv2 (CVE-2016-0800). Modern servers and clients use the TLS encryption protocol.
However, due to misconfigurations, many servers also still support SSLv2 (deprecated since 2011), an old predecessor of TLS. This support did not matter in practice, since no up-to-date clients actually use SSLv2.
Therefore, even though SSLv2 is known to be badly insecure, until now, merely supporting SSLv2 was not considered a security problem, because clients never used it.

DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.

Recovering one session key requires the attacker to perform approximately 2^50 computation, as well as thousands of connections to the affected server.
A more efficient variant of the DROWN attack exists against unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on 19 March 2015 (see CVE-2016-0703).

Mitigation

A server is vulnerable to DROWN if:

  • It allows SSLv2 connections.
  • Its private key is used on any other server that allows SSLv2 connections, even for another protocol

Network administrators can determine if a server supports SSLv2 with the following command:

openssl s_client -connect host:443 -ssl2

If certificate information is returned, then SSLv2 is supported.

Solutions

Always disable SSLv2

As seen, even if not used, SSLv2 can be a treat. So, you must always disable SSLv2 (disabled by default with the last update of OpenSSL).

Do not reuse SSL certificates or key material

This issue can be mitigated on TLS connections by using unique SSL keys and certificates. If possible, do not reuse key material or certificates between SSLv2 and TLS support on multiple servers.

Monitor network and use firewall rules

We recommend enabling firewall rules to block SSLv2 traffic. Since the attack requires approximately 1000 SSL handshakes, network administrators may also monitor logs to look for repeated connection attempts. However, this data may also be obtained via man-in-the-middle or other attacks, not solely from direct connections.

Upgrade your OpenSSL package to the lastest version (01 march 2016)

  • OpenSSL 1.0.2 users should upgrade to 1.0.2g
  • OpenSSL 1.0.1 users should upgrade to 1.0.1s
  • Older OpenSSL users should upgrade to 1.0.1s or 1.0.2g

External references