New HTTPS Flaw: “DROWN” Attack
The OpenSSL project recently released a new update to address a critical vulnerability (CVE-2016-0800) dubbed “DROWN” which stands for “Decrypting RSA using Obsolete and Weakened eNcryption”.
From the OpenSSL security advisory:
“A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800).”
In a nutshell, the DROWN attack relies on servers that support SSLv2. In the first variant, a single server supports both SSLv2 and TLS. In the second variant, a separate SSLv2 server shares its RSA keypair with the TLS server, which means the SSLv2 server can be used to decrypt the TLS server’s traffic.
This vulnerability could easily be mitigated by disabling SSLv2 and never reusing keypairs across servers. “But if it’s so easy to mitigate, why is it such a big deal?”, one might ask. According to the DROWN website (which is ironically behind CloudFlare, which is in a position to MITM SSL traffic), the vulnerability affects 33% of all HTTPS servers on the internet, including Yahoo, BuzzFeed, and HostGator.
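The practical check that follows from the above is whether any server holding a given RSA key still answers SSLv2 and offers EXPORT cipher kinds. The probe below is an added example, not code from the original post or from the DROWN researchers: it sends a bare SSLv2 CLIENT-HELLO and parses the SERVER-HELLO; `probe()` takes whatever host and port you pass it, and the SERVER-HELLO bytes used in the test are constructed.

```python
import socket
import struct
# SSLv2 cipher kinds (3 bytes each); the *_EXPORT40_* ones are the 40-bit export ciphers
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def sslv2_client_hello() -> bytes:
    """CLIENT-HELLO offering every cipher kind, so the SERVER-HELLO lists all of them."""
    ciphers = b"".join(SSLV2_CIPHERS)
    challenge = b"\x00" * 16  # a fixed challenge is fine for a probe
    body = b"\x01\x00\x02"    # msg type CLIENT-HELLO, version 0x0002
    body += struct.pack(">HHH", len(ciphers), 0, len(challenge)) + ciphers + challenge
    # 2-byte record header: high bit set = no padding byte, low 15 bits = body length
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data: bytes) -> dict:
    """Cipher kinds offered by an SSLv2 SERVER-HELLO record; ValueError for anything else."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 record")
    body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
    if len(body) < 11 or body[0] != 0x04:
        raise ValueError("not an SSLv2 SERVER-HELLO")
    # type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2) specs-len(2) conn-id-len(2)
    cert_len, spec_len, _ = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    ciphers = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs), 3)]
    return {"sslv2": True, "ciphers": ciphers,
            "export": [c for c in ciphers if "EXPORT" in c]}

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the CLIENT-HELLO and classify the reply; a SERVER-HELLO means SSLv2 is enabled."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(sslv2_client_hello())
        f = s.makefile("rb")  # read(n) blocks until n bytes arrive or the peer closes
        reply = f.read(2)
        if len(reply) == 2 and reply[0] & 0x80:
            reply += f.read(((reply[0] & 0x7F) << 8) | reply[1])
    try:
        return parse_sslv2_server_hello(reply)
    except ValueError:  # TLS alert, empty reply or close: the server does not speak SSLv2
        return {"sslv2": False, "ciphers": [], "export": []}
```

Run `probe()` against every host that shares the key (mail servers on 25/465/993/995 included), not just the HTTPS front end, since the second DROWN variant only needs one of them to still speak SSLv2.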
Although CVE-2016-0800 is the CVE assigned to DROWN, there are other CVEs that make DROWN even worse, as the website explains:
“The DROWN attack itself was assigned CVE-2016-0800. DROWN is made worse by two additional OpenSSL implementation vulnerabilities. CVE-2015-3197, which affected OpenSSL versions prior to 1.0.2f and 1.0.1r, allows a DROWN attacker to connect to the server with disabled SSLv2 ciphersuites, provided that support for SSLv2 itself is enabled. CVE-2016-0703, which affected OpenSSL versions prior to 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf, greatly reduces the time and cost of carrying out the DROWN attack.”
The US government is largely responsible for this vulnerability because it restricted the export of strong cryptography until the end of the 1990s. The DROWN website explains:
“The U.S. government deliberately weakened three kinds of cryptographic primitives: RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers. FREAK exploited export-grade RSA, and Logjam exploited export-grade Diffie-Hellman. Now, DROWN exploits export-grade symmetric ciphers, demonstrating that all three kinds of deliberately weakened crypto have come to put the security of the Internet at risk decades later.”
System administrators are also to blame for not disabling a protocol that has been known to be weak and vulnerable for over a decade.
The security researchers have said “We’ve been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440.”
Not only is traffic decryption possible, MITM attacks are possible as well, according to the technical paper.
Configuring your browser to reject SSLv2 will only prevent the first version of this attack; the second version can still be carried out.