Thursday, 3 March 2016

DROWN vulnerability a risk to Irish Business



By Orla Faughnan, Ward Solutions


What is it?

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a cross-protocol attack which can be used to decrypt TLS (Transport Layer Security) sessions, and potentially allow attackers to intercept sensitive communications and user data. The vulnerability was first disclosed on 1st March.

Who does it affect?

All HTTPS sites, mail servers and other network services which rely on SSL (Secure Sockets Layer) and TLS are vulnerable to attack. On the date of disclosure the research team involved in its identification used internet-wide scanning to gauge the breadth of vulnerable sites and reported that a third of all HTTPS sites were vulnerable at that time. Approximately 11.5 million servers are affected in total, and currently included on the list of known affected websites are high-traffic sites such as Yahoo, Buzzfeedand Samsung, among others.


Am I Vulnerable?

Your websites , email servers, etc. may be vulnerable if they use SSL Version 2.0 Previous to this disclosure, while allowing SSLV2 was not considered best practice; it was not considered a security risk as up to date clients didn’t use this protocol. However, in light of the recent attacks, it is recommended to immediately disable SSLV2 as it is now a threat to modern servers and clients.

The international group of researchers from universities, Google and OpenSSL who discovered the attack have stated that servers are vulnerable to DROWN if they allow SSLV2 connections, or if their private key is used on any other server that allows SSLV2 connections, even for another protocol.


For example, if an organisation uses a certificate on a web server which does not allow SSLV2 but they have an email server which allows SSLV2 that is also using the same certificate, then an attacker can utilise the email server to break TLS connections on the web server.


I’m affected, what now?

The recommendation is to disable SSLV2, paying particular attention to ensure that private keys are not used anywhere that permits SSLV2 connections. The research team behind the discovery have provided instructions on mitigation for a series of common products on their dedicated website, and Ward advises that IT managers and teams in Ireland review this and any vendor security advisories as they are published.


Further reading:

https://blog.qualys.com/securitylabs/2016/03/01/drown-abuses-ssl-v2-to-attack-rsa-keys-and-tls

http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html