SSLv2 DROWN Attack Details:
The Secure Socket Layer version 2 (SSLv2) Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack has generated a lot of buzz within the cyber security and IT community recently, because a large number of servers still accept SSLv2 and are therefore potentially vulnerable. Organizations of all kinds should be aware of this vulnerability and take appropriate action to mitigate the underlying risk.
The DROWN attack methodology allows attackers to decrypt ciphertext (encrypted data) by initiating crafted connections to vulnerable servers that are configured to allow SSLv2. It is a cross-protocol variant of the Bleichenbacher RSA padding oracle attack.
Researchers have successfully carried out the DROWN attack using computational resources from Amazon EC2 for approximately $440 U.S. Dollars. This is relatively cheap if the value of the encrypted information is high. For example, if attackers are intent on stealing information that they can sell for a much higher price, the $440 cost is of minimal concern.
These attacks can leak data in two different ways. The first approach accumulates SSLv2 handshake data and then uses it to decrypt RSA-based sessions. The second approach is much easier: it leverages an OpenSSL vulnerability that lets the attacker craft probe messages and instantaneously obtain confirmation that the attacker's modified ciphertext is validly formed.
Such attacks are made possible by taking advantage of the SSLv2 protocol, which is fundamentally flawed. Successful attacks result in loss of confidentiality by exposing the plaintext of encrypted traffic. This is a serious blow to security, with the potential to leak sensitive information.
Although most contemporary servers and clients use Transport Layer Security (TLS), many servers have vulnerable configurations because they support SSLv2 alongside TLS. This cross-protocol attack was assigned a severity of high under CVE-2016-0800. It can decrypt the TLS sessions of any server that also supports SSLv2, by using the SSLv2 EXPORT cipher suites as a Bleichenbacher RSA padding oracle.
Potential Damage Scope of DROWN:
Encryption is one of the main defenses against attacks on confidentiality, which is one of the primary components of the Confidentiality, Integrity, and Availability (CIA) triad. Defeating this security mechanism grants attackers full access to otherwise protected information. The DROWN attack is particularly concerning for the following reasons:
- According to an Internet-wide scan, 33% of sites using HTTPS are vulnerable to DROWN attacks. This amounts to 11.5 million servers worldwide.
- DROWN attacks involve loss of sensitive encrypted information, compromising its confidentiality. This includes but is not limited to banking information, e-mails, credit card information, and passwords.
- Successful DROWN attacks can result in interception and destruction or modification of data in transit, allowing attackers to masquerade as legitimate users and carry out additional attacks.
- Many servers allow TLS and SSLv2 connections by default, which is a poor security configuration and will facilitate the success of DROWN attacks.
DROWN – Potentially Vulnerable Server Types:
Numerous types of public-facing servers are vulnerable to DROWN if they support SSLv2 connections, or if they share a private key with software that accepts SSLv2. This holds true even if another protocol such as TLS is in use. The following are some, but not all, of the types of servers which are potentially vulnerable to DROWN:
- Web servers
- IMAP servers
- SMTP servers
- POP servers
- FTP Servers
The U.S. CERT Advisory has a detailed list of vulnerable libraries and software packages.
DROWN – Potentially Vulnerable Service Types:
Services that are potentially vulnerable to DROWN include the following well-known open source and commercial software products.
- Microsoft IIS
- Network Security Services
Defensive Measures against DROWN:
It is prudent to take action to ensure that your servers are not vulnerable to the DROWN attack. In most cases, the effort to patch is minimal. At a minimum this patching should be performed; ignoring this vulnerability may result in dire consequences as previously noted. The following are several defensive measures which are recommended by WraySec and the security community at large:
- Update and patch software on servers.
- Perform routine vulnerability scans and penetration tests against servers. It is advisable to hire a team of cyber security professionals such as WraySec for this purpose.
- Disable SSLv2 protocol on SSL/TLS enabled servers, and disable all SSLv2 ciphers.
- Create and implement effective IDS rules to detect and alert upon potential DROWN attack activity.
- Use firewalls with protocol inspection to filter SSLv2 traffic.
- Monitor and perform analysis of firewall logs, IDS alerts, and network traffic in order to detect compromise related to DROWN attacks.
- Implement unique SSL keys and certificates. Never reuse SSL key material or certificates.
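The monitoring and IDS recommendations above can be expressed as a small detector. The following is an added example written for this post (not code from WraySec or from any IDS product): it recognizes SSLv2 CLIENT-HELLO records by their two-byte header and version field, notes whether the client offered the 40-bit EXPORT cipher specs that DROWN relies on, and flags any source whose SSLv2 connection count reaches a threshold. The connection records, IP addresses and payload bytes are constructed for illustration; a real deployment would feed the detector from a packet capture or sensor.

```python
"""Flag SSLv2 handshakes, export-cipher offers and SSLv2 connection bursts in connection records.

Added example for this post, not code from WraySec or from any IDS vendor. It runs over
constructed records of the form (timestamp, source IP, destination port, first payload
bytes); a deployment would feed it from a packet capture or sensor instead.
"""
from collections import defaultdict

# SSLv2 cipher specs whose 40-bit keys DROWN brute-forces (values from the SSL 2.0 draft).
EXPORT40_SPECS = {
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
}

# Constructed payloads (not captured traffic). An SSLv2 CLIENT-HELLO is a two-byte record
# header with the high bit set, then message type 0x01, version 0x0002, the cipher-spec,
# session-id and challenge lengths, the cipher specs and a 16-byte challenge.
SSLV2_HELLO_EXPORT = bytes.fromhex("801f 01 0002 0006 0000 0010 010080 020080") + b"\x11" * 16
SSLV2_HELLO_LEGACY = bytes.fromhex("801c 01 0002 0003 0000 0010 010080") + b"\x22" * 16
TLS_HELLO = bytes.fromhex("16 0301 00c3 01 0000bf 0303") + b"\x00" * 8  # TLS record, not SSLv2

# Constructed connection log: (timestamp, source IP, destination port, first payload bytes).
SAMPLE_RECORDS = [
    ("2016-03-02T10:00:01Z", "198.51.100.7", 443, SSLV2_HELLO_EXPORT),
    ("2016-03-02T10:00:01Z", "198.51.100.7", 443, SSLV2_HELLO_EXPORT),
    ("2016-03-02T10:00:02Z", "198.51.100.7", 443, SSLV2_HELLO_EXPORT),
    ("2016-03-02T10:00:02Z", "203.0.113.22", 443, TLS_HELLO),
    ("2016-03-02T10:00:03Z", "203.0.113.22", 443, TLS_HELLO),
    ("2016-03-02T10:00:05Z", "192.0.2.9", 993, SSLV2_HELLO_LEGACY),
]


def sslv2_client_hello_specs(payload):
    """Return the cipher specs offered in an SSLv2 CLIENT-HELLO, or None if `payload` is not one.

    A hello whose cipher list is truncated or malformed still counts as SSLv2 and yields [].
    """
    if len(payload) < 11 or not payload[0] & 0x80:
        return None
    if payload[2] != 0x01 or payload[3:5] != b"\x00\x02":
        return None
    specs_len = int.from_bytes(payload[5:7], "big")
    specs = payload[11:11 + specs_len]
    if len(specs) != specs_len or specs_len % 3:
        return []
    return [specs[i:i + 3] for i in range(0, specs_len, 3)]


def detect_drown_activity(records, burst_threshold):
    """Summarize SSLv2 activity per source IP.

    Any SSLv2 hello against a server that should only speak TLS is worth an alert; a source
    that reaches `burst_threshold` SSLv2 connections is flagged as a burst, because the
    general DROWN attack needs on the order of 40,000 SSLv2 connections to the target.
    """
    sslv2_handshakes = defaultdict(int)
    export_offers = defaultdict(int)
    for _timestamp, src, _dport, payload in records:
        specs = sslv2_client_hello_specs(payload)
        if specs is None:
            continue
        sslv2_handshakes[src] += 1
        if any(spec in EXPORT40_SPECS for spec in specs):
            export_offers[src] += 1
    bursts = sorted(src for src, count in sslv2_handshakes.items() if count >= burst_threshold)
    return {
        "sslv2_handshakes": dict(sslv2_handshakes),
        "export_cipher_offers": dict(export_offers),
        "burst_sources": bursts,
    }


if __name__ == "__main__":
    # A threshold of 3 fits the six constructed records; a production sensor would be tuned
    # to the far larger connection counts the attack actually requires.
    for name, value in detect_drown_activity(SAMPLE_RECORDS, burst_threshold=3).items():
        print(f"{name}: {value}")
```

On the sample records the detector reports three SSLv2 handshakes from 198.51.100.7, all offering an EXPORT40 cipher, one legacy SSLv2 handshake from 192.0.2.9 on the IMAPS port, and flags 198.51.100.7 as the only burst source. The same two conditions (SSLv2 header plus version 0x0002, and a per-source count) are what an IDS rule with a threshold would encode.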
How to Manually Check for DROWN Vulnerability:
It is possible to manually check servers for the DROWN vulnerability. Using Nmap and Kali Linux, run scans against all servers that are publicly accessible over the Internet. The following steps show the CLI commands necessary to achieve this goal:
- List open ports and the services that communicate over SSL/TLS with Nmap (replace <count> with the number of most common ports to scan):
- nmap -sV --reason -Pn -n --top-ports <count> (IP address)
- Confirm that SSLv2 connections are accepted by forcing an SSLv2 connection (your local OpenSSL build must have SSLv2 enabled):
- openssl s_client -connect (IP address):443 -ssl2
- List supported SSL/TLS ciphers (-sC runs Nmap's default scripts, which include the sslv2 script):
- nmap -sV -sC (IP address)
- Using SSLyze, scan the server to analyze its SSL configuration and double-check the findings.
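The openssl step above depends on a local OpenSSL build that still speaks SSLv2, which most current builds no longer do. The script below is an added example written for this post (not code from WraySec, the DROWN researchers or OpenSSL) that performs the same check directly: it sends one SSLv2 CLIENT-HELLO record offering every SSLv2 cipher spec and decodes the reply. Message layouts follow the SSL 2.0 draft; SAMPLE_SERVER_HELLO is a constructed reply, not a capture from any real host, so the parser can be exercised offline. A server that answers with a SERVER-HELLO or even an SSLv2 ERROR message is still processing SSLv2 records and should have the protocol disabled, as recommended above.

```python
"""Probe a server for SSLv2 support with a raw SSLv2 CLIENT-HELLO.

Added example for this post, not code from WraySec, the DROWN researchers or OpenSSL.
It does what the `openssl s_client -ssl2` step does, but needs no SSLv2-capable OpenSSL
build: it writes one SSLv2 record to the port and decodes the reply. Message layouts
follow the SSL 2.0 draft; SAMPLE_SERVER_HELLO is a constructed reply for offline use.
"""
import os
import socket
import struct

MSG_ERROR = 0x00          # SSLv2 ERROR message type
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04

# SSLv2 cipher specs (3 bytes each). The two EXPORT40 specs carry 40-bit keys, which is
# what DROWN brute-forces to turn the server into a Bleichenbacher oracle.
CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

# Constructed SSLv2 SERVER-HELLO (not captured from any real host): 8 placeholder
# certificate bytes, two cipher specs (RC4 EXPORT40 and 3DES) and a 16-byte connection id.
SAMPLE_SERVER_HELLO = (
    bytes.fromhex("8029 04 00 01 0002 0008 0006 0010")
    + b"\x30\x82" + b"\x00" * 6
    + bytes.fromhex("020080 0700c0")
    + b"\xab" * 16
)


def build_client_hello(challenge=None):
    """Return a complete SSLv2 record carrying a CLIENT-HELLO that offers every SSLv2 cipher."""
    if challenge is None:
        challenge = os.urandom(16)            # CHALLENGE-DATA must be 16..32 bytes
    specs = b"".join(CIPHER_SPECS)
    # MSG-CLIENT-HELLO, version 0x0002, cipher-specs length, session-id length (0), challenge length
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    # Two-byte record header: high bit set, remaining 15 bits hold the body length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_reply(data):
    """Decode the first SSLv2 record in `data`.

    Returns None if the bytes are not an SSLv2 record (a TLS alert starts with 0x15, for
    example), a dict with kind="error" for an SSLv2 ERROR message, or a dict with
    kind="server_hello" listing the cipher specs the server offered.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    body_len = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + body_len]
    if len(body) != body_len or body_len < 3:
        return None                           # truncated or empty record
    if body[0] == MSG_ERROR and body_len == 3:
        # The server understood SSLv2 but refused (e.g. NO-CIPHER-ERROR = 0x0001).
        return {"sslv2": True, "kind": "error", "error_code": struct.unpack("!H", body[1:3])[0]}
    if body[0] != MSG_SERVER_HELLO or body_len < 11:
        return None
    _, _hit, _cert_type, version, cert_len, specs_len, _conn_len = struct.unpack("!BBBHHHH", body[:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    if len(specs) != specs_len or specs_len % 3:
        return None
    names = [CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, specs_len, 3)]
    return {
        "sslv2": True,
        "kind": "server_hello",
        "version": version,
        "ciphers": names,
        "export_ciphers": [n for n in names if "EXPORT40" in n],
    }


def probe(host, port=443, timeout=5.0):
    """Connect, send the CLIENT-HELLO and decode whatever comes back (None means no SSLv2)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while len(data) < 16384:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, ConnectionResetError):
            pass                              # servers without SSLv2 often just close or stall
    return parse_server_reply(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe(host, port)
    if result is None:
        print(f"{host}:{port} did not answer the SSLv2 CLIENT-HELLO (no SSLv2 support detected)")
    else:
        print(f"{host}:{port} speaks SSLv2: {result}")
```

Run it as `python3 sslv2_probe.py (IP address) 443` against each service found in the Nmap step; the export_ciphers list in the output identifies the EXPORT cipher specs that make the server usable as a DROWN oracle, and the parser's handling of SAMPLE_SERVER_HELLO shows what a positive result looks like without touching the network.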
How to Automatically Check for DROWN Vulnerability:
The researchers involved in the DROWN disclosure provide an online test that checks whether your public-facing domain or IP address is vulnerable to DROWN. This check is based upon information collected from an Internet-wide scan. It should be safe to use this testing mechanism; however, for a sensitive server, or one that is behind a firewall, it is advisable to do the testing manually.
Steps Required For Successful Exploitation of the DROWN Vulnerability:
The following steps are necessary to perform successful DROWN attacks:
- Probe the vulnerable server, using specially crafted connections, with an RSA-encrypted 40-bit secret key.
- Compare the server's response against at least 2^40 possibilities to ensure the modified ciphertext was appropriately formed.
- Passively collect approximately 1,000 TLS sessions which use RSA key exchange.
- Establish 40,000 SSLv2 connections.
- Execute 2^50 symmetric-encryption operations pertaining to the vulnerable target server.
This process can be made easier by leveraging an OpenSSL vulnerability which allows attackers to carry out attacks by crafting approximately 17,000 probe messages. These probe messages allow the attacker to near-instantaneously obtain confirmation that the modified cipher text is validly formed. This is made possible by obtaining the key for one out of 260 TLS connections from the target server.
Currently Vulnerable Domains:
Although there have not been any notable publicly announced compromises related to the DROWN vulnerability, there are well-known domains that have been identified (at the time of this post) as vulnerable to DROWN attacks. The following list shows several prominent vulnerable domains.
How Can WraySec Help Protect Me From DROWN?
WraySec offers security services including comprehensive and aggressive security assessments to identify vulnerabilities such as DROWN. By performing vulnerability assessments, and penetration testing on a routine basis, our highly skilled team of cyber security professionals can help prevent the compromise of servers which are vulnerable to DROWN. In the event that you believe you may have already fallen victim to the DROWN attack, incident response services are also available. Please feel free to contact us with any inquiries!