A fresh OpenSSL issue has been uncovered, dubbed DROWN.
And drown in it we apparently will: It affects hundreds of sites, including those with millions of monthly visitors, like Yahoo, BuzzFeed, Flickr, Groupon, Samsung, CNBC, AutoTrader and Nintendo, despite the fact that the flaw affects an old version of SSL. A very old version of SSL, in fact: SSL v2, the first ever version of SSL that was released in 1995 and declared dead less than a year later.
DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Researchers estimate that up to 22% of servers could be impacted by the problem.
“The especially bad aspect of this attack is that it can be used to exploit TLS, even in cases when client devices don’t support SSL v2, and sometimes even in cases when the servers don’t support SSL v2 (but use the same RSA key as some other server that does),” explained Ivan Ristic, director of vulnerability research at Qualys, in a blog.
The attack does take some skill to execute. “In the case of DROWN, the attacker does have to be in a privileged position on the network in order to eavesdrop on a TLS session, and also needs to have already conducted some reconnaissance on the server-side infrastructure, but this is the nature of padding oracle attacks,” said Tod Beardsley, security research manager at Rapid7, via email.
It also requires that 1) RSA key exchange is used and 2) that there is an SSL v2 server configured with the same private RSA key. But while the attack is not trivial, it can be done cheaply (Ristic said exploitation costs only $440 and eight hours of work).
It’s not Heartbleed, but DROWN demonstrates the weaknesses inherent in letting legacy cryptography standards hang around.
“Once again, we realize that obsolete crypto is dangerous. For many years the argument for not disabling SSL v2 was that there was no harm because no browsers used it anyway,” he said. “We heard the same thing before learning about Logjam, and also before FREAK. This approach is obviously not working. Instead, in the future we must ensure that all obsolete crypto is aggressively removed from all systems. If it’s not, it’s going to come back to bite us, sooner or later.”
Fortunately, remediation is straightforward: administrators should disable SSL v2 on all servers.
Photo © Alex Ionas