A newly published attack can break the encryption that SSL and TLS provide for network connections, allowing an attacker to steal sensitive information, researchers said.
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) exploits the fact that many servers still support SSLv2, the very old and insecure predecessor of TLS.
“In technical terms, DROWN is a new form of cross-protocol Bleichenbacher padding oracle attack. It allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key,” the researchers said in a paper on the subject.
The researchers — Nimrod Aviram; Sebastian Schinzel; Juraj Somorovsky; Nadia Heninger; Maik Dankel; Jens Steube; Luke Valenta; David Adrian; J. Alex Halderman; Viktor Dukhovni; Emilia Käsper; Shaanan Cohney; Susanne Engels; Christof Paar, and Yuval Shavitt — are from the Department of Electrical Engineering, Tel Aviv University; Münster University of Applied Sciences; Horst Görtz Institute for IT Security, Ruhr University Bochum; University of Pennsylvania; Hashcat Project; University of Michigan; Two Sigma/OpenSSL; and Google/OpenSSL.
What’s worse, the attack requires neither much money nor much time. “Running the computations for the full attack on Amazon EC2 costs about $440,” the researchers found, and the attack can be completed in under eight hours.
And if the server is also affected by two OpenSSL bugs present in older versions of the popular open-source crypto library, the attack becomes cheaper still and considerably faster: “In this special case, the attacker can craft his probe messages so that he immediately learns whether they had the right form without any large computation. In this case, the attacker needs about 17,000 probe connections in total to obtain the key for one out of 260 TLS connections from the victim, and the computation takes under a minute on a fast PC.”
At that speed, the attack is also practical for active man-in-the-middle attacks between client and server, not just offline decryption of recorded traffic.
The researchers scanned servers across the world and estimate that 33 percent of all HTTPS servers and 25 percent of the top one million domains are vulnerable to DROWN.
There is nothing end-users can do to protect themselves against DROWN; it is up to server administrators to act. The researchers have published a tool that admins can use to check whether their servers are vulnerable.
A server is vulnerable in either of two cases: it allows SSLv2 connections itself, or its private key is also used on another server that allows SSLv2 connections. “Many companies reuse the same certificate and key on their web and email servers, for instance,” the researchers pointed out. In the second case the web server can have SSLv2 disabled and still be exposed, because the attacker only needs some SSLv2 endpoint that holds the same RSA key.
The fix is simple in principle: disable SSLv2 support everywhere the key is used, and stop sharing private keys between hosts that cannot all be hardened. In practice the exact steps depend on the software installed, so the researchers provided instructions for the most widely used servers and libraries (Microsoft IIS, Apache, Postfix, Nginx, and servers built on the Network Security Services and OpenSSL crypto libraries).
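To verify both conditions above before and after a fix, an administrator needs to see whether a host completes an SSLv2 handshake and whether several hosts serve the same certificate (and therefore the same private key). The script below is an added example written for this page, not the researchers’ scanner or any project’s code. It hand-builds the SSLv2 ClientHello and parses the ServerHello, so it works even though modern OpenSSL and Python cannot speak SSLv2 themselves; it only handles ports that start TLS immediately (443, 465, 993), not STARTTLS ports. The hostnames in the usage line are placeholders, and the ServerHello bytes used for the offline self-test are constructed, not captured from a real server.

```python
import hashlib
import os
import socket
import ssl
import struct
import sys
from typing import Dict, List, Optional, Tuple

# SSLv2 cipher-spec identifiers (3 bytes each) from the SSLv2 specification.
SSLV2_CIPHER_SPECS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 1, 4
SSLV2_VERSION = 0x0002

def _record(body: bytes) -> bytes:
    """Prepend the 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack("!H", 0x8000 | len(body)) + body

def _record_total_length(data: bytes) -> Optional[int]:
    """Header plus payload length of the SSLv2 record starting at data[0], if known."""
    if len(data) < 2:
        return None
    if data[0] & 0x80:                              # 2-byte header, no padding
        return 2 + (((data[0] & 0x7F) << 8) | data[1])
    return 3 + (((data[0] & 0x3F) << 8) | data[1])  # 3-byte header, padding byte follows

def build_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """SSLv2 ClientHello offering every SSLv2 cipher spec, export ones included."""
    challenge = os.urandom(16) if challenge is None else challenge
    specs = b"".join(c.to_bytes(3, "big") for c in SSLV2_CIPHER_SPECS)
    # msg_type, version, cipher_specs_len, session_id_len, challenge_len
    head = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION, len(specs), 0, len(challenge))
    return _record(head + specs + challenge)

def build_server_hello(cert_der: bytes, ciphers: List[int], conn_id: bytes) -> bytes:
    """SSLv2 ServerHello laid out as a server would send it; used for the offline self-test."""
    specs = b"".join(c.to_bytes(3, "big") for c in ciphers)
    # msg_type, session_id_hit, cert_type (1 = X.509), version, cert_len, specs_len, conn_id_len
    head = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert_der), len(specs), len(conn_id))
    return _record(head + cert_der + specs + conn_id)

def parse_server_hello(data: bytes) -> Optional[dict]:
    """Parsed ServerHello, or None for anything else (SSLv2 ERROR message, TLS alert,
    empty reply, truncated record): all of those mean no SSLv2 handshake happened."""
    total = _record_total_length(data)
    if total is None or len(data) < total:
        return None
    body = data[(2 if data[0] & 0x80 else 3):total]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _, sid_hit, cert_type, version, cert_len, specs_len, conn_len = struct.unpack(
        "!BBBHHHH", body[:11])
    if 11 + cert_len + specs_len + conn_len > len(body) or specs_len % 3:
        return None
    cert_end, specs_end = 11 + cert_len, 11 + cert_len + specs_len
    specs = body[cert_end:specs_end]
    return {"version": version, "session_id_hit": bool(sid_hit), "certificate_type": cert_type,
            "certificate": body[11:cert_end],
            "ciphers": [int.from_bytes(specs[i:i + 3], "big") for i in range(0, specs_len, 3)],
            "connection_id": body[specs_end:specs_end + conn_len]}

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER certificate: equal on two hosts means the same certificate,
    and so the same private key, is deployed on both."""
    return hashlib.sha256(der).hexdigest()

def probe_sslv2(host: str, port: int, timeout: float = 5.0) -> Optional[dict]:
    """Parsed ServerHello if the server completes an SSLv2 handshake, else None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        try:
            while (chunk := sock.recv(4096)):
                data += chunk
                total = _record_total_length(data)
                if total is not None and len(data) >= total:
                    break
        except socket.timeout:
            pass
    return parse_server_hello(data)

def assess(targets: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Both DROWN conditions: which hosts speak SSLv2, and which TLS-only hosts share
    their certificate (hence key) with one that does. Returns {fingerprint: [hosts]}."""
    by_fp: Dict[str, List[str]] = {}
    sslv2 = set()
    for host, port in targets:
        name = f"{host}:{port}"
        der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
        by_fp.setdefault(cert_fingerprint(der), []).append(name)
        hello = probe_sslv2(host, port)
        if hello:
            sslv2.add(name)
            print(name, "accepts SSLv2:", [SSLV2_CIPHER_SPECS.get(c, hex(c)) for c in hello["ciphers"]])
    for fp, names in by_fp.items():
        if any(n in sslv2 for n in names):
            print(f"cert {fp[:16]}... shared by {names}: all of them DROWN-exposed")
    return by_fp

if __name__ == "__main__":  # e.g. python drown_probe.py www.example.com:443 mail.example.com:465
    assess([(h.rsplit(":", 1)[0], int(h.rsplit(":", 1)[1])) for h in sys.argv[1:]])
```

Run it with every host that carries the same certificate, web and mail alike: a host that rejects SSLv2 is still reported as exposed when another host in the list accepts it with the same certificate, which is exactly the key-reuse case the researchers warn about. Hosts that share a private key under different certificates are not caught by the fingerprint comparison and must be found from key inventory instead.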