OpenSSL DROWN Vulnerability Affects Millions of HTTPS Websites and Software Supporting SSLv2

University researchers from Israel, Germany and the USA; together with Hashcat Project, OpenSSL community and Google; have recently published a paper reporting a critical vulnerability (CVE-2016-0800), which is also referred to as DROWN (Decrsypting RSA with Obsolete and Weakened eNcryption).

DROWN is caused by legacy OpenSSL SSLv2 protocol, which is known to have many deficiencies and thus, it is condemned since 1996. For many years, security experts have recommended to turn it off. There is no need to use this 20-year-old protocol, but apparently many servers still support it because disabling SSLv2 requires non-default reconfiguration of the SSL cryptographic settings which is not easy for common IT people who have limited security knowledge and don’t know the location to disable this protocol and the way to disable it.

This cross-protocol vulnerability allows the cyber attackers to exploit servers using SSLv2, thus decrypting secure communications based on SSL/TLS. “SSL traffic between clients and non-vulnerable servers can be decrypted too provided another server supporting SSLv2 (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server,” said OpenSSL organization. [1]

Hackers can take advantage of DROWN vulnerability and perform a Man-in-the-Middle (MitM) type of attack. In a MitM attack, hackers trick the servers to steal the encryption key. They can use this key to decode encrypted messages and steal sensitive data like credit cards, email messages, passwords, trade secrets and financial information.

An example of a DROWN attack

DROWN attack

Surprisingly, the world’s known brands [2] like Yahoo, Buzzfeed, Groupon, Sina have got their websites affected by DROWN vulnerability. Keeping this in view,it can be inferred that more companies still rely on servers that support this legacy protocol and are likely to fall a victim of cyber attacks.

OpenSSL is a cryptographic library used in many server products. It is difficult to know all the affected ones. The situation continue to becoming more urgent because the attack can be done in minutes, and the vulnerability is now disclosed. DROWN has been regarded as the new Heartbleed by many. Heartbleed is another OpenSSL vulnerability which was found in 2014. It is problematic and is one of the top five biggest security concerns for CIOs and CISOs in 2016 [3]. DROWN only affects SSLv2 while Heartbleed affects everything. Time will tell the impact of DROWN vulnerability.

Recommend solution

  • Check web servers that implement OpenSSL, disable SSLv2 in your SSL configuration and upgrade your server software to the new OpenSSL version.
  • Check certificates or keys and make sure that they are not used in servers or software that support SSLv2. If this is true, consider them as being compromised.
  • Re-issuing a new certificate is not mandatory but can be taken as precautionary measure to prevent DROWN attacks.

How SeaCat keeps your backend resources safe from DROWN vulnerability?

SeaCat never implements SSLv2 protocol, having disabled it from day one. SeaCat uses TLS1.2 exclusively and has very strict configuration of ciphers. SeaCat Gateways are, therefore, unaffected. However, we still release an updated version of SeaCat with the new OpenSSL 1.0.2g.

SeaCat has also successfully fenced off other critical open source bugs like Heartbleed and Glibc.

SeaCat against DROWN attack

SeaCat is the core technology behind SeaCat Mobile Secure Gateway and IoT/M2M Application Security Platform, which protects mobile, IoT/M2M applications, the communication channel and application backends.

If your mobile/IoT application is secured by SeaCat and monitored by our Network Security Center, you don’t have to worry. The application is immune from this vulnerability. If you are unsure, contact us today to request a FREE Demo or learn about our Application Security technology and how we can help you with the security of your mobile app and its backend systems.

Reference

  1. https://www.openssl.org/news/secadv/20160301.txt
  2. https://drownattack.com/top-sites.html
  3. http://www.cio.com/article/3023692/security/5-biggest-cybersecurity-concerns-facing-cios-cisos-in-2016.html

Photo credits: Imcreator

About the Author

Cindy Dam

TeskaLabs’ Marketing & Community Manager, Cindy Dam, has a penchant for hacking and storytelling. When she's not reading and writing about cyber hacking, she reads, writes, and comes up with mind and travel hacks.


TurboCat.io

Data encryption tool for GDPR

More information


You Might Be Interested in Reading These Articles

Who is Responsible for Securing the Connected Car?

The automotive industry recently witnessed several cases of cyber-hacking that made driving connected cars dangerous if not impossible. Companies like Jeep, Volkswagen, and Tesla all have recently dealt with cases of hackers taking over cars and stopping them while the cars were in use as well as stealing customers' Social Security numbers, financial details, and other sensitive information.

Continue reading ...

mobile IoT security

Published on April 04, 2017

OpenSSL emergency release impact analysis re TeskaLabs' SeaCat

We help you to operate your mobile app(s) securely. You might have noticed that OpenSSL has recently announced an emergency release because they identified a series of security defects, rated with maximum severity High. The version of fixed OpenSSL is 1.0.2h, released on 3rd May 2016.

Continue reading ...

bulletin

Published on May 04, 2016

The Security Vulnerability That Puts Millions of Application Backends at Risk. Yours Included

FoxGlove Security researchers published a serious vulnerability that can put millions of application backend, including mobile backend, at risk. Mobile applications use the same web-app technology for their backends, thus suffer the same vulnerability. Mobile application servers are inherently insecure because they consist of extensive stacks of software. Each piece can contain risky zero-day vulnerabilities.

Continue reading ...

mobile security

Published on December 15, 2015