Our firewall security partner has flagged a vulnerability in services that rely on Secure Sockets Layer/Transport Layer Services (SSL/TLS) encryption. The vulnerability is called DROWN (Decrypting RSA using Obsolete and Weakened eNcryption) and was assigned the CVE ID CVE-2016-0800. CVE-2015-3197 and CVE-2016-0703 were assigned to OpenSSL implementations that are vulnerable to DROWN attacks.
By exploiting DROWN, an attacker may be able to decrypt potentially sensitive data sent to or from the server. This data could include usernames, passwords, and sensitive financial information. The issue affects systems that support SSLv2, which is an encryption protocol known to be vulnerable to attacks. To exploit this vulnerability, an attacker must observe several hundred connections between the targeted client and server, and then make repeated connections to the SSLv2 server with a previously-obtained modified cipher text. Observing how the server responds could disclose the secret key. The offline computation required to obtain the secret key is modest and can be performed in several hours.
DROWN is a new form of the cross-protocol Bleichenbacher padding oracle attack. As of this publication, one-third of HTTPS websites, including one-quarter of the top million websites, are reportedly vulnerable to DROWN attacks.
Our firewall security partner recommend that customers audit their computing infrastructure and disable SSLv2 on any systems that are configured to support it. OpenSSL may accept an SSLv2 connection even if all of the SSLv2 ciphers have been disabled. In environments that do not use SSLv2 (for example, PCI-compliant systems), action may still be required if the private key is shared with any system that supports SSLv2 encryption. In this scenario, clients should issue a new key and ensure that it is not used with any service that supports SSLv2.
OpenSSL users should upgrade to the latest version. Versions 1.0.1s and 1.0.2g are not vulnerable to DROWN attacks. Microsoft IIS versions 7.0 and above should have SSLv2 disabled by default.
Our firewall security partner is conducting further investigations to the feasibility of countermeasures to detect DROWN exploit activity. We will update you further as this develops.