Tuesday, March 1, 2016

DROWN - Decrypting RSA using Obsolete and Weakened eNcryption

Background Information

A group of security researchers discovered that SSLv2 (Secure Sockets Layer protocol version 2.0) is vulnerable to the Bleichenbacher RSA padding oracle attack, which can be used to decrypt RSA cipher text without the knowledge of the matching private RSA key. This can be done by observing responses from a server that has the private key and performs the decryption of attacker-provided cipher texts using that key. The researchers also demonstrated a new cross-protocol attack which allows decryption of SSL/TLS sessions using newer protocol versions - SSLv3 or any current TLS (Transport Layer Security) version (1.0 - 1.2) - using this SSLv2 weakness. This flaw is a SSLv2 protocol issue and affects all implementations of the protocol. Researchers refer to this attack as general DROWN.
Additionally, flaws were found in the SSLv2 protocol implementation in the OpenSSL cryptography and SSL/TLS library, which make it possible to perform a more efficient variant of the DROWN attack, referred to as special DROWN. These issues were assigned CVE-2016-0703 and CVE-2016-0704 , and were already recently corrected as part of the fix for CVE-2015-0293 .
Further details of this attack can be found in the researchers' paper titled DROWN: Breaking TLS using SSLv2 at https://drownattack.com/

Impact to systems

A server is vulnerable to the DROWN attack if it enables SSLv2 protocol in addition to SSLv3 or TLSv1.x, and if it uses RSA key exchange cipher suites. Server that does not enable SSLv2 can also be vulnerable if it does not enable SSLv2, but shares its private RSA key with another server. For example, DROWN attack can still be used to decrypt HTTPS sessions to a web server that does not enable SSLv2 if it shares its RSA key with e.g. IMAP server, possibly running on the same host, that does enable SSLv2. Use of weak or export SSLv2 ciphers is required to efficiently perform the attack.
SSL/TLS connections using non-RSA key exchange, such as Diffie-Hellman or Elliptic Curve Diffie-Hellman, can not be decrypted using the DROWN attack. 

What configurations are vulnerable to this attack?

  • TLS servers which support SSLv2 are vulnerable. Most daemons capable of communication over TLS in Red Hat Enterprise Linux are linked against the OpenSSL cryptographic library. OpenSSL removed support for SSLv2 cipher suites in openssl-1.0.0. Red Hat Enterprise Linux 6 and 7 ship openssl-1.0.1e and they contain this patch. However it was found that OpenSSL servers do not respect the cipher suites advertised in the ServerHello handshake message, which could result in export SSLv2 cipher suites being used even if they were explicitly disabled. Also, the SSLv2 protocol itself was enabled. The flaw was assigned CVE-2015-3197 and is being fixed by the security advisories listed in the Resolution section below.
  • The NSS (Network Security Services) library available in Red Hat Enterprise Linux does not enable SSLv2 by default.
  • Services which do not use SSLv2 , but share their RSA keys with those services which have SSLv2 support, are also vulnerable.
  • This attack can only be conducted if RSA cipher suites for key exchange are enabled on the server. Other asymmetric protocols like DHKE and ECC are not vulnerable.
  • Lastly, the attack can be conducted in real time for OpenSSL servers which are vulnerable to CVE-2015-0293 . This security flaw has been previously addressed by RHSA-2015:0800 for Red Hat Enterprise Linux 5, RHSA-2015:0715 for Red Hat Enterprise Linux 6 and RHSA-2015:0716 for Red Hat Enterprise Linux 7. This attack, which combines the SSLv2 protocol flaw and the OpenSSL implementation flaw, is dubbed as Special DROWN.

    Take Action

    Imediately apply available patches to remediate the issue. Rebooting the system after updating is the safest way to ensure all affected services use the updated ssl library. If a reboot is not possible, restarting all network services that depend on openssl after applying the patches is required.


    To manually detect if a system is vulnerable, please use the script below:

    DROWN-test.sh (script version 1.0)


    $ chmod +x DROWN-test.sh
    $ ./DROWN-test.sh

    If the installed version of openssl is vulnerable, you will see output similar to:

    WARNING: The installed version of openssl (openssl-1.0.1e-42.el7) is vulnerable to both general and special DROWN attack and should be upgraded!
    See https://access.redhat.com/security/vulnerabilities/drown for more information.

No comments :

Post a Comment