This document examines DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), a vulnerability that attacks TLS-protected traffic such as secure HTTPS connections. It is especially dangerous to any organization engaged in e-commerce that needs to complete financial transactions. TLS is what establishes secure HTTPS connections, typically through a web browser, allowing users to use applications such as email, online shopping, instant messaging and online education, all with the benefit of an encrypted connection.
If properly exploited, an attacker can gain access to any secured communication going between a server and its end-users. In particular, these secured encrypted communication streams could carry user names, passwords, sensitive documents, credit card info, social security numbers, bank account information, etc. Savvy attackers could possibly use more advanced techniques by impersonating a secure website while intercepting sensitive personal information.
Advisories recommend immediate action to resolve the DROWN vulnerability. It must be noted that end-users who use web browsers can do nothing to protect themselves. All the protection mechanisms must be established on the server side due to the nature of how SSL/TLS connections are established.
The DROWN attack works by exploiting the SSLv2 protocol, the outdated 1990s-era predecessor to TLS. Misconfigured servers that still have SSLv2 enabled by default are at high risk. A server is vulnerable to the DROWN attack if one of two conditions exists, as seen in figure one below.
- The server allows SSLv2 connections.
- The server’s private key is also used on any adjacent server, bound to the same network, that is running SSLv2.
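Both conditions can be checked against an inventory of TLS endpoints. The following is an added example, not part of the original report: the inventory format, host names and key fingerprints are constructed, and all endpoints are assumed to sit on the same network. It flags a server that never offers SSLv2 itself when its key is shared with one that does.

```python
from collections import defaultdict

# Constructed inventory (hypothetical format): endpoint, enabled protocol
# versions, and a fingerprint of the certificate's public key.
INVENTORY = [
    ("www.example.test:443",  {"TLSv1.0", "TLSv1.2"}, "aa11"),
    ("mail.example.test:25",  {"SSLv2", "TLSv1.0"},   "aa11"),
    ("shop.example.test:443", {"TLSv1.2"},            "bb22"),
    ("old.example.test:443",  {"SSLv2", "SSLv3"},     "cc33"),
    ("api.example.test:443",  {"TLSv1.2"},            "dd44"),
]


def drown_exposure(inventory):
    """Return {endpoint: reason} for every endpoint meeting either condition."""
    # Index the keys that are reachable through an SSLv2-enabled endpoint.
    sslv2_by_key = defaultdict(list)
    for endpoint, protocols, key_fp in inventory:
        if "SSLv2" in protocols:
            sslv2_by_key[key_fp].append(endpoint)

    findings = {}
    for endpoint, protocols, key_fp in inventory:
        if "SSLv2" in protocols:
            # Condition 1: the server itself allows SSLv2 connections.
            findings[endpoint] = "allows SSLv2 connections"
        elif key_fp in sslv2_by_key:
            # Condition 2: same private key as a server that runs SSLv2.
            peers = ", ".join(sorted(sslv2_by_key[key_fp]))
            findings[endpoint] = f"private key shared with SSLv2 server(s): {peers}"
    return findings


if __name__ == "__main__":
    for endpoint, reason in sorted(drown_exposure(INVENTORY).items()):
        print(f"{endpoint}: {reason}")
```
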
The DROWN Attack has been registered by the Common Vulnerabilities and Exposures system as CVE-2016-0800.
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a “DROWN” attack.
IMPACT: CVSS Severity (version 3.0)
The CVE base scores shown in figure two were calculated by NIST to help organizations strategize remediation and plan mitigation for future attacks. Base metrics ask how complicated the attack is to perform and whether or not it requires authentication. The base score as determined by NIST is 5.9 (Medium).
Temporal scores ask whether the vulnerability is remediable and still exploitable. At present there are no workarounds, which establishes a temporal score of 5.8 (Medium). The exploit code is fully functional and the report confidence is confirmed. Due to the inherent flaws built into many servers running SSLv2, an outdated and vulnerable encryption protocol, many systems are subject to misconfigurations because of possible oversight. The effectiveness of the DROWN attack justifies an exploit code maturity of Functional. The report has been confirmed by NIST.
The environmental metrics ask what this means for our network. Since the DROWN attack occurs between server/client connections utilizing SSL/TLS, any end-user's machine can potentially be impacted. It is not simply a matter of how far this vulnerability can spread, because it already exists within the servers themselves and therefore affects all interconnected machines on the network. It is possible for any adjacently connected servers to be affected as well. The requirements for CIA are more stringent as compared to other organizations that engage in any type of e-commerce due to massive amounts of classified SPI data storage, which resulted in an environmental score of 6.9 (Medium).
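The base and temporal figures above follow from the CVSS v3.0 equations. This added example, which is not part of the original report, reproduces them for the base vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N with the temporal values the text describes (E:F, RL:U, RC:C); it implements only the Scope Unchanged case and does not compute the environmental score.

```python
import math

# CVSS v3.0 metric weights from the FIRST specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}  # weights for Scope Unchanged
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}

# Base metrics for CVE-2016-0800 plus the temporal values stated in the text.
DROWN_VECTOR = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:U/RC:C"


def roundup(x):
    """CVSS 'round up to one decimal place'."""
    return math.ceil(x * 10) / 10


def parse(vector):
    """Turn 'CVSS:3.0/AV:N/...' into {'AV': 'N', ...}, skipping the prefix."""
    return dict(part.split(":") for part in vector.split("/")[1:])


def base_score(m):
    if m["S"] != "U":
        raise ValueError("this example implements Scope Unchanged only")
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 6.42 * iss
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]] * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))


def temporal_score(m):
    # Unset temporal metrics default to 'X' (Not Defined), weight 1.0.
    weights = E[m.get("E", "X")] * RL[m.get("RL", "X")] * RC[m.get("RC", "X")]
    return roundup(base_score(m) * weights)


if __name__ == "__main__":
    metrics = parse(DROWN_VECTOR)
    print("base:", base_score(metrics), "temporal:", temporal_score(metrics))
```
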
The DROWN attack is a vulnerability that exploits servers running SSLv2. Since the DROWN attack depends on servers already running the SSLv2 protocol, disabling SSLv2 altogether would completely eliminate this threat. Alternatively, if disabling SSLv2 is not an option, then private keys should not be used anywhere on those particular servers. Disabling SSLv2 has been deemed difficult and could negatively impact other software running on the server. Servers that continue to leave misconfigurations in place run the risk of a potential breach.
FIRST.org. (2016). Common Vulnerability Scoring System Version 3.0 Calculator. Retrieved May 22, 2016, from FIRST: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:U/RC:R/CR:H/IR:H/AR:M/MAV:A/MAC:H/MPR:N/MUI:R/MS:U/MC:H/MI:L/MA:L
Nimrod Aviram, S. J. (2016, March 1). The Drown Attack. Retrieved May 22, 2016, from DrownAttack.com: https://drownattack.com/#paper
US-CERT/NIST. (2016, April 21). National Cyber Awareness System. Retrieved May 22, 2016, from National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800