On March 1st, 2016 researchers disclosed a critical vulnerability affecting SSL and TLS protocol, most widely used secure protocols over the internet. The attack, termed DROWN (an acronym for Decrypting RSA with Obsolete and Weakened eNcryption) is a cross protocol attack that affects any server that supports SSLv2 connections and also any other servers (including SMTP, IMAP, etc.) that shares the same certificate with an SSLv2 supported server.
In order to launch a DROWN attack, first the attacker passively intercepts the traffic between the client and the server and records any version of TLS RSA messages. As per researchers, later using this attack, the attacker can decrypt one out of 1000 intercepted connections. From the encrypted TLS messages, ciphertext containing the 48-byte premaster secret is then converted to valid RSA PKCS #1 v1.5 encoded ciphertexts with length acceptable to SSLv2 oracle. A version of the Bleichenbacher attack is then used to query the oracle with valid SSLv2 RSA ciphertext which leaks information about the master secret key. This information can then be used to compute the session key allowing the attacker to decrypt the earlier recorded TLS messages. The decrypted messages can disclose sensitive information such as login credentials, cookies, company confidential data, etc.
DROWN has been assigned CVE-2016-0800 with a severity rating of High. According to the data published by researchers, TLS 1.2 handshake using 2048 bit RSA can be decrypted in under 8 hrs at a cost of only $440. The attack time can be further reduced to one minute using the recently discovered vulnerability in OpenSSL (CVE-2016-0703) making it possible to perform MiTM attacks within a very short time window. The same data published by researchers also mentions that 33% of all servers on the internet could be vulnerable to this attack.
At Netskope, we have been monitoring SaaS apps to check if they are vulnerable to DROWN. As part of our research, we have identified 676 SaaS apps that are vulnerable to the attack.The breakdown of SaaS apps vulnerable to DROWN per the l'index de confiance du Cloud Netskope (CCI) is as follows:
- 2 Apps have a “High” CCI rating;
- 42 Apps have a “Medium” CCI rating
- The remainder have either a “Low” or “Poor” CCI rating.
We also identified the following interesting observations related to the 676 SaaS applications vulnerable to the DROWN attack:
- 73 apps are still vulnerable to FREAK attack
- 42 apps are still vulnerable to Logjam attack
- 38 apps are still vulnerable to OpenSSL CCS attack
- 7 apps are still vulnerable to Poodle
The above indicates poor patch management practices by some of the these vulnerable app vendors.
If you are a SaaS app vendor, we suggest the following to identify and mitigate the potential effects of the DROWN attack:
- Check if your server is vulnerable to the attack using the DROWN attack checker.
- Mitigate the vulnerability by disabling the support for SSLv2 immediately. Please note that disabling SSLv2 ciphers on servers vulnerable to CVE-2015-3197 will NOT be sufficient as clients can force the use of SSLv2 with EXPORT Ciphers.
- OpenSSL has released patch for CVE-2016-0703 and CVE-2015-3917. Apply the patched versions 1.0.2g and 1.0.1s for 1.0.2 and 1.0.1 respectively.
- Microsoft IIS users should upgrade to versions 7.0 and above which has SSLv2 disabled by default
- Check the detailed instructions here to get more information on vulnerable platforms and products along with the steps for mitigation.
I would like to thank Nitish Balachandran and Arun Prabhu Dhandapani for their assistance on the research, analysis, and reporting.