DROWN, which stands for “Decrypting RSA with Obsolete and Weakened eNcryption,” is a newly disclosed vulnerability that could be exposing millions of sites to risk today.
However, the DROWN attack is specific to the legacy SSLv2 protocol, and the impact of the flaw is not nearly as widespread as the Heartbleed flaw.
Full details on DROWN, also identified as CVE-2016-0800, are disclosed in a research paper published today, co-authored by Tel-Aviv University, Münster University of Applied Sciences, Horst Görtz Institute for IT Security, Ruhr University Bochum, University of Pennsylvania, Hashcat Project, University of Michigan, OpenSSL and Google.
“The work behind today’s DROWN attack announcement represents the very best of open, collaborative, international security research,” Tod Beardsley, security research manager at Rapid7, told eWEEK. “Academics and professionals actively probing the edges of practical cryptanalysis is the open-source security promise.”
The DROWN attack is a vulnerability that can enable an attacker to decrypt intercepted TLS connections by abusing connections to an SSLv2 server that uses the same private key. SSLv2 is an older protocol that has been outdated for more than a decade at this point and has been replaced by Transport Layer Security (TLS). SSLv3 is also outdated; in fact, the POODLE attack disclosed in 2014 proved that SSLv3 is insecure.
With both DROWN and POODLE, an attacker is abusing the fact that servers sometimes still can enable support for older protocols alongside newer ones. The DROWN attack is not specific to any one Web server or Secure Sockets Layer/Transport Layer Security (SSL/TLS) library. That said, the open-source OpenSSL cryptographic library is being updated to help mitigate and limit the risk of a DROWN attack. Microsoft Internet Information Server (IIS) users are being advised to make sure they have disabled SSLv2 by default.
There is now also an online DROWN checker to verify if a specific server is at risk. According to the DROWN attack disclosure site, 25 percent of the top 1 million domains secured by HTTPS are vulnerable to the DROWN attack.
While DROWN is significant, it’s not nearly as risky as the Heartbleed attack that was first reported in April 2014.
Unlike Heartbleed, DROWN is a bug in the underlying SSLv2 protocol, Chris Czub, security research engineer at Duo Security, explained.
“Heartbleed was an implementation bug in OpenSSL’s library, which would leak bits of system memory that could contain anything: private keys, user log-in credentials, etc,” Czub told eWEEK. “DROWN, on the other hand, makes attacking SSLv2 connections possible, regardless of the underlying libraries, but doesn’t inherently expose the memory of the server.”
With DROWN, an attacker can spy on communications, such as reading email and capturing usernames and passwords, credit card numbers and instant messages, Czub said.
Although Heartbleed is a completely different beast than DROWN, and DROWN is not worse than Heartbleed due to scale, said Josh Bressers, security strategist at Red Hat.
“Heartbleed affected everything, whereas DROWN only affects SSLv2, which no one should be running at all,” Bressers told eWEEK.
Given that few Web servers actually run SSLv2 by default, some Website administrators might think they aren’t at risk, but that’s not necessarily the case. When you have a TLS or SSL connection, the client tells the server “here’s the encryption key that I want to use,” Bressers said.
“In a man-in-the-middle attack, like DROWN, attackers can sniff all of these encrypted packets and then leverage that data via a flaw in SSLv2 to send the server requests that will help them decipher the full encryption key,” Bressers said. “If you aren’t using SSLv2 for anything, you’re fine; but it’s still wise for everyone to apply updates across their respective infrastructures.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.