Researchers revealed a massive transport layer security (TLS) vulnerability today that leaves millions of Internet users vulnerable to an attack that could expose passwords, credit card numbers and financial data. OpenSSL and others are urging companies to patch their web servers or risk exposure to the so-called DROWN attack that can decrypt Internet traffic and leave users vulnerable to man-in-the-middle attacks.
The vulnerability was unveiled by a group of international researchers (PDF) who are calling it “Decrypting RSA with Obsolete and Weakened eNcryption,” or DROWN. The attack exploits a flaw in SSLv2 that relates to export-grade cryptography, an issue that continues to rear its ugly head, as it did with Logjam and other recent attacks. The vulnerability can be exploited to use SSLv2 handshakes to decrypt TLS sessions. DROWN attackers can decrypt current sessions and those recorded in the past.
“Due to a series of dumb mistakes on the part of a vast number of people, DROWN means that TLS connections to a depressingly huge slice of the web (and mail servers, VPNs etc.) are essentially open to attack by fairly modest adversaries,” wrote Matt Green, a cryptographer and professor at Johns Hopkins University, in a blog post.
According to Green, DROWN is a classic example of a “cross protocol attack.” He writes: “This type of attack makes use of bugs in one protocol implementation (SSLv2) to attack the security of connections made under a different protocol entirely — in this case, TLS. More concretely, DROWN is based on the critical observation that while SSLv2 and TLS both support RSA encryption, TLS properly defends against certain well-known attacks on this encryption — while SSLv2’s export suites emphatically do not.”
Security experts estimate the DROWN vulnerability leaves 33 percent of all HTTPS servers vulnerable to attackers who have the ability to break browser-to-server encryption and eavesdrop on data passed between the two.
The scope of the vulnerability is magnified by two outdated versions of the OpenSSL implementation that are still running on many web servers. On Monday, the OpenSSL Project released two patches that disable the SSLv2 protocol by default and remove the SSLv2 EXPORT ciphers. The patched releases are versions 1.0.2g and 1.0.1s of its open source SSL/TLS toolkit.
On Monday, stakeholders such as Red Hat were quick to release statements downplaying the threat of DROWN to their customers. “As a leader in open source security, Red Hat has already delivered tested, certified patches for our affected products and provided updated, secure images to our certified container registry,” wrote Red Hat in a statement.
“This is a vulnerability that has been known for a long time in the older versions of the SSL protocol, but that combined with the backdoor vulnerability caused by export crippled cryptography,” said Steve Marquess of OpenSSL. He said that even though the US government no longer requires those export restrictions, a lot of that export-crippled cryptography code is still supported. The combination of the two (SSLv2 and export-crippled cryptography) has created a devastating way of breaking every known implementation of SSLv2. “People shouldn’t be using either one of those implementations, but a huge number of websites still are,” Marquess told Threatpost.
DROWN is a new form of cross-protocol Bleichenbacher padding oracle attack, according to researchers. And similar to Bleichenbacher, the DROWN attack exploits a fundamental weakness in the SSLv2 protocol that relates to 1990s-era export-grade cryptography introduced to comply with US government restrictions. At the time, anyone who implemented SSLv2 was forced to build in a series of “export-grade ciphersuites” that offered 40-bit session keys. “This was the result of needing to satisfy the U.S. government’s misguided attempt to control the export of cryptography,” Green writes.
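The two settings the OpenSSL patches above change, SSLv2 support and the EXPORT cipher suites, are also the two things a server operator can check in their own configuration. The following audit is an added example, not code from the article or the OpenSSL Project; it runs over constructed Apache mod_ssl fragments, and its directive semantics are deliberately simplified (it assumes `all` includes SSLv2, as older mod_ssl builds did, and treats `ALL`/`EXPORT`-style cipher aliases as pulling export suites in unless a hard `!EXPORT` exclusion is present).

```python
# Constructed sample Apache mod_ssl fragments (hostnames and values are made up).
SAMPLE_CONFIGS = {
    "legacy.example.test": "SSLProtocol all\nSSLCipherSuite ALL:RC4:EXPORT\n",
    "hardened.example.test": "SSLProtocol all -SSLv2 -SSLv3\n"
                             "SSLCipherSuite HIGH:!aNULL:!EXPORT:!LOW\n",
}

KNOWN_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
# Cipher-list aliases that can bring export-grade suites into the enabled set
# on OpenSSL builds that still ship them (assumption for this example).
EXPORT_ALIASES = {"exp", "export", "exp40", "exp56", "all", "complementofdefault"}


def sslv2_enabled(protocol_directive):
    """Evaluate an SSLProtocol value left to right.
    Toy semantics: 'all' is treated as including SSLv2 (older mod_ssl behaviour)."""
    enabled = set()
    for tok in protocol_directive.split():
        name = tok.lstrip("+-").lower()
        names = KNOWN_PROTOCOLS if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return "sslv2" in enabled


def export_ciphers_reachable(cipher_string):
    """Heuristic: export suites count as reachable when no '!EXPORT'/'!EXP'
    exclusion is present and some positive token could include them."""
    tokens = [t.strip() for t in cipher_string.split(":") if t.strip()]
    if any(t.lower() in ("!export", "!exp") for t in tokens):
        return False
    return any(t.lstrip("+").lower() in EXPORT_ALIASES for t in tokens)


def audit(config_text):
    """Return the list of DROWN-relevant findings for one config fragment."""
    findings = []
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, value = parts
        if directive == "SSLProtocol" and sslv2_enabled(value):
            findings.append("SSLv2 enabled")
        elif directive == "SSLCipherSuite" and export_ciphers_reachable(value):
            findings.append("export-grade ciphers reachable")
    return findings


def audit_all(configs):
    return {host: audit(text) for host, text in configs.items()}


if __name__ == "__main__":
    for host, findings in audit_all(SAMPLE_CONFIGS).items():
        print(host, "->", findings or ["ok"])
```

To confirm what a cipher string really enables on a given build, run `openssl ciphers -v '<string>'` on that host rather than relying on the alias heuristic.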
According to the researchers who discovered DROWN, “the attacker’s probes use a cipher that involves only 40 bits of RSA encrypted secret key material.”
Today, the computing power needed to make a DROWN attack possible is achievable with a decent computer. “In this case, the attacker needs about 17,000 probe connections in total to obtain the key for one out of 260 TLS connections from the victim, and the computation takes under a minute on a fast PC,” researchers wrote. Researchers said that in a worst-case scenario an attack could take eight hours using Amazon’s cloud-based on-demand compute service (EC2) at a cost of $440.