A Third of All HTTPS Websites Vulnerable To DROWN Attack

An anonymous reader writes: The OpenSSL project has released versions 1.0.2g and 1.0.1s to address a high severity security issue known as the DROWN attack (CVE-2016-0800) which allows attackers to break HTTPS and steal encrypted information. In layman terms, the attack uses an improperly patched issue (from 1998) in SSL to attack websites using the more modern TLS protocol. Servers where admins use SSL and TLS are in danger. Additionally, servers where only TLS is used, but the admins are sharing the same certificate for other servers where they have SSL, are also vulnerable, since the attack targets RSA, employed in both SSL and TLS. The entire attack is also easy to carry out, costing only $440 on Amazon EC2.

The name

[s_p_oneil]

The name "DROWN" probably has something to do with how admins feel about using OpenSSL by now (or perhaps what they think should be done to it, or both). It goes well with names like heart-bleed.

Re:The name

It's actually an acronym(-ish) for Decrypting RSA with Obsolete and Weakened eNcryption.

It also lends itself to the term "my server got dr0wned".

Re:The name

As we saw with Heartbleed, is it now a requirement that every vulnerability have its own logo? I didn't know that security teams needed to hire graphic artists.

Re:The name

Looks like they took a page out of Congress's book with the ridiculous acronyms.

Wow, really?

[gstoddart]

the attack uses an improperly patched issue (from 1998)

So I take it this is an issue which hasn't been properly fixed by vendors and nobody is using web servers from 1998?

This sounds more like badly written software than bad admin practices. How the heck are you supposed to prevent that?

Re:Wow, really?

Use open source software. OSS has had years if not decades of eyeballs scouring it for vulnerabilities. While occasionally something still gets found, it is not typically severe and is quickly patched.

Re:Wow, really?

[geekmux]

...This sounds more like badly written software than bad admin practices. How the heck are you supposed to prevent that?

Prevent?

Microsoft is still in business today. That should tell you something about prevention.

Re: Wow, really?

Like OpenSSL?

Re:Wow, really?

To be fair, the described attack requires resources that haven't been available to the majority of the world until very recently. Had you managed to sit on this zero-day for twenty years, and you'd started the computations listed on consumer-grade equipment in the late 90s, you might be halfway done by now. Bottom line is, now that datacenter-level resources are becoming available to any script kiddie with a credit card, you're going to see a lot more of this kind of attack, regardless of the source.

Re: Wow, really?

LibreSSL is more robust and is a lean version of OpenSSL.

Re: Wow, really?

[Billly+Gates]

LibreSSL is more robust and is a lean version of OpenSSL.

LibreSSL is vulnerable as well since it is an design flaw of SSLv2 more than a product defect.

Re: Wow, really?

[omnichad]

And was forked from OpenSSL long after this bug was in the codebase.

Re: Wow, really?

Um, LibreSSL removed SSLv2, so no. It is not vulnerable.

http://undeadly.org/cgi?action=article&sid=20160301141941&mode=expanded

Re:Wow, really?

[AchilleTalon]

I don't see how it relies on badly written software rather than bad sysadmin practices. The exploit need both TLS and SSLv2 configured on the server. These days, if someone has SSLv2 active on his/her website, you can call it a bad sysadmin practice for sure. Anyone with SSLv2/SSLv3 active on his/her website deserve to be kicked in the butt. And a third of the sysadmins deserve exactly that.

Re: Wow, really?

[mnemotronic]

Gish Gallop!

Hiawatha

[Aethedor]

So glad that I'm using a webserver that does NOT use this abomination called OpenSSL and was writting with security in mind. Drown, Heartbleed, Slowloris, etc, never caused me any trouble.

Re:Hiawatha

[robmv]

It is not an OpenSSL exclusive problem, Is a protocol one. If you have SSLv2 enabled, you are vulnerable

Re:Hiawatha

[Aethedor]

Sure, but that's how mbed TLS (former PolarSSL, the TLS library used in Hiawatha) and Hiawatha helped me. mbed TLS dropped support for it long ago and Hiawatha uses sane and secure default settings. Without any tweaking, it gives you an A rating at ssllabs.com.

Re:Hiawatha

[WaffleMonster]

So glad that I'm using a webserver that does NOT use this abomination called OpenSSL

It uses the abomination called PolarSSL with its own history of exploitable vulnerabilities.

and was writting with security in mind

Using naÃve heuristics to defend against SQLi and XSS demonstrates the opposite.

Drown, Heartbleed, Slowloris, etc, never caused me any trouble.

Whose fault is allowing SSLv2 and export ciphers in 2016? All those poor site operators... OpenSSL made me do it!!

--
https://technet.microsoft.com/...

Re:Hiawatha

[DigitalSorceress]

Thanks... good to know. I really need to get off OpenSSL - go with one of the leaner distributions... we all do.

Re:Hiawatha

[BuGless]

It uses the abomination called PolarSSL with its own history of exploitable vulnerabilities.

True, but genetic diversity in this case is what can save your bacon. Organisms have been doing it for ages.

and was writting with security in mind

Using naive heuristics to defend against SQLi and XSS demonstrates the opposite.

Well, the Hiawatha project is notoriously bad at PR, nevertheless, it's open source, and there are multiple people scrutinising the code. But if you ignore those toy-like security kludges and the over-the-top claims of security, it turns out to be a rather solid platform.

Re:Hiawatha

[Carewolf]

Sure, but that's how mbed TLS (former PolarSSL, the TLS library used in Hiawatha) and Hiawatha helped me. mbed TLS dropped support for it long ago and Hiawatha uses sane and secure default settings. Without any tweaking, it gives you an A rating at ssllabs.com.

OpenSSL also disables SSLv2 by default. The problem is that some people apparently overrides the safe defaults.

Re:Hiawatha

[Aethedor]

Why do you think it has notoriously bad PR? What do other webserver projects do what Hiawatha doesn't?

Yes, the author himself has said that many security features are/were experimental, but why do you think it has toy-like security kludges and over-the-top claims? I found many of its security features very useful.

Disable SSLv2

[bill_mcgonigle]

It seems to say that if you have SSLv2 enabled on any service with your keys, you're vulnerable. Otherwise, not. A quarter of admins don't seem to know how to disable it.

Re:Disable SSLv2

[xxxJonBoyxxx]

>> A quarter of admins don't seem to know how to disable it.

In many cases, the problem is "downstream" of the admins originally tasked with disabling it. E.g., Original website gets locked down with TLS only, but then a proxy/CDN/accelerator project comes along and "front-ends" some or all of the HTTPS services/content, and the new HTTPS-serving service isn't locked down and could even be invisible to the admins in charge of the original web application boxes. (Yes, I've seen this happen before both as a developer and a pentester.)

Re:Disable SSLv2

[guruevi]

The default in most packages (I'm talking Exchange, IIS, Apache, nginx, Postfix, Dovecot, ...) is that it is enabled. The problem is that disabling it could break a lot of clients, especially those on Windows XP, IE6 or older versions of Java.

Re:Disable SSLv2

[Billly+Gates]

The default in most packages (I'm talking Exchange, IIS, Apache, nginx, Postfix, Dovecot, ...) is that it is enabled. The problem is that disabling it could break a lot of clients, especially those on Windows XP, IE6 or older versions of Java.

Which is why I want to strangle slashdotters who claim anything after XP is for the sake of change and that old software is the best thing since sliced bread.

System admins get the horde of the hostily more than the helpdesk folks. It is their fault for being hacked, yet users and management never want to upgrade or spend any money because it works just fine. Meanwhile if something is hacked or breaks it is on the system admin for not fixing it even though management didn't follow their own procedures

Re:Disable SSLv2

[omnichad]

SSLv3? TLS 1.0 is no longer even PCI compliant due to vulnerabilities.

Re:Disable SSLv2

[codealot]

You're confusing it with SSLv3, which was still used by Win XP, IE6, Java 6, ancient Androids maybe. I can't think of anything that depends on SSLv2 and would be in common use today.

SSLv2 has been obsolete for decades. Both should be turned off--the bare minimum for secure sites is TLS v1.0, and PCI DSS requires all older protocols to be disabled, if you need such certifications.

Re:Disable SSLv2

[Dogers]

On Windows since at least 2008R2, SSLv2 is explicitly disabled by default..

Re:Disable SSLv2

[Carewolf]

No, that would be SSLv3. SSLv2 was deprecated in 1998 - 18 years ago, we had years of downgrade attacks like this before it became standard practice to drow all SSLv2 support, and that is already some 10 years ago. Unless you need to support crap from the 1990s that havne't been updated, you have no excuse for support SSLv2, and if you need to support that old crap, you really should have it on a secure intranet.

Re:Disable SSLv2

[AnthonySimpson]

SSLv3 is vulnerable to the POODLE attack and other attacks. It doesn't seem like any version of SSL is truly safe. What are the alternatives? Documentation on SSL3 vulnerabilities- https://isc.sans.edu/forums/di...

Re:Disable SSLv2

[jrumney]

The default in Apache is not to have an https server set up at all. The instructions I followed 3 years ago for enabling it had SSLv2 and SSLv3 disabled (I just checked my config, and it was already disabled), so maybe these third of all websites are following some guys blog instead of the vendors documentation.

Re:Disable SSLv2

[guruevi]

If you don't explicitly disable it, it will be enabled. Yes, the defaults is to not have SSL, but this is the documentation
https://httpd.apache.org/docs/...
This page doesn't even make mention of the SSLProtocol directive.

Re:Disable SSLv2

[guruevi]

Well, if you want to enable SSL, you go to the documentation right? NEITHER Apache 2.4 nor nginx documentation mention the SSL Protocol directives on their pages or any warning about why you should disable them. Vendor defaults (I just went through it on Ubuntu LTS) do have commented out SSL directives for Postfix/Dovecot but do not have any warning nor SSL protocols disabled.

Re:Disable SSLv2

[jrumney]

You are looking at the documentation for Apache 2.4, which does not even support SSLv2.

[REDUNDANT]

[darkain]

[REDUNDANT]

Good thing /. isn't vulnerable at all, thanks to its lack of HTTPS support!

Re:LibreSSL not affected by DROWN attack

[guruevi]

Obviously because it doesn't support SSLv2.

The problem is not in the library but in the protocol, the reason people continue to use OpenSSL is BECAUSE it supports all sorts of SSL versions and thus more flexible to use than any other OpenSSL-wannabe-dropin.

This OpenSSL version however breaks stuff by disabling it by default and changing the API when you DO want to use it; given that the only applications that would use it are ancient, I doubt there would be any fixes for those applications to use the new API. This is a protocol issue, not a library issue, leave the API's intact, throw up a giant warning and let people manage their own security. Now what will happen is that people requiring SSLv2 support (for whatever reason) will probably revert to older versions of the library that have bigger issues than SSLv2 support.

Astonished

[operagost]

Absolutely astonished that anyone has SSL v2 enabled. You can pick any modern security standard (like PCI DSS or SSAE16) and it reads something like, "disable all obsolete or vulnerable protocols". I mean, I haven't had SSL v3 enabled on anything I'm responsible for since 2010.

Re:Astonished

[operagost]

I'm not familiar with that approach. Ours was to require TLS 1.0. In situations where TLS wasn't supported, we used SSL 3.0 with CBC ciphers disabled. Of course, this worked for about 6 months before someone discovered that RC4 was vulnerable...

Your ignorance is showing.

So glad that I'm using a webserver that does NOT use this abomination called OpenSSL and was writting with security in mind. Drown, Heartbleed, Slowloris, etc, never caused me any trouble.

This flaw, which is common to all SSLv2 implementations, was discovered and proven with help from the OpenSSL team. So tell me how horrible OpenSSL is again?

Incidentally, none of my servers (many of which use OpenSSL) were vulnerable to DROWN because SSLv2 has been turned off on all of them for years.

There's nothing wrong with applauding your own favorite webserver, but when you attack a mature crypto library, you need to get your facts straight. Personally I am less likely to consider Hiawatha if it's beloved by ignorant people....

Re:Your ignorance is showing.

[Aethedor]

Personally I am less likely to consider Hiawatha if it's beloved by ignorant people....

Speaking of ignorance...

Re:Amazon EC2, tool of terror

[avandesande]

It's a stupid thing to quote- I am sure Amazon or any other hosting provider keeps very good logs about user activity and would quickly hand your information over to feds if asked. So it really isn't that cheap- either you need to steal access to such machines or buy them.

Ha ha, no worries

[JustAnotherOldGuy]

Ha ha, no worries here, I don't use SSL on my sites!

Oh, wait...