DROWN Attack (CVE-2016-0800), Turing Award and Leo’s Oscar

Hello,
A new security vulnerability ("DROWN": Decrypting RSA with Obsolete and Weakened eNcryption) affecting OpenSSL was disclosed yesterday which allows an attacker to decrypt secure TLS sessions and steal sensitive data such as passwords and credit cards information.

All applications that rely on TLS protocol (like websites and email) are therefore affected.


The vulnerability (id: CVE-2016-0800) is exposed whenever a TLS-enabled "secure server" still supports the archaic SSLv2, or -and here is the trick- if another "unsecure server" in the domain uses the same certificate as the "secure server" (could be different applications) and this "unsecure server" supports SSLv2. This would allow the attacker to decrypt TLS-encrypted messages from the "secure server" sessions, although not possessing the private crypto key.

Initial reports state that a shocking 1 out of 3 of all worldwide HTTPS servers are vulnerable to the attack, and a 1 out of 4 "top one million" domains are affected as well, including websites of Yahoo, Flickr, Vmware and 4shared to name a few.



How to protect your environment?

To protect against this vulnerability, you need to have SSLv2 disabled on your servers, and if it must stay enabled on one of your servers for a particular reason, make sure that this server isn't using the same certificate as the other servers that use the more secure TLS encryption protocol.
Microsoft, starting with IIS 7.0, disables SSLv2 by default (though it can be manually enabled); while Apache administrators can check the instructions on how to disable SSLv2.
Ultimately, OpenSSL must be updated in your environment to 1.0.1s or 1.0.2g to fix this flaw.
Concerning networking vendors, below are the preliminary links containing the list of affected products (we will add additional vendors once they publish articles in response to DROWN):


Ciscohttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl
F5https://support.f5.com/kb/en-us/solutions/public/k/23/sol23196136.html
Bluecoathttps://bto.bluecoat.com/security-advisory/sa117


So is your website affected? Here is a link to a quick tool to check. The tool takes some time to update its database so after fixing your server you might still see it as "affected" for a short period of time.




Also in the news, Martin Hellman (left) and Whitfield Diffie (right), creators of the famous Diffie-Hellman (DH) algorithm and practical founders of "Public-key Cryptography", have been awarded the "Turing Award" a.k.a. the Nobel Prize of the computing world.






While as you might have known already, Leonardo DiCaprio, after dying of hypothermia (Titanic) and of heart disease (J. Edgard), being shot in the head (The Departed), in the chest (Django Unchained), in the side (Blood Diamond), in the back (The Great Gatsby), and being mauled by a bear (The Revenant), Leo has finally won his Oscar!




--
Elie Bassil
linkedin.com/in/eliebassil

Previous
Next Post »