*** Welcome to piglix ***

Drown attack


The DROWN attack is a cross-protocol security bug that attacks servers supporting modern TLS by using their support for the obsolete, insecure, SSL v2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. DROWN can affect all types of servers that offer services encrypted with TLS yet still support SSLv2, provided they share the same public key credentials between the two protocols. Additionally, if the same public key certificate is used on a different server that supports SSLv2, the TLS server is also vulnerable due to the SSLv2 server leaking key information that can be used against the TLS server.

Full details of DROWN were announced in March 2016, along with a patch that disables SSLv2 in OpenSSL; the vulnerability was assigned the CVE ID CVE-2016-0800. The patch alone will not be sufficient to mitigate the attack if the certificate can be found on another SSLv2 host. The only viable countermeasure is to disable SSLv2 on all servers.

The researchers estimated that 33% of all HTTPS sites were affected by this vulnerability as of March 1, 2016.

DROWN is an acronym for "Decrypting RSA with Obsolete and Weakened eNcryption". It exploits a vulnerability in the combination of protocols used and the configuration of the server, rather than any specific implementation error. According to the discoverers, the exploit cannot be fixed by making changes to client software such as web browsers.

The exploit includes a chosen-ciphertext attack with the use of a SSLv2 server as a Bleichenbacher oracle. The proof-of-concept attack demonstrated how both multi-GPU configurations and commercial cloud computing could perform part of the codebreaking calculations, at a cost of around $18,000 for the GPU setup and a per-attack cost of $400 for the cloud. A successful attack will provide the session key for a captured TLS handshake.

The investigators, who described the attack above as the general DROWN attack also found a specific weakness in the OpenSSL implementation of SSLv2 that allowed what they called a special DROWN attack. This vastly reduced the effort required to break the encryption, making real-time man-in-the-middle attacks possible that required only modest computing resources.


...
Wikipedia

...