Details about DROWN attacks and how to prevent them

A whopping 11.5M websites using the HTTPS protocol for encryption are estimated to be at the risk of being attacked and having their data compromised and stolen from a new vulnerability that has been detected as a loophole in OpenSSL, identified as DROWN.

DROWNing What is it and How to Protect Yourself

Decrypting RSA with Obsolete and Weakened encryption (DROWN) uses an outdated security protocol, SSLv2, which can be used to misuse the HTTPS encryption protocol and obtain PII (Personal Identifiable Information) about the readers of the web page. This makes the vulnerability a pervasive problem, as financial institutes, banks, and other companies mostly use HTTPS and the information of millions of visitors is put at risk.

Some of Alexa’s top websites have been affected and can be attacked using this loophole. Websites such a Yahoo, Alibaba, and premier Indian bank The State Bank of India’s websites are at the risk of losing their data. Obsolete versions of IIS (Microsoft Internet Information Services) and those of NSS (Network Security Services), which is a conventional cryptographic thesaurus built into various servers, are also open to DROWN attacks.

If your website is Vulnerable, the good news is DROWN has been discovered by academic researchers and ethical hackers, so a solution is already underway. But since the news is out, the loophole is free for anyone to exploit.

Since the OpenSSL protocol is the most common one, and you probably are using it, how can you make sure you are not targeted? The first step is to check your website on the DROWN vulnerability test site.  If you are vulnerable, the first step is to upgrade your OpenSSL version.

OpenSSL 1.0.2 users must upgrade to 1.0.2g and 1.0.1 users must upgrade to 1.0.1s. If you do not use any of these versions, you should upgrade to one of them. The next step is to upgrade your NSS and Microsoft IIS versions if you already haven’t.

At every IP address on websites having a certificate that verifies SSLv2, eavesdropping attacks can be carried out. The answer to this problem according to the researchers is to update server software at all such IPs and ensure SSLv2 is disabled on all servers. Disabling this on ALL the servers is critical, as quoted by director of engineering at Qualys:

“The attack is not trivial … I recommend that you first ensure your systems are not vulnerable. Fortunately, remediation is straightforward: Disable SSL v2 on all servers you have. It’s as simple as that…. but I really do mean all servers. If you’ve been reusing private RSA [Rivest-Shamir-Adleman] keys (even with different certificates), disabling SSL v2 on one server is not going to help if there’s some other server (possibly using a different hostname, port, or even a protocol) that continues to support this old and crazy vulnerable protocol version.”

Therefore securing all your servers is essential, as anyone insecure server can provide a loophole for the attack.

OpenSSL patches have already been made available for people, and work is being done on other patches to solve this problem.

Top/Featured Image: By JassimNasserMuhammad / deviantart

Pierluigi Paganini Cyber Security Analyst; Member, European Union Agency for Network and Information Security Threat Landscape Stakeholder Group; Founder, Security Affairs Blog. Co-author of The Deep Dark Web: The Hidden World.
Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.