Today, researchers from various universities and organizations around the world announced the DROWN SSL exploit. DROWN, an acronym standing for Decrypting RSA with Obsolete and Weakened encryption, is an exploit that allows for remote decryption of SSL communications even if they’re protected by more advanced cipher suites.
Who is affected?
- Anyone who uses SSL for any services including, but not limited to, HTTPS or IMAPS should assume they’re vulnerable to this exploit.
- Any web server software such as Apache or Nginx could have SSLv2 enabled automatically, which means that server is vulnerable.
- If Open-SSL is used, it’s highly likely your server is vulnerable.
- Many other security and server services may be affected, so please be vigilant and assume you need to examine your system and be prepared to update your server.
- Check your SSL version using this tool: https://www.ssllabs.com/ssltest/
- If you choose to fix this issue yourself, check this link to learn how to correctly generate configurations: https://mozilla.github.io/server-side-tls/ssl-config-generator/
While it doesn’t see much use today, many servers still have SSLv2 as a default option for clients to use. If your server supports SSLv2, it is vulnerable to this exploit. Additionally, if the same private key is used on a server that supports SSLv2 and on a server that doesn’t, the server that does not is also vulnerable.
Important note: The servers do not need to be hosted at the same location for this to be successful. If a server is hosted in ‘datacenter’ and uses the same private key as a server in a corporate office, then both servers are potentially vulnerable.
As a generic countermeasure to exploits, efforts should be made to make sure all software and operating systems are regularly patched.
What can the attackers gain?
Any communication encrypted by SSL between users and the server can be intercepted. This typically includes, but is not limited to, usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.
What do you need to do?
If you are a Proactive Managed Hosting customer, your servers have been updated and brought to a safe state.
If you’d like to become NTSPL Managed Hosting customer, please chat with a hosting expert now for a consultation.
This vulnerability affects many aspects of your server environment, so you may have to take several steps to update your environment to a safe state.
Common vulnerable services:
Open-SSL Users: Make sure Open-SSL has been patched to the latest version. 1.0.1 Should be upgraded to 1.0.1s and those using Open-SSL 1.0.2 should make sure they’re running 1.0.2g.
Microsoft IIS: Ensure SSLv2 is disabled and update Microsoft IIS to the newest version supported by your server.
Network Security Services (NSS): Ensure SSLv2 is disabled and update to the newest version supported by your server.
Web Servers: For Apache and Nginx web servers, disable SSLv2.
How does DROWN affect the system?
DROWN works by intercepting SSL traffic encrypted with the commonly-used TLS (Transport Layer Session) cipher suite going to the target server and capturing the ciphertext. Once that’s done, the attacker repeatedly connects to a server that is using the same private key. Using specially crafted packets, an attacker is able to get the target server to eventually leak enough information that the TLS traffic can be decrypted
This exploit was discovered and released by researchers, which creates a small window to allow for patches and fixes before the exploit becomes fatal.