A major security vulnerability known as DROWN has been discovered in OpenSSL and it is known to affect more than eleven million websites and e-mail services protected by Secure Sockets Layer (SSLv2). Orla Faughnan, a manager with Ward Solutions, Ireland’s largest information security company, has given us some background information on DROWN and on what you should do if you are affected.
What is DROWN?
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a cross-protocol attack which can be used to decrypt TLS (Transport Layer Security) sessions, and potentially allow attackers to intercept sensitive communications and user data. The vulnerability was first disclosed on 1st March.
Who does it affect?
All HTTPS sites, mail servers and other network services which rely on SSL (Secure Sockets Layer) and TLS are vulnerable to attack. On the date of disclosure, the research team involved in its identification used internet-wide scanning to gauge the breadth of vulnerable sites and reported that a third of all HTTPS sites were vulnerable at that time. Approximately 11.5 million servers are affected in total, and the list of known affected websites currently includes high-traffic sites such as Yahoo, Buzzfeed and Samsung, among others.
Am I Vulnerable?
Your websites, email servers, etc. may be vulnerable if they use SSL Version 2.0. Before this disclosure, allowing SSLv2 was not considered best practice, but it was not considered a security risk either, as up-to-date clients didn’t use this protocol. However, in light of the recent attacks, it is recommended to disable SSLv2 immediately, as it is now a threat to modern servers and clients.
The international group of researchers from universities, Google and OpenSSL who discovered the attack have stated that servers are vulnerable to DROWN if they allow SSLv2 connections, or if their private key is used on any other server that allows SSLv2 connections, even for another protocol.
For example, if an organisation uses a certificate on a web server which does not allow SSLv2, but it also has an email server which allows SSLv2 and uses the same certificate, then an attacker can utilise the email server to break TLS connections on the web server.
I’m affected, what now?
The recommendation is to disable SSLv2, paying particular attention to ensure that private keys are not used anywhere that permits SSLv2 connections. The research team behind the discovery have provided instructions on mitigation for a series of common products on their dedicated website, and Ward advises that IT managers and teams in Ireland review these and any vendor security advisories as they are published.
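One way to audit for the key-reuse condition described above, as an added example that is not part of the original article: it groups services by public-key fingerprint, not certificate fingerprint, because a reissued certificate that keeps the same key pair is still exposed. The host names, fingerprints and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory. In practice each record comes from your own scan
# results: a hash of the certificate's public key, a hash of the certificate,
# and whether the service accepted an SSLv2 handshake.
INVENTORY = [
    {"service": "www.example.test:443",  "cert_fp": "c1", "key_fp": "k-aa11", "sslv2": False},
    # Different certificate, same key pair as www: still linked by the key.
    {"service": "mail.example.test:25",  "cert_fp": "c2", "key_fp": "k-aa11", "sslv2": True},
    {"service": "shop.example.test:443", "cert_fp": "c3", "key_fp": "k-bb22", "sslv2": False},
    {"service": "old.example.test:443",  "cert_fp": "c4", "key_fp": "k-cc33", "sslv2": True},
]

def classify(inventory):
    """Return {service: (status, [other SSLv2 services sharing its key])}."""
    sslv2_by_key = defaultdict(list)
    for rec in inventory:
        if rec["sslv2"]:
            sslv2_by_key[rec["key_fp"]].append(rec["service"])
    result = {}
    for rec in inventory:
        sharing = sorted(s for s in sslv2_by_key.get(rec["key_fp"], [])
                         if s != rec["service"])
        if rec["sslv2"]:
            status = "vulnerable-direct"        # allows SSLv2 itself
        elif sharing:
            status = "vulnerable-shared-key"    # TLS-only, but key is on an SSLv2 service
        else:
            status = "not-exposed"
        result[rec["service"]] = (status, sharing)
    return result

def remediation(inventory):
    """Services where SSLv2 has to be disabled to clear every finding."""
    return sorted(r["service"] for r in inventory if r["sslv2"])

if __name__ == "__main__":
    for svc, (status, via) in classify(INVENTORY).items():
        print(f"{svc:24} {status:22} {', '.join(via)}")
    print("disable SSLv2 on:", ", ".join(remediation(INVENTORY)))
```

Here the web server is flagged even though it refuses SSLv2, because the mail server holding the same key accepts it.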
If you have any concerns regarding DROWN or other potential weaknesses in your IT security, you can call Ward Solutions today on 01 642 0100 or visit our website http://www.ward.ie/ and talk to a member of our experienced team.