OpenSSL Secured Websites Vulnerable to DROWN
A group of international academic researchers have discovered a vulnerability in OpenSSL security that has the potential to affect as many as 11.5 million servers. The hole in this security protocol allows Secure Sockets Layer (SSLv2) an outdated security protocol, to be used to attack modern websites.
The attack that exploits this vulnerability has been titled DROWN (Decrypting RSA with Obsolete and Weakened eNcryption – CVE-2016-0800), and it is estimated to be able to kill off a minimum of one-third of ALL HTTPS servers.
While OpenSSL is the most popular target, it’s not the only one vulnerable, Microsoft Internet Information Services (IIS) versions 7 and certain editions of Network Security Services (NSS) are also susceptible to being exploited. If you are using OpenSSL for security, we recommend that if you upgrade to OpenSSL 1.0.2g or 1.0.1s. For ISS and NSS users, upgrade to the latest versions ASAP. Now that the vulnerability has been exposed, it is safe to assume that the hackers will be attacking servers soon.
“We’ve been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that don’t have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hours at a total cost of $440,” according to the researchers. “Merely allowing SSLv2, even if no legitimate clients ever use it, is a threat to modern servers and clients.”
Best practice would be to disable all 3 of the old SSL protocols (v1-v3). NIST (National Institute of Standards and Technology) requires at least TLS 1.1 (TLS is the replacement to SSL) and recommends upgrading to TLS 1.2, disabling TLS 1.1 in the process All customers should ensure they are following this practice and ensure that OpenSSL is patched to maximize protection from these vulnerabilities. It is also advisable to disable any cipher suites that have no valid business case and only use ones that provide the highest grade encryption.
You can test to see if your website is vulnerable using the DROWN attack test site.
Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.
To learn more about the DROWN attack you can read here.