News

New vulnerability at Open SSLv2: Drown Attack

There is a new Open SSLv vulnerability called “Drown Attack”

Discovered:03/01/2016

Who’s vulnerable:every server using OpenSSLv2 protocol.

About of 2.3 million of HTTPS servers are vulnerable to “Special Drown” attack and 3.5 million of HTTPS servers vulnerable to “General Drown” attack, also the Drown Attack team run an Internet wide scan and they got this results:

  • HTTPS — Top one million domains 25%
  • HTTPS — All browser-trusted sites 22%
  • HTTPS — All sites 33%

How it works:

An attacker can decrypt the communication channel between the client and the server, and get information and files that can compromise the privacy of the clients, the attacker tries to decrypt messages using the SSLv2 protocol, its required have the same private key for SSLv2 and TLS to decrypt all the TLS messages, this attack it’s a variant of the one created by Daniel Bleichenbacher in 1990’s

There’s another variation of this attack named “Special DROWN” that uses another vulnerability of SSLv2 to decrypt the message in one minute using one cpu core, that vulnerability “OpenSSL handles SSLv2 key processing” and was patched in March 2015

How to solve it:

How to solve it: disable OpenSSLv2 protocol on your server and its cipher suites, do not use the same private/public key between protocols.

If you feel that your server can be vulnerable to this new kind of attack you can use https://www.ssllabs.com/ssltest/ to verify the actual state of your ssl configuration and possible vulnerabilities, you can also check if your site was detected as vulnerable to drown attack here https://drownattack.com/#check

References:

https://drownattack.com/

Published by
DevOps Guy

Recent Posts

How to Choose a Nearshore Software Development Company | Video

You may have considered hiring a nearshore software development company or services, but you still have doubts…

1 week ago

End to End Project Management: Complete Guide

End-to-end project management goes as far back as you can remember. Every project in history, even…

2 weeks ago

What is AWS DevOps? | The Complete Guide

AWS DevOps has recently become a trending topic in IT circles as it offers companies…

3 weeks ago

AI vs Machine Learning | Key Differences

When understanding AI vs Machine Learning, it’s essential to grasp how these innovations shape the…

4 weeks ago

Why .NET for Cloud Native Development? | Video

If you are involved in the IT industry by any means, it is your job…

4 weeks ago

Azure Migration: Single to Flexible Server

A Fintech company was dealing with outdated infrastructure, incurring additional costs due to the deprecation…

1 month ago