Misplaced Pages

DROWN attack: Difference between revisions

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Browse history interactively← Previous editContent deleted Content addedVisualWikitext
Revision as of 00:24, 2 March 2016 editMarkshale (talk | contribs)Extended confirmed users669 edits == See also == * Bleichenbacher attack← Previous edit Latest revision as of 19:37, 12 February 2024 edit undoAlinowe (talk | contribs)195 edits added Category:Computer security exploits using HotCat 
(94 intermediate revisions by 41 users not shown)
Line 1: Line 1:
{{Short description|Security bug}}
The '''DROWN''' attack is a ] that attacks servers supporting modern ] ]s by using their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.<ref>{{Cite web
{{redirect|DROWN|other uses|Drown (disambiguation)}}
| url = http://www.theregister.co.uk/2016/03/01/drown_tls_protocol_flaw/
{{expert-subject|Cryptography|reason=new vulnerability|date=March 2016}}

{{Infobox bug
| name = DROWN
| image = ]
| caption = Broken lock logo symbolizing DROWN attack
| CVE =
| discovered = {{Start date and age|2016|03}}
| patched =
| discoverer = Nimrod Aviram, Sebastian Schinzel
| affected software = ] (v2)
| website = {{URL|drownattack.com}}
}}

The '''DROWN''' ('''Decrypting RSA with Obsolete and Weakened eNcryption''') attack is a cross-protocol ] that attacks servers supporting modern SSLv3/] ]s by using their support for the obsolete, insecure, ] protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.<ref>{{Cite web
| url = https://www.theregister.co.uk/2016/03/01/drown_tls_protocol_flaw/
| title = One-third of all HTTPS websites open to DROWN attack | title = One-third of all HTTPS websites open to DROWN attack
| last = Leyden | last = Leyden
| first = John | first = John
| last2 =
| date = 1 March 2016 | date = 1 March 2016
| website = The Register | website = The Register
| access-date = 2016-03-02 | access-date = 2016-03-02
}}</ref><ref>{{Cite web }}</ref><ref>{{Cite web
| url = http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/ | url = https://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/
| title = More than 11 million HTTPS websites imperiled by new decryption attack | title = More than 11 million HTTPS websites imperiled by new decryption attack
| website = Ars Technica | website = Ars Technica
Line 16: Line 31:
| first = Dan | first = Dan
| last= Goodin | last= Goodin
}}</ref> DROWN can affect all types of servers that offer services encrypted with SSLv3/TLS yet still support SSLv2, provided they share the same public key credentials between the two protocols.<ref name=drown>
| website = Ars Technica
Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, ], Maik Dankel, Jens Steube, Luke Valenta, David Adrian, ], Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt. , 2016</ref> Additionally, if the same ] is used on a different server that supports SSLv2, the TLS server is also vulnerable due to the SSLv2 server leaking key information that can be used against the TLS server.<ref name=drown/>
}}</ref> Full details of DROWN were announced in March 2016, together with a patch for the exploit.


Full details of DROWN were announced in March 2016, along with a patch that disables SSLv2 in OpenSSL; the vulnerability was assigned the ID {{CVE|2016-0800}}.<ref>{{Cite web
DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error.
| url = https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800
| title = National Cyber Awareness System Vulnerability Summary for CVE-2016-0800
| website = web.nvd.nist.gov
| access-date = 2016-03-02
}}</ref> The patch alone will not be sufficient to mitigate the attack if the certificate can be found on another SSLv2 host. The only viable countermeasure is to disable SSLv2 on all servers.

The researchers estimated that 33% of all ] sites were affected by this vulnerability as of March 1, 2016.<ref>{{Cite web
| url = https://drownattack.com/
| title = DROWN Attack
| website = drownattack.com
| access-date = 2016-03-24
}}</ref>

== Details ==
DROWN is an acronym for "Decrypting RSA with Obsolete and Weakened eNcryption".<ref>{{Cite web
| url = http://www.pcworld.com/article/3039369/new-tls-decryption-attack-affects-one-in-three-servers-due-to-legacy-sslv2-support.html
| title = New TLS decryption attack affects one in three servers due to legacy SSLv2 support
| website = PCWorld
| access-date = 2016-03-02
}}</ref>
It exploits a vulnerability in the combination of protocols used and the configuration of the server, rather than any specific implementation error. According to the discoverers, the exploit cannot be fixed by making changes to client software such as web browsers.<ref name=drown/>

The exploit includes a ] with the use of a SSLv2 server as a ]. SSLv2 worked by encrypting the master secret directly using RSA, and 40-bit export ciphersuites worked by encrypting only 40-bit of the master secret and revealing the other 88-bits as plaintext. The 48-byte SSLv3/TLS encrypted RSA ciphertext is "trimmed" to 40-bit parts and is then used in the SSLv2 ClientMasterKey message, which the server treats as the 40-bit part of the SSLv2 master secret (the other 88 bits can be any value sent by the client as plaintext). By brute forcing the 40-bit encryption, the ServerVerify message can be used as the oracle. The proof-of-concept attack demonstrated how both multi-GPU configurations and commercial ] could perform part of the codebreaking calculations, at a cost of around $18,000 for the GPU setup and a per-attack cost of $400 for the cloud. A successful attack will provide the session key for a captured TLS handshake.

The investigators, who described the attack above as the ''general DROWN attack'' also found a specific weakness in the OpenSSL implementation of SSLv2 that allowed what they called a ''special DROWN'' attack. This vastly reduced the effort required to break the encryption, making real-time ]s possible that required only modest computing resources. The OpenSSL implementation of SSLv2 until 2015 did not check that the clear and encrypted key lengths are correct, allowing for example only 8-bit of the master secret to be encrypted. Until 2015, OpenSSL would also overwrite the wrong bytes in the SSLv2 master secret during its attempt at the Bleichenbacher countermeasure. Until 2016, OpenSSL would also happily negotiate disabled SSLv2 ciphersuites. Unlike SSLv3 and later, in SSLv2 the client was supposed to choose from a list of ciphersuites offered by the server but OpenSSL would allow use of unlisted ciphersuites.

The original reporters of the bug were the security researchers Nimrod Aviram and Sebastian Schinzel.<ref>{{Cite web
| url = https://access.redhat.com/security/vulnerabilities/drown
| title = DROWN - Cross-protocol attack on TLS using SSLv2 - CVE-2016-0800 - Red Hat Customer Portal
| website = access.redhat.com
| access-date = 2016-03-02
}}</ref>

== Mitigation ==
To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.<ref>{{Cite web
| url = https://drownattack.com/#mitigation
| title = DROWN Attack
| last =
| first =
| date = 1 March 2016
| website =
| publisher =
| access-date =
}}</ref>


The ] group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers.<ref>{{Cite web The ] group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers.<ref>{{Cite web
Line 30: Line 89:
| publisher = OpenSSL | publisher = OpenSSL
| access-date = | access-date =
}}</ref> However, if the server's certificate is used on other servers that support SSLv2, it is still vulnerable, and so are the patched servers.
}}</ref> Several other vulnerabilities were patched at the same time.,


Numerous sources have recommended that the vulnerability be patched as soon as possible by site operators.
== References ==
{{reflist}}


== See also == == References ==
{{reflist|35em}}
* ]


== External links == == External links ==
* https://drownattack.com/ * {{Official website| https://drownattack.com}}
* *
* {{Webarchive|url=https://web.archive.org/web/20180719233834/https://www.cyberwatch.fr/en/vulnerabilities/CVE-2016-0800 |date=2018-07-19 }}


{{SSL/TLS}} {{SSL/TLS}}
{{Hacking in the 2010s}}


]
]
]
] ]
]
]
]


{{crypto-stub}}

Latest revision as of 19:37, 12 February 2024

Security bug "DROWN" redirects here. For other uses, see Drown (disambiguation).
This article needs attention from an expert in Cryptography. The specific problem is: new vulnerability. WikiProject Cryptography may be able to help recruit an expert. (March 2016)
DROWN
Broken lock logo symbolizing DROWN attack
CVE identifier(s)CVE-2016-0800
Date discoveredMarch 2016; 8 years ago (2016-03)
DiscovererNimrod Aviram, Sebastian Schinzel
Affected softwareSSL (v2)
Websitedrownattack.com

The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack is a cross-protocol security bug that attacks servers supporting modern SSLv3/TLS protocol suites by using their support for the obsolete, insecure, SSL v2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. DROWN can affect all types of servers that offer services encrypted with SSLv3/TLS yet still support SSLv2, provided they share the same public key credentials between the two protocols. Additionally, if the same public key certificate is used on a different server that supports SSLv2, the TLS server is also vulnerable due to the SSLv2 server leaking key information that can be used against the TLS server.

Full details of DROWN were announced in March 2016, along with a patch that disables SSLv2 in OpenSSL; the vulnerability was assigned the ID CVE-2016-0800. The patch alone will not be sufficient to mitigate the attack if the certificate can be found on another SSLv2 host. The only viable countermeasure is to disable SSLv2 on all servers.

The researchers estimated that 33% of all HTTPS sites were affected by this vulnerability as of March 1, 2016.

Details

DROWN is an acronym for "Decrypting RSA with Obsolete and Weakened eNcryption". It exploits a vulnerability in the combination of protocols used and the configuration of the server, rather than any specific implementation error. According to the discoverers, the exploit cannot be fixed by making changes to client software such as web browsers.

The exploit includes a chosen-ciphertext attack with the use of a SSLv2 server as a Bleichenbacher oracle. SSLv2 worked by encrypting the master secret directly using RSA, and 40-bit export ciphersuites worked by encrypting only 40-bit of the master secret and revealing the other 88-bits as plaintext. The 48-byte SSLv3/TLS encrypted RSA ciphertext is "trimmed" to 40-bit parts and is then used in the SSLv2 ClientMasterKey message, which the server treats as the 40-bit part of the SSLv2 master secret (the other 88 bits can be any value sent by the client as plaintext). By brute forcing the 40-bit encryption, the ServerVerify message can be used as the oracle. The proof-of-concept attack demonstrated how both multi-GPU configurations and commercial cloud computing could perform part of the codebreaking calculations, at a cost of around $18,000 for the GPU setup and a per-attack cost of $400 for the cloud. A successful attack will provide the session key for a captured TLS handshake.

The investigators, who described the attack above as the general DROWN attack also found a specific weakness in the OpenSSL implementation of SSLv2 that allowed what they called a special DROWN attack. This vastly reduced the effort required to break the encryption, making real-time man-in-the-middle attacks possible that required only modest computing resources. The OpenSSL implementation of SSLv2 until 2015 did not check that the clear and encrypted key lengths are correct, allowing for example only 8-bit of the master secret to be encrypted. Until 2015, OpenSSL would also overwrite the wrong bytes in the SSLv2 master secret during its attempt at the Bleichenbacher countermeasure. Until 2016, OpenSSL would also happily negotiate disabled SSLv2 ciphersuites. Unlike SSLv3 and later, in SSLv2 the client was supposed to choose from a list of ciphersuites offered by the server but OpenSSL would allow use of unlisted ciphersuites.

The original reporters of the bug were the security researchers Nimrod Aviram and Sebastian Schinzel.

Mitigation

To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.

The OpenSSL group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers. However, if the server's certificate is used on other servers that support SSLv2, it is still vulnerable, and so are the patched servers.

Numerous sources have recommended that the vulnerability be patched as soon as possible by site operators.

References

  1. Leyden, John (1 March 2016). "One-third of all HTTPS websites open to DROWN attack". The Register. Retrieved 2016-03-02.
  2. Goodin, Dan (1 March 2016). "More than 11 million HTTPS websites imperiled by new decryption attack". Ars Technica. Retrieved 2016-03-02.
  3. ^ Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt. DROWN: Breaking TLS using SSLv2, 2016
  4. "National Cyber Awareness System Vulnerability Summary for CVE-2016-0800". web.nvd.nist.gov. Retrieved 2016-03-02.
  5. "DROWN Attack". drownattack.com. Retrieved 2016-03-24.
  6. "New TLS decryption attack affects one in three servers due to legacy SSLv2 support". PCWorld. Retrieved 2016-03-02.
  7. "DROWN - Cross-protocol attack on TLS using SSLv2 - CVE-2016-0800 - Red Hat Customer Portal". access.redhat.com. Retrieved 2016-03-02.
  8. "DROWN Attack". 1 March 2016.
  9. "Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)". OpenSSL. 1 March 2016.

External links

TLS and SSL
Protocols and technologies
Public-key infrastructure
See also
History
Implementations
Notaries
Vulnerabilities
Theory
Cipher
Protocol
Implementation
Hacking in the 2010s
← 2000s Timeline 2020s →
Major incidents
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
Hacktivism
Advanced
persistent threats
Individuals
Major vulnerabilities
publicly disclosed
Malware
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
Categories: