Tuesday, 1 March 2016

Decrypting RSA with Obsolete and Weakened eNcryption (DROWN)


An OpenSSL security hole enables Secure Sockets Layer version 2 (SSLv2) to be used to attack modern web sites. Even though SSLv2 is an ancient, long-deprecated security protocol, the attack is estimated to be able to "kill" at least one-third of all HTTPS servers (approx. 11.5 million servers).

The attack is dubbed DROWN, based on the words:
Decrypting RSA with Obsolete and Weakened eNcryption

Obsolete Microsoft Internet Information Services (IIS) versions 7 and earlier are vulnerable as well, and versions of Network Security Services (NSS), a common cryptographic library built into many server products, prior to 2012's version 3.13 are also open to attack.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

If you're using another version, move up to 1.0.2g or 1.0.1s.
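
As an added example (not code from the original post or from the OpenSSL project), the upgrade advice above can be applied to the line printed by `openssl version`. The function names are hypothetical, the sample banners are constructed, and treating branches newer than 1.0.2 as out of scope is an assumption.

```python
import re

# Fixed releases named in the post, keyed by release branch.
FIXED_LETTER = {(1, 0, 2): "g", (1, 0, 1): "s"}

# Matches "OpenSSL 1.0.1f 6 Jan 2014", "1.0.2g", "OpenSSL 1.0.1e-fips ...".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_letters) from an `openssl version` line."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % banner)
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)


def _patch_key(letters):
    # Patch letters run a..z and then za, zb, ...: a longer suffix is newer.
    return (len(letters), letters)


def drown_advice(banner):
    """Map a version banner to the upgrade advice given in the post."""
    branch, letters = parse_openssl_version(banner)
    if branch in FIXED_LETTER:
        fixed = FIXED_LETTER[branch]
        if _patch_key(letters) >= _patch_key(fixed):
            return "ok"
        return "upgrade to %d.%d.%d%s" % (branch + (fixed,))
    if branch < (1, 0, 1):
        return "move to 1.0.2g or 1.0.1s"
    # Assumption: branches newer than 1.0.2 postdate the post and are out of scope.
    return "not covered by the post"


if __name__ == "__main__":
    # Constructed sample banners, in the format `openssl version` prints.
    for line in ("OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.2g  1 Mar 2016",
                 "OpenSSL 0.9.8zh 3 Dec 2015"):
        print(line, "->", drown_advice(line))
```

Distribution packages often backport fixes without changing the version letter, so check the package changelog before trusting the banner alone. The version string also says nothing about whether SSLv2 is actually enabled on a given service.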

OpenSSL 1.0.2g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):
  • http://www.openssl.org/source/
  • ftp://ftp.openssl.org/source/

The flaw was identified by academics, and the code for the attack has not yet been released. The main reason for this is to allow people to patch their systems before the vulnerability starts being exploited.

For further information on the issue, please visit the site: https://drownattack.com

Mitigation/Protection: https://drownattack.com/#mitigation
Instructions for Apache: https://drownattack.com/apache.html
Instructions for Postfix: https://drownattack.com/postfix.html
Instructions for Nginx: https://drownattack.com/nginx.html

There is also an offline scanner available on GitHub: 
https://github.com/nimia/public_drown_scanner
