ADVISORY: Apply patch and reconfigure SSL to avert DROWN attack

Tuesday, March 1, 2016

This message was sent to U-M IT staff groups on March 1, 2016. It is intended for U-M IT staff who are responsible for university servers that use the SSL protocol, such as web servers and email servers.


Summary: 

An attack called DROWN takes advantage of systems still using SSLv2. DROWN stands for Decrypting RSA using Obsolete and Weakened eNcryption. It is an attack that allows decryption of intercepted data and can also allow man-in-the-middle attacks. Server administrators should disable SSLv2 and update to the latest version of OpenSSL.

Affected Systems: 
  • All servers that support SSLv2 may be vulnerable.
  • Unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf (released on March 19, 2015) on systems where SSLv2 is enabled.
Action Items: 
  • Check your SSL services. Use the methods described in the DETECTION section below to determine if any of your web servers or email servers are vulnerable. Critical services and systems that store or process sensitive data should be prioritized.
  • Disable SSLv2. Disable the SSLv2 protocol in all SSL/TLS servers, if you have not already done so. Disabling all SSLv2 ciphers is also sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and 1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol, and are not patched for CVE-2015-3197, are vulnerable to DROWN even if all SSLv2 ciphers are nominally disabled, because malicious clients can force the use of SSLv2 with EXPORT ciphers.
  • Upgrade OpenSSL. OpenSSL 1.0.2 users should upgrade to 1.0.2g. OpenSSL 1.0.1 users should upgrade to 1.0.1s. Users of older OpenSSL versions should upgrade to either one of these versions. Install these updates which should be made available from your software vendor, such as RedHat or Ubuntu.
Threats: 

If an attacker can intercept TLS-encrypted network traffic, it is possible for them to decrypt that traffic by utilizing a server with SSLv2 enabled that uses the same private key. Exploitation of this vulnerability is much simpler if the server is using a version of OpenSSL that is vulnerable to CVE-2016-0703. Exploitation is believed to be more complicated if the SSLv2 server is not vulnerable to CVE-2016-0703, but targeted attacks are still feasible with a moderate amount of resources.

Technical Details: 

DROWN is a new form of cross-protocol Bleichenbacher padding oracle attack. It allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key. For more detailed technical information, please see drownattack.com and the full technical paper.

Detection: 

To check whether your server appears to be vulnerable, enter the domain or IP address in the Check for DROWN box at DROWN Attack. Please note that even if a server is vulnerable to CVE-2016-0703, it is not vulnerable to DROWN (CVE-2016-0800) unless SSLv2 is enabled on the server or on another server using the same private key.

Information for Users: 

This vulnerability affects servers. There is nothing that end users need to do.

In general, the best protection for individuals is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.