Decrypting RSA using Obsolete and Weakened eNcryption (DROWN) attacks allow attackers to decrypt intercepted Transport Layer Security (TLS) traffic by abusing vulnerabilities in the obsolete Secure Socket Layer Version 2 (SSLv2) protocol. A successful DROWN attack can provide the attacker with the encryption keys used to secure client-to-server communications. The attack works by making repeated requests to a server using the deprecated SSLv2 protocol instead of the recommended TLS protocol. Each SSLv2 connection request allows the attacker to decipher a few bits of the encryption key. With enough requests, attackers can piece together the entire encryption key, allowing interception and decryption of TLS-protected traffic encrypted with the same keys.

SSLv2 was deprecated in 1996 due to serious security flaws in its implementation. TLS is the current recommended protocol for protecting client-to-server communications; all versions of SSL have been rendered obsolete by significant security flaws in the protocols. Unfortunately, SSLv2 and SSLv3 are still prevalent due to the need to maintain backward compatibility with legacy systems, the lack of adequate vulnerability management and patching, and most significantly, the lack of proper configuration for public-facing server resources and applications that rely on encrypted client-to-server communications. The most recent estimates indicate that SSLv2 is directly supported by approximately:

  • 5.9 million Web servers (17% of all HTTPS-protected machines)
  • 81,000 of the top 1 million most popular web sites
  • 936,000 e-mail servers

Even though SSLv2 has been deprecated for more than 20 years, it is still available as an option for negotiating encryption during client-to-server communications in many applications and servers. Modern applications will attempt to use the more secure TLS protocol, but attackers can manually request to use SSLv2 on a vulnerable server to force the insecure protocol to be used, giving them the opportunity to conduct a DROWN attack. An attacker that successfully conducts a DROWN attack against a vulnerable server can use the deciphered encryption keys to intercept and decrypt TLS-encrypted network traffic if the same compromised key is used to encrypt the data. This also means that an attacker that successfully uses DROWN on one server could use the compromised keys to decrypt traffic from any other server that uses the same keys. For these reasons, these vulnerabilities should be addressed, or adequate workarounds implemented immediately, until vendor patching is made publically available.

Public-facing servers can be scanned using the free Qualys SSL Labs SSL Server Test to determine if the SSLv2 protocol is available to be used to encrypt communications. The scanner can be found at https://www.ssllabs.com/ssltest/.

Preventing the exploitation of these vulnerabilities and subsequent DROWN attacks can be achieved by removing SSLv2 support from your servers and then immediately updating any keys that could have been exposed by successful DROWN attacks to ensure that future TLS encrypted communications cannot be intercepted or decrypted by attackers.

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, and with offices in Georgia, Massachusetts, Michigan, Minnesota, Missouri, Florida, Texas, and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.