Major SSL Vulnerability Affects OpenSSL and HTTPS server traffic
Two independent security research teams have announced new critical flaws in the OpenSSL cryptographic library used by dozens of Internet applications. Administrators using systems with OpenSSL (typically but not limited to Linux, Mac OS X, and other UNIX-based systems) should begin reviewing patches and applying them as soon as possible. It is important to note that vulnerability to DROWN includes, but is not limited to, OpenSSL-based applications. Those using systems with SSL/TLS traffic should read below for how they may be affected.
The first flaw is named DROWN, which stands for Decrypting RSA with Obsolete and Weakened eNcryption. A detailed report has been produced by a research team composed of individuals from both academia and commercial firms. The DROWN team states in plain terms:
“DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.”
This means a server is vulnerable to DROWN if it:
- Allows SSLv2 connections. According to their research prior to publication, approximately 17% of public HTTPS servers still allow SSLv2 connections.
- Its private key is used on any other server that allows SSLv2 connections for any protocol.
Professor and cryptographer Matthew Green comments that this flaw is ripe for exploitation in part because “…people don't like to buy multiple certificates, a server that's configured to use both TLS and SSLv2 will generally use the same RSA private key to support both protocols.”
Compounding the effects of this vulnerability is that the DROWN team found a specific flaw in OpenSSL that combined with the DROWN vulnerability. The combination allowed them “…to perform man-in-the-middle attacks on live TLS sessions before the handshake times out, even allowing the attacker to target connections to servers that prefer non-RSA cipher suites and downgrade a modern TLS client to RSA key exchange.” These attacks were done using a single-core machine—not a multiple-GPU system or an Amazon EC2 instance -- meaning it is much easier to take advantage of versus the basic DROWN attack.
If this is not enough, a second flaw has also been announced by a separate research group. Called CacheBleed, this is “a side-channel attack that exploits information leaks through cache-bank conflicts in Intel processors.” This flaw primarily affects “cloud servers that commonly run mutually untrusting workloads…” and can be mitigated by disabling hyper-threading on the CPU. Currently the team believes that at a minimum all Intel Sandy Bridge processors are vulnerable, and older architectures such as Nehalem and Core 2 may also be vulnerable. At present, the attack is not believed to work on Intel Haswell based systems.
System administrators using the OpenBSD group’s fork of OpenSSL, called LibreSSL, are not vulnerable to the DROWN attack. However in certain circumstances it is possible to execute the CacheBleed vulnerability if the attacker has local access to the system.
Since DROWN targets SSL usage, its ill-effects are not limited to OpenSSL-based systems, and administrators of Windows systems running IIS should also review their configuration settings.
(Article revised for content and clarity March 3, 2016.)