BT

Your opinion matters! Please fill in the InfoQ Survey!

Major SSL Vulnerability Affects OpenSSL and HTTPS server traffic

| by Jeff Martin Follow 6 Followers on Mar 06, 2016. Estimated reading time: 2 minutes |

A note to our readers: As per your request we have developed a set of features that allow you to reduce the noise, while not losing sight of anything that is important. Get email and web notifications by choosing the topics you are interested in.

Two independent security research teams have announced new critical flaws in the OpenSSL cryptographic library used by dozens of Internet applications.  Administrators using systems with OpenSSL (typically but not limited to Linux, Mac OS X, and other UNIX-based systems) should begin reviewing patches and applying them as soon as possible.  It is important to note that vulnerability to DROWN includes, but is not limited to, OpenSSL-based applications.  Those using systems with SSL/TLS traffic should read below for how they may be affected.

DROWN

The first flaw is named DROWN, which stands for Decrypting RSA with Obsolete and Weakened eNcryption.  A detailed report has been produced by a research team composed of individuals from both academia and commercial firms.  The DROWN team states in plain terms:

“DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.”

This means a server is vulnerable to DROWN if it:

  • Allows SSLv2 connections.  According to their research prior to publication, approximately 17% of public HTTPS servers still allow SSLv2 connections.
  • Its private key is used on any other server that allows SSLv2 connections for any protocol. 

Professor and cryptographer Matthew Green comments that this flaw is ripe for exploitation in part because  “…people don't like to buy multiple certificates, a server that's configured to use both TLS and SSLv2 will generally use the same RSA private key to support both protocols.”

Compounding the effects of this vulnerability is that the DROWN team found a specific flaw in OpenSSL that combined with the DROWN vulnerability.  The combination allowed them “…to perform man-in-the-middle attacks on live TLS sessions before the handshake times out, even allowing the attacker to target connections to servers that prefer non-RSA cipher suites and downgrade a modern TLS client to RSA key exchange.”  These attacks were done using a single-core machine—not a multiple-GPU system or an Amazon EC2 instance -- meaning it is much easier to take advantage of versus the basic DROWN attack.

CacheBleed

If this is not enough, a second flaw has also been announced by a separate research group.  Called CacheBleed, this is “a side-channel attack that exploits information leaks through cache-bank conflicts in Intel processors.”  This flaw primarily affects “cloud servers that commonly run mutually untrusting workloads…” and can be mitigated by disabling hyper-threading on the CPU.  Currently the team believes that at a minimum all Intel Sandy Bridge processors are vulnerable, and older architectures such as Nehalem and Core 2 may also be vulnerable.  At present, the attack is not believed to work on Intel Haswell based systems.

Summary

System administrators using the OpenBSD group’s fork of OpenSSL, called LibreSSL, are not vulnerable to the DROWN attack.  However in certain circumstances it is possible to execute the CacheBleed vulnerability if the attacker has local access to the system. 

Since DROWN targets SSL usage, its ill-effects are not limited to OpenSSL-based systems, and administrators of Windows systems running IIS should also review their configuration settings.

(Article revised for content and clarity March 3, 2016.)

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and don't miss out on content that matters to you

BT