DROWN is Identified as a low cost attack and it allows hackers to decrypt browser-server communication in hours to attack servers or/and users. Shockingly, this newly found vulnerability works even on TLS servers, and affected flickr.com,yahoo.com, alibaba.com, buzzfeed.com, and cnbc.com to name a few.
DROWN vulnerability and affected website list was publicly disclosed on March 1, 2016, still many websites have failed to secure their primary and subdomains. Roughly, 11 million email servers and websites were vulnerable to this attack on March 1.
What is DROWN?
Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) is a vulnerability discovered in OpenSSL. This allows attackers to decrypt secure HTTPS browser to server communication.
Researchers from Münster University of Applied Sciences, Department of Electrical Engineering, Horst Görtz Institute for IT security, Ruhr University Bochum, Hashcat Project, University of Pennsylvania, Tel Aviv University, University of Michigan Google/OpenSSL, and Two Sigma/OpenSSL uncovered the vulnerability.
Notably, DROWN attack targets SSLv2, an old and deprecated encryption protocol. SSLv2 had a reputation of being badly insecure even in the 90s and was soon discarded to secure user to server communications. Even though most of the modern day web servers and websites do not use the TLS encryption protocol, many servers can still support SSLv2 due to default settings and misconfiguration.
Hijacking the user to browser communication means that attackers can get their hands on whatever is being sent. This includes documents, instant messages, emails, credit card numbers, passwords, usernames, and other sensitive information.
However, the exploitation risks are not limited to stealing sensitive information. Attackers can use it to reach the website server or impersonate secure website or messages to users.
Vulnerable to DROWN attacks?
Incase your server allows SSLv2 connections and is not protected by web application firewall, it is bound to be vulnerable to DROWN attacks. Administrators might be unaware of default setting issues and other misconfigurations even if they are certain of discarding support for SSLv2.
Hackers can also exploit DROWN even if you allow private keys on any other server that might support SSLv2. This is extremely critical for email service providers, who often use the same cert on their email and web servers.
More details can be found at https://drownattack.com/
Categorised in: Security
This post was written by Prime Research Team