
We recently received an alert from the Dell SecureWorks Counter Threat Unit informing us that they are investigating a vulnerability in services that rely on Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption.

This blog post contains most of what they had to say about the issue.  We hope that this information will be valuable for you in keeping your company data secure.

DROWN Vulnerability

“The vulnerability is called the DROWN vulnerability (Decrypting RSA using Obsolete and Weakened eNcryption) and was assigned the CVE ID CVE-2016-0800. CVE-2015-3197 and CVE-2016-0703 were assigned to OpenSSL implementations that are vulnerable to DROWN attacks.

By exploiting DROWN, an attacker may be able to decrypt sensitive data sent to or from the server. This data could include usernames, passwords, and sensitive financial information. The issue affects systems that support SSLv2, which is an encryption protocol known to be vulnerable to attacks.

To exploit this vulnerability, an attacker must observe your network, but the offline computation required to obtain the secret key is modest and can be performed in several hours.

DROWN is a new form of the cross-protocol Bleichenbacher padding oracle attack. As of this publication, one-third of HTTPS websites, including one-quarter of the top million websites, are reportedly vulnerable to DROWN attacks.

Recommended actions:

  • Audit your computing infrastructure and disable SSLv2 on any systems that are configured to support it.  OpenSSL may accept an SSLv2 connection even if all of the SSLv2 ciphers have been disabled.
  • In environments that do not use SSLv2 (for example, PCI-compliant systems), action may still be required if the private key is shared with any system that supports SSLv2 encryption. In this scenario, clients should issue a new key and ensure that it is not used with any service that supports SSLv2.
  • OpenSSL users should upgrade to the latest version. Versions 1.0.1s and 1.0.2g are not vulnerable to DROWN attacks. Microsoft IIS versions 7.0 and above should have SSLv2 disabled by default.

Dell SecureWorks will also be taking action against this vulnerability.  The CTU research team is investigating the feasibility of countermeasures to detect DROWN exploit activity. Third-party devices receive updated protection as it is released from the respective vendors and deployed by Dell SecureWorks device management security teams.”
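For the audit step in the recommended actions, the following is an added example (not part of the Dell SecureWorks alert) that checks whether a host you administer still answers an SSLv2 handshake. It sends an SSLv2 ClientHello over a raw socket and reports a ServerHello even when the server lists no ciphers, which is the case the alert warns about; the function names and result labels are assumptions made for this example.

```python
import os
import socket
import struct
import sys

# SSLv2 cipher kinds (3 bytes each) offered in the ClientHello.
SSL2_CIPHERS = [
    b"\x01\x00\x80",  # RC4_128_WITH_MD5
    b"\x02\x00\x80",  # RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x06\x00\x40",  # DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # DES_192_EDE3_CBC_WITH_MD5
]

def build_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record (2-byte header, high bit set)."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSL2_CIPHERS)
    # msg type 1, version 0x0002, cipher-spec len, session-id len, challenge len
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_reply(data):
    """Classify the first bytes a server sends back to the ClientHello."""
    if len(data) < 13 or not data[0] & 0x80:
        return "sslv2-refused"  # TLS alert, SSLv2 error, or nothing at all
    # SERVER-HELLO: type, session-id-hit, cert type, version, three lengths
    msg_type, _hit, _ctype, version, _cert_len, spec_len, _conn_len = \
        struct.unpack(">BBBHHHH", data[2:13])
    if msg_type != 4 or version != 0x0002:
        return "sslv2-refused"
    # A ServerHello with no ciphers still means the protocol is enabled.
    return "sslv2-accepted" if spec_len else "sslv2-accepted-no-ciphers"

def probe(host, port=443, timeout=5.0):
    """Connect to host:port and report whether it answers SSLv2."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return classify_reply(s.recv(4096))
        except OSError:  # reset or timeout: the server did not speak SSLv2
            return "sslv2-refused"

if __name__ == "__main__" and len(sys.argv) > 1:
    print(sys.argv[1], probe(sys.argv[1]))
```

Either "accepted" result means SSLv2 should be disabled on that host, and any private key it shares with other services should be treated as described in the second recommendation.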

 

If you have any questions or concerns, please contact Advanticom for assistance.

412-385-5000
info@advanticom.com

 

References:

https://drownattack.com/

https://www.drownattack.com/drown-attack-paper.pdf

http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html

https://www.openssl.org/news/secadv/20160301.txt

https://www.openssl.org/news/secadv/20160128.txt

https://portal.secureworks.com/intel/mva?Task=ShowVuln&VulnId=144389

https://portal.secureworks.com/intel/mva?Task=ShowVuln&VulnId=144391

https://portal.secureworks.com/intel/mva?Task=ShowVuln&VulnId=143341

https://www.openssl.org/source/