Tech Solvency / The Story So Far / DROWN Attack on SSLv2 (CVE-2016-0800)

Briefing

• All flavors of SSLv2 appear to be affected - Windows, OpenSSL, BoringSSL, LibreSSL, etc.
• If SSLv2 was enabled, non-SSL (TLS) traffic recorded in the past can be decrypted - unless forward secrecy was used on that TLS traffic
• If SSLv2 was enabled on any system that share the same RSA key, traffic of otherwise completely unrelated systems can be decrypted
• Just disabling SSLv2 ciphers (only option on some legacy platforms) is not sufficient for OpenSSL versions prior to 1.0.2f and 1.0.1r; see CVE-2015-3197
• Key is not compromised.
• Remember that HTTPS on 443 is not the only affected platform - consider non-443 HTTPS, SMTP STARTTLS, etc.
• [WIP]

Summaries

• Announcement (and a local cached copy)
• OpenSSL patch announcement
• OpenSSL blog post
• Bulletproof TLS Newsletter
• SANS ISC Diary
• CERT KB
• Qualys blog (Ivan Ristic)

Vulnerabilities

• DROWN attackers can decrypt sessions recorded in the past. - OpenSSL team
• SSLv2 vulnerability can be used to compromise TLS colocated on the same system or sharing configuration

Analysis

• Red Hat
• Matthew Green
• Ars Technica

Remediation

• IIS: https://www.nartac.com/Products/IISCrypto
• Apache mod_ssl: SSLProtocol all -SSLv2 -SSLv3
• nginx: ssl_protocols TLSv1 TLSv1.1 TLSv1.2
• Postfix: see https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/

If running Apache, seriously consider turning on SSL logging in advance everywhere that you can. This will build up a history of which clients are negotiating which protocols and ciphers, to inform decision-making for the next fire.

SSLOptions +StdEnvVars
CustomLog /path/to/ssl.log  "%t %h %{REMOTE_USER}x \"%{User-agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x "

Enabling SSL protocol and cipher logging is also very useful for tracking how improvements in cipher order affect your customers over time.

Products

Affected

• Just about everything ... if you have SSLv2 enabled.
• Amazon AWS
• Debian

Not affected

• Amazon AWS

Detection and testers

• Online testing site from the discoverers. Not a live test - serves up results from a bulk scan, so very fast, but this tester cannot be used to verify remediation.
• python scanner, from the discovering research team
• Qualys general tester - will show SSLv2
• Qualys general tester (DEV version) - does a live test, and also incorporates censys.io SSLv2 info
• Lists of Alaskan hosts running SSLv2 and potentially affected by DROWN: Qualys SSL Labs from October-January, and Nmap detection of SSLv2 2016-03-02. Also check the Alaska TLS/SSL Matrix as a cross-check.
  Note that just disabling all SSLv2 ciphers will not work for OpenSSL versions prior to 1.0.2f and 1.0.1r; see CVE-2015-3197
• Nmap, just SSLv2:
  nmap -T5 -p 443 --script=sslv2 -iL ${file-of-hosts} -oA ${output-file-prefix}
  (but do not assume that all of your SSL is on port 443!)
• Nmap, deeper (all ciphers, etc.):
  nmap -T5 -p 443 --script=ssl-enum-ciphers -iL ${file-of-hosts} -oA ${output-file-prefix}
  (but do not assume that all of your SSL is on port 443!)
• ULeak tester

Exploitation

No public exploits yet known, as of 2016-03-02.
The DROWN attack is nuanced and non-trivial to implement, so we will likely not see immediate exploitation. - OpenSSL team, 2016-03-01

News and posts

• Hacker News
• Threatpost
• The Register< and chastising us for still having SSLv2 after POODLE
• Slashdot
• BBC

Return to The Story So Far (list of notable security events)