The DROWN Attack: What You Need To Know

With the release of scheduled security updates for OpenSSL earlier today details of a new high severity cryptographic vulnerability were disclosed.

This weakness relies upon an outdated encryption protocol namely SSLv2 (Secure Sockets Layer version 2). SSLv2 does not have the ability to defend against a known cryptographic attack specifically the Bleichenbacher attack. Using this method an attacker could obtain the RSA private key used to secure the connection between a client (usually a user/consumer) and the server (e.g. a website). If a server that uses a modern protocol such as TLS (TLS/SSL are discussed in a previous blog post and within this Sophos podcast) also uses SSLv2 this attack could be used to obtain the RSA private key (defined) used to secure the connection even when the user’s session is using TLS.

While the original Bleichenbacher attack would still take an impractical amount of computing power to complete; the researchers who responsibly disclosed (defined) this issue to the OpenSSL project (and others) have further refined the attack so that a much smaller number of secured connections would be needed to be set up in order to attempt to brute force (defined) the RSA private key. As OpenSSL explained in their blog post this attack could be completed in several hours using $440 USD of cloud computing power from Amazon’s EC2.

Why Should These Issues Be Considered Important?
It’s estimated that up to 3.5 million servers on the internet are vulnerable to the more general form of DROWN attack disclosed today. A further 2.5 million servers are vulnerable to a specific form of the DROWN attack (that was patched/addressed in March 2015).

This means that some of your favourite websites that use secured connections may be vulnerable to this issue and your private data being exchanged with that website has the potential to be no longer private.

Further technical details of this attack are available on the specifically created website detailing the attack. Background information and high level explanations of the attack are available from Matthew Green’s blog post, OpenSSL’s blog post and from Kaspersky ThreatPost. Very clear but short explanations are available from this Trend Micro blog post and this Sophos Security blog post.

How Can I Protect Myself from These Issues?
The DROWN attack can be further broken down into both general and special cases (thus my use of “These” in the above headings) described in Matthew Green’s blog post.

Update: 3rd March 2016:

With regard to the website vulnerability checker (mentioned below) that the DROWN attack website provides, you may want to read the explanation provided at the end of this Sophos Security blog post for an important clarification/explanation of how that tool works.

To check if your favourite websites are vulnerable you can review a compiled list here or enter the domain of the website you visit to test it e.g. into the “Check for DROWN vulnerability” box found on the DROWN attack website. This blog hosted on is not vulnerable.

You should also review the Q&A page of the DROWN attack website and if you administer a webserver e.g., Apache you should follow the steps within OpenSSL’s blog post to resolve these issues. Steps are also provided for nginx and Postfix users. If you are using any version of OpenSSL prior to 1.0.1s or 1.0.2g, please strongly consider upgrading to the most appropriate updated version of OpenSSL for your environment as soon as possible. OpenSSL’s security advisory for these versions is available here.

Update: 6th March 2016:
Further information on the specific versions of Nginx, NSS, Postfix and Apache versions affected by DROWN are listed in Symantec’s blog post including further advice specific to those products. Qualys also provides insights on detecting/tracking the progress of patching your servers against this attack.

Update: 12th March 2016:
The Symantec link provided above also references Symantec’s CryptoReport tool which can be used to test your website or any website that you visit to check if it is affected by this vulnerability. This tool from Qualys offers similar functionality.

Moreover; U.S CERT provides comprehensive mitigations steps/advice in their vulnerability note on this attack.

Please note that the OpenSSL updates today address 7 other security issues (excluding DROWN) (CVEs, defined) of the following severities:

1x high severity
1x moderate severity (assigned CVE-2016-0704: which also relates to the DROWN attack)
5x low severity
To resolve these issues please update your OpenSSL installations to 1.0.1s or 1.0.2g (as appropriate).

  • FTP mirrors to obtain the necessary downloads are available from here.
  • Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

I hope that the above advice assists you in securing your servers and computer systems from this new attack. I will update this post as more information become available.

Thank you.

Cellos: [2016/03/02] On the announcement of DROWN attack and CacheBleed

ThreatPost: DROWN Vulnerability Remains ‘High’ Risk, Firms Say

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.