The DROWN Attack
The new SSL vulnerability, dubbed DROWN as if to promote the hype, is gaining attention as if the sky is falling. I wanted to take a moment to make sure you understand its potential impact on your business and hopefully show you that it is not quite falling yet. In my fairly educated opinion, SSL vulnerabilities like DROWN may have a significant impact potential, but the risk associated with them to your business is frequently a lot more tolerable due to the finer details. Here are some points as to why.
- One of the most important factors that is frequently underestimated is the fact that mere support by the server of a deprecated protocol like SSLv2 doesn’t mean the protocol gets used. Modern browsers actually will not allow a connection to a server that can speak only SSLv2. That is why POODLE vulnerability was a dud – you needed SSLv2 conversation to exploit. With DROWN this is not the case though, so it is a bit higher impact. Allegedly, with DROWN the attacker can extract the private key from the server by deluging it with SSLv2 requests, and then use the key to decrypt a client/server conversation, even if it was encrypted with a more modern protocol. A good description of the actual effort required can be found here.
- With these types of vulnerabilities the attacker needs to be in the middle, between the client and the server. I cannot sit at a café and attack your server using DROWN. I would have to be somewhere next to a valid user who has established a connection to your server, and then I would have to snoop and record a fairly significant amount of traffic. This is most likely to happen with a shared WiFi connection. So, in short, this attack becomes more likely to be opportunistic than targeted.
- One has to understand what is at risk. At a basic level, the content of the conversations the attacker has recorded is potentially readable, so perhaps logon credentials exposure poses the highest risk. The exposure is limited to what was said in those recorded sessions.
In conclusion, unlike Heartbleed, DROWN is not something one can use to just go hack your server. There are enough factors to keep the resulting risk down. This means that while you should fix this vulnerability, it is not something that has to be completed at a drop of a hat with all the potential side effects. Proper planning and execution are in order.
Lastly, let me point you to a great tool to test your web servers for SSL problems in general. I have used it extensively in the past. While, in my opinion, it tends to overstate the risk, it does give you a good picture of how your server looks to the outside world.
If you have any questions about this or other information security issues, please feel free to contact us at Winxnet Security. We are here to help you keep your stay secure enough to keep your business running, and keep you protected from both the cyberattacks and unnecessary media hype.