"If the conditions are right, the same SSL v2 flaw can be used for real-time MITM attacks and even against servers that don't support the RSA key exchange at all," Ristic said.
OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf released in March 2015 and later are not vulnerable to this efficient version of the Drown attack. The March 2015 update had refactored the code containing the vulnerability in order to fix a different flaw (CVE-2015-0293), and thus had closed the avenue of attack.
In the latest update, OpenSSL disabled the SSL v2 protocol by default and removed SSL v2 EXPORT ciphers. Administrators are urged to update vulnerable versions of OpenSSL as soon as possible.
"Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS servers, if they've not done so already," the OpenSSL project team wrote in its security advisory.
Details on the OpenSSL update
According to the OpenSSL advisory, there are some caveats for servers running vulnerable versions of OpenSSL. For servers running OpenSSL 1.0.1r or 1.0.2f or later, just disabling all SSLv2 ciphers is sufficient. For older versions, disabling the ciphers won't be enough because malicious clients can force the server to use SSL v2 using EXPORT ciphers. In those cases, SSL v2 must be disabled as well.
The latest versions of OpenSSL, 1.0.2g and 1.0.1s, disable SSL v2 at build time by default. To enable SSL v2, the build must be manually configured with "enable-ssl2." Even if the build is manually configured with SSL v2, applications still have to make explicit calls to enable it, which makes it even more difficult to request SSL v2 sessions. The SSLv2 40-bit EXPORT ciphers and SSLv2 56-bit DES are no longer available. Weak ciphers in SSLv3 and up are also disabled.
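A small shell check, added here and not part of the article or of OpenSSL's own tooling, that turns the thresholds above into a decision: given an `openssl version` string it reports whether SSL v2 is off by default, whether removing the SSLv2 ciphers is enough, or whether the protocol itself must be disabled. The function names and output labels are my own, the version-string shape (major.minor.fix plus an optional letter suffix) is assumed, and it goes one step beyond the text by labelling 1.1.0 and later, which removed SSL v2 entirely, separately.

```shell
#!/bin/sh
# Added example (not code from the article or the OpenSSL project): classify an
# `openssl version` string such as "1.0.2g" against the advisory's thresholds.
# Assumes the usual form "major.minor.fix" plus an optional letter suffix.

# Map a letter suffix ("", "g", "zf") to a number so that "" < "a" < "z" < "za".
suffix_value() {
    s="$1"; n=0
    while [ -n "$s" ]; do
        c="${s%"${s#?}"}"                            # first character
        case "$c" in [a-z]) ;; *) break ;; esac      # stop at "-fips" and the like
        n=$(( n * 27 + $(printf '%d' "'$c") - 96 ))  # a=1 ... z=26
        s="${s#?}"
    done
    echo "$n"
}

# version_ge A B: succeed if OpenSSL version A is the same as or newer than B.
version_ge() {
    abase="${1%%[a-z]*}"; bbase="${2%%[a-z]*}"
    asuf=$(suffix_value "${1#"$abase"}"); bsuf=$(suffix_value "${2#"$bbase"}")
    arest="${abase#*.}"; brest="${bbase#*.}"
    for pair in "${abase%%.*} ${bbase%%.*}" "${arest%%.*} ${brest%%.*}" \
                "${arest#*.} ${brest#*.}" "$asuf $bsuf"; do
        set -- $pair                 # compare one field at a time, numerically
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}

# Print the remediation the advisory prescribes for the given OpenSSL version:
#   sslv2-off-by-default   1.0.2g / 1.0.1s and later (unless built with enable-ssl2)
#   disable-sslv2-ciphers  1.0.2f / 1.0.1r and later: dropping SSLv2 ciphers suffices
#   disable-sslv2-protocol older: EXPORT ciphers can still force SSLv2, disable it
drown_remediation() {
    base="${1%%[a-z]*}"
    case "$base" in
        1.0.2) off_by_default=1.0.2g; ciphers_enough=1.0.2f ;;
        1.0.1) off_by_default=1.0.1s; ciphers_enough=1.0.1r ;;
        *) # 1.1.0 and later removed SSLv2 altogether; 1.0.0/0.9.8 predate the fix
           version_ge "$base" 1.0.3 && echo sslv2-removed || echo disable-sslv2-protocol
           return ;;
    esac
    if   version_ge "$1" "$off_by_default"; then echo sslv2-off-by-default
    elif version_ge "$1" "$ciphers_enough"; then echo disable-sslv2-ciphers
    else echo disable-sslv2-protocol
    fi
}
```

Run it against the local binary with `drown_remediation "$(openssl version | awk '{print $2}')"`; a build reported as off by default still needs checking for the "enable-ssl2" configure option.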
The OpenSSL update also addressed five other low-severity vulnerabilities: a double-free bug (CVE-2016-0705) that could lead to a denial-of-service attack or memory corruption for applications receiving DSA private keys from untrusted sources; a memory leak in the SRP database lookup method SRP_VBASE_get_by_user (CVE-2016-0798); a side-channel attack that makes use of cache-bank conflicts on the Intel Sandy Bridge microarchitecture (CVE-2016-0702); memory issues in the BIO_*printf functions (CVE-2016-0799); and a null pointer dereference/heap corruption in the BN_hex2bn function (CVE-2016-0797).
The side-channel attack was reported by the same team of researchers who uncovered Drown. This attack could also lead to the recovery of RSA keys, but the ability to exploit the attack was "limited as it relies on an attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions," the advisory said.
There is a tendency to keep older versions of technology around just in case: just in case someone needs to use it, just in case a process relies on it. The thinking that it is harmless as long as it's not used by default (or by browsers) is putting the security of online communications at risk. Drown joins the ranks of the previously discovered Logjam and FREAK in showing that even obsolete protocols can be abused.
"In the future we must ensure that all obsolete crypto is aggressively removed from all systems. If it's not, it's going to come back to bite us, sooner or later," Ristic said.