Drown attack “New Heartbleed”

A new vulnerability in OpenSSL, known as drown-attack affects servers using SSLv2, was revealed 01 March 2016, as an attack that could decrypt secure HTTPS communications, such as passwords or credit card numbers. More than 33 percent of servers are vulnerable — significantly less than Heartbleed, but still a surprisingly high number.

Among those vulnerable at the time of writing were Yahoo, Alibaba, Weibo, BuzzFeed, Weather.com, Flickr, and Samsung.The vulnerability was revealed as part of an OpenSSL update today, and a patch is already available, but exploiting the attack is fairly trivial.

In this attack, DROWN allows attackers to decrypt HTTPS by sending exceptionally made packets to a server or if the authentication is shared on another server, adequately performing a Man-in-the-Middle attack.

SSLv2 goes back to the 1990s and is often empowered coincidentally or consequently when setting up another server, which is the reason DROWN is still a noteworthy issue.

According to the website for DROWN, the attack can take under a minute to exploit and may be has been actively used now after this has been disclosed.

To defend against this attack, make sure SSLv2 is disabled, or ensure that the private key is not shared by some other servers. Those vulnerable don’t need to re-issue certificates, but should take action to prevent the attack immediately.

So what is DROWN?

DROWN is a great case of a “cross-protocol attack”. This type of attack makes utilization of bugs in one convention execution (SSLv2) to assault the security of associations made under a different protocol entirely — for this situation, TLS. More concretely, DROWN depends on the basic perception that while SSLv2 and TLS both bolster RSA encryption, TLS legitimately shields against certain understood assaults on this encryption – while SSLv2’s fare suites earnestly don’t.

Both SSLv2 and TLS use a type of RSA encryption cushioning known as RSA-PKCS#1v1.5. In the late 1990s, a man named Daniel Bleichenbacher proposed an amazing attack on this encryption conspire that permits an attacker to decode a RSA ciphertext proficiently – under the sole condition that they can request that an online server unscramble numerous related ciphertexts, and give back one and only piece of data for everyone – to be specific, the bit representing to whether decryption was effective or not.

Bleichenbacher’s attack demonstrated especially decimating for SSL servers, since the standard SSL RSA-based handshake includes the customer encrypting a secret (called the Pre-Master Secret, or PMS) under the server’s RSA public key, and after that sending this value over the wire. An attacker who listens in the encoded PMS can run the Bleichenbacher attack against the server, sending it a great many related values (in the pretense of new SSL associations), and utilizing the server’s error reactions to slowly decode the PMS itself. With this quality close by, the attacker can figure SSL session keys and decrypt the recorded SSL session.

A nice diagram of the SSL RSA handshake, courtesy Cloudflare (who don’t know I’m using it, thanks, guys!)

The primary SSL/TLS countermeasure against Bleichenbacher’s attack is fundamentally a hack. At the point when the server distinguishes that a RSA ciphertext has decrypted improperly, it lies. Rather than giving back an error, which an attacker could use to execute the attack, it creates a random pre-expert secret and proceeds with whatever remains of the protocol just as this bogus value was what it really decoded. This causes the convention to separate later on down the line, subsequent to the server will process basically an irregular session key. In any case, it’s adequate to keep the attacker from learning whether the RSA decryption succeeded or not, and that kills the attack dead.

Anti-Bleichenbacher countermeasure from the TLS 1.2 spec.

Now let’s take a moment to reflect and make an observation.

 On the off chance that the attacker sends a substantial RSA ciphertext to be decrypt, the server will decode it and acquire some PMS value. In the event that the attacker sends the same valid ciphertext a second time, the server will decode and acquire the same PMS value once more. To be sure, the server will dependably get the same PMS regardless of the possibility that the attacker sends the same substantial ciphertext a hundred times in a row.
Then again, if the attacker over and over sends the same invalid ciphertext, the server will pick an alternate PMS every time. This perception is significant.
In principle, if the attacker holds a ciphertext that may be legitimate or invalid – and the attacker might want to know which is genuine – they can send the same ciphertext to be decoded more than once. This will prompt two conceivable conditions. In condition (1) where the ciphertext is legitimate, decoding will create the “same PMS without fail”. Condition (2) for an invalid ciphertext will create an “alternate PMS every time”. In the event that the attacker could, by one means or another differentiate between condition (1) and condition (2), they could figure out if the ciphertext was substantial. That determination alone would be sufficient to revive the Bleichenbacher assault. Luckily in TLS, the PMS is never utilized specifically; it initially goes through a solid hash work and joined with a group of irregular nonces to acquire a Master Secret. This outcome then utilized as a part of further solid figures and hash capacities. Because of the quality of the hash capacity and figures, the subsequent keys are garbled to the point that the aggressor truly can’t tell whether she’s watching condition (1) or (2).
And here we finally we run into the problem of SSLv2.
SSLv2 executions incorporate a comparative hostile to Bleichenbacher countermeasure. Just here there are some key differences. In SSLv2 there is no PMS – the encrypted quality is utilized as the Master Secret and utilized straightforwardly to determine the encryption session key. In addition, in fare modes, the Master Secret might be as short as 40 bits, and utilized with correspondingly powerless export ciphers This implies an attacker can send different ciphertexts, then brute force the subsequent short keys. Subsequent to recouping these keys for a modest number of sessions, they will have the capacity to figure out if they’re in condition (1) or (2). This would successfully restore the Bleichenbacher attack.

This still sounds like an attack on SSLv2, not on TLS. What is missing? 

SSLv2 export ciphers.

And now we come to the full horror of SSLv2.

Subsequent to most servers arranged with both SSLv2 and TLS backing will utilize the same RSA private key for decoding sessions from either protocol, a Bleichenbacher attack on the SSLv2 execution – with its defenseless crappy export cipher suites – can be utilized to decrypt the substance of an ordinary TLS-based RSA ciphertext. All things considered, both conventions are utilizing the same darned secret key. Because of arranging difference in the RSA ciphertext between the two conventions, this assault doesn’t work constantly – however it works for roughly one out of a thousand TLS handshakes.

To put things briefly: with access to an entire whale of a great deal of calculation, an attacker can capture a TLS association, then at their recreation make numerous a huge number of inquiries to the SSLv2-empowered server, and decrypt that connection. The “general DROWN” attack really requires viewing around 1,000 TLS handshakes to locate a powerless RSA ciphertext, around 40,000 inquiries to the server, and around 2^50 offline from the net operations.

While the attack described above seems costly, it can be conducted in several hours and $440 on Amazon EC2. Are your banking credentials worth $440? Probably not. But someone else’s probably are. Given all the things we have ridden on TLS, it’s better for it not to be broken at all.More urgently, the reason cryptographers spend time on “impractical attacks” is that attacks always get better. And sometimes they get better fast.

While the attack described above appears to be expensive, it can be led in a few hours and $440 on Amazon EC2. Are your keeping money certifications worth $440? Most likely not. Yet, another person’s most likely are. Given every one of the things we have ridden on TLS, it’s better for it not to be broken at all.More urgently, the reason cryptographers invest time in “illogical attacks” is that attacks dependably show signs of improvement. Also, at times, they show signs of improvement quick.

The attack described above is called “General DROWN” and yes, it’s somewhat impractical. However, over the span of composing only this single paper, the DROWN specialists found a second variation of their assault that is numerous requests of greatness speedier than the general one described previously. This attack, which they call “Special DROWN” can decrypt a TLS RSA ciphertext in around one minute on a single CPU core.

This attack relies on a bug in the way OpenSSL handles SSLv2 key processing, a bug that was (inadvertently) fixed in March 2015 but remains open across the Internet. The Special DROWN bug puts DROWN squarely in the domain of script kiddies, for thousands of websites across the Internet.

So how many sites are vulnerable?

This is probably the most depressing part of the entire research project. According to wide-scale Internet scans run by the DROWN researchers, more than 2.3 million HTTPS servers with browser-trusted certificates are vulnerable to special DROWN, and 3.5 million HTTPS servers are vulnerable to General DROWN. That’s a sizeable chunk of the encrypted web, including a surprising chunk of the Chinese and Colombian Internet.

And while it is focused on the main attacks in this post, it’s worth pointing out that DROWN also affects other protocol suites, like TLS with ephemeral Diffie-Hellman and even Google’s QUIC. So these vulnerabilities should not be taken lightly.


For detail  report: Drown-Attack

To test is your site is vulnerable, you can use the DROWN researchers’ handy test.

Manish Dangol

Leave a Reply

Your email address will not be published. Required fields are marked *