Thread 'DROWN Attack'

Message boards : Projects : DROWN Attack
Message board moderation

To post messages, you must log in.

AuthorMessage
ProfileJord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15563
Netherlands
Message 68077 - Posted: 1 Mar 2016, 22:35:46 UTC

Something for project administrators who read here to check into, or anyone who runs their own server, really. See if your server is safe from a DROWN attack: https://drownattack.com/#

DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.

DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack.


They have a checker on the site to see if your domain is vulnerable.
David ran it on the Berkeley domain and found that BOINC and Seti@Home are not vulnerable. Phew.
ID: 68077 · Report as offensive
ProfileJord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15563
Netherlands
Message 68078 - Posted: 1 Mar 2016, 23:40:58 UTC

Additionally: https://mta.openssl.org/pipermail/openssl-announce/2016-March/000066.html

OpenSSL Security Advisory [1st March 2016]
=========================================

NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176


Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
================================================================

Severity: High

A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
known as DROWN (CVE-2016-0800).


...
ID: 68078 · Report as offensive

Message boards : Projects : DROWN Attack

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.