CISOs have been warned to check servers and applications their organization uses and/or developed and cloud services they subscribe to following the discovery of a critical vulnerability in the outdated SSLv2 protocol.
The bug, dubbed DROWN — short for Decrypting RSA with Obsolete and Weakened eNcryption) — is a cross-protocol attack that affects any server that supports SSLv2 connections and also any other servers (including SMTP, IMAP, etc.) sharing the same certificate with an SSLv2 supported server.
Even if a session is encrypted with the newer and more secure TLS protocol attackers can intercept the scrambled traffic as well as impersonate a trusted cloud provider and modify traffic to and from the service if it uses SSLv2.
Any cloud provider that still supports SSLv2, or uses a private key shared with a server that supports SSLv2, is vulnerable.
Although SSLv2 is old, researchers say 17 per cent of HTTPS servers still allow SSLv2 connections.
DROWN has been labeled CVE-2016-0800 by the U.S. National Vulnerability Database.
Word of the vulnerability spread March 1, but there is some doubt over whether cloud services are moving fast enough to plug the hole. A blog this week on the website of Skyhigh Networks, a cloud access security broker, said 620 unnamed cloud services remained vulnerable, down slightly from the 653 sites discovered a week ago.
Among those fixed are Yahoo.com, according to a site established by researchers.
By comparison cloud access security broker Netskope said as of Wednesday its list of vulnerable cloud apps has dropped from 676 to 564.
Either way that number isn’t reassuring.
By the way, Netskope’s survey also found that the 676 vulnerable SaaS sites it checked also had other holes:
–73 apps were still vulnerable to FREAK attack
–42 apps were still vulnerable to Logjam attack
–38 apps were still vulnerable to OpenSSL CCS attack
–7 apps were still vulnerable to the Poodle vulnerability
That, the blog dryly suggests, indicates poor patch management by these providers.
Netskope recommends mitigating the vulnerability by disabling the support for SSLv2 immediately. That won’t help if are servers vulnerable to another bug, CVE-2015-3197, as clients can force the use of SSLv2 with EXPORT Ciphers.
Users of OpenSSL versions 1.0.2 and 1.0.1 have to install the latest patches. Microsoft IIS users should upgrade to versions 7.0 and above which has SSLv2 disabled by default.
To test if your sever is vulnerable to DROWN, Netscope recommends going to the site https://test.drownattack.com/