You’ll Drown by not fixing this vulnerability

CISOs have been warned to check servers and applications their organization uses and/or developed and cloud services they subscribe to following the discovery of a critical vulnerability in the outdated SSLv2 protocol.

The bug, dubbed DROWN (short for Decrypting RSA with Obsolete and Weakened eNcryption), is a cross-protocol attack that affects any server that supports SSLv2 connections, and also any other server (including SMTP, IMAP, etc.) that shares a certificate with a server that supports SSLv2.

Even if a session is encrypted with the newer and more secure TLS protocol, attackers can intercept the scrambled traffic, as well as impersonate a trusted cloud provider and modify traffic to and from the service, if it uses SSLv2.

Any cloud provider that still supports SSLv2, or uses a private key shared with a server that supports SSLv2, is vulnerable.

Although SSLv2 is old, researchers say 17 per cent of HTTPS servers still allow SSLv2 connections.

DROWN has been labeled CVE-2016-0800 by the U.S. National Vulnerability Database.

Word of the vulnerability spread March 1, but there is some doubt over whether cloud services are moving fast enough to plug the hole. A blog this week on the website of Skyhigh Networks, a cloud access security broker, said 620 unnamed cloud services remained vulnerable, down slightly from the 653 sites discovered a week ago.

Among those fixed are Yahoo.com, according to a site established by researchers.

By comparison cloud access security broker Netskope said as of Wednesday its list of vulnerable cloud apps has dropped from 676 to 564.

Either way that number isn’t reassuring.

By the way, Netskope’s survey also found that the 676 vulnerable SaaS sites it checked also had other holes:

–73 apps were still vulnerable to FREAK attack

–42 apps were still vulnerable to Logjam attack

–38 apps were still vulnerable to OpenSSL CCS attack

–7 apps were still vulnerable to the Poodle vulnerability

That, the blog dryly suggests, indicates poor patch management by these providers.

Netskope recommends mitigating the vulnerability by disabling support for SSLv2 immediately. That won’t help if servers are also vulnerable to another bug, CVE-2015-3197, because clients can then force the use of SSLv2 with EXPORT ciphers even when SSLv2 has been disabled.

Users of OpenSSL versions 1.0.2 and 1.0.1 have to install the latest patches. Microsoft IIS users should upgrade to version 7.0 or above, which have SSLv2 disabled by default.

To test whether your server is vulnerable to DROWN, Netskope recommends going to the site https://test.drownattack.com/
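For administrators who would rather check their own hosts than submit them to a third-party site, the following is an added example (not code from the article or from Netskope) that sends a bare SSLv2 CLIENT-HELLO and reports whether the server answers with an SSLv2 SERVER-HELLO and which ciphers it offers back, flagging the 40-bit EXPORT suites mentioned above. It assumes the SSLv2 record and message layouts from the SSLv2 specification and is meant to be run only against servers you administer.

```python
import socket
import struct

# SSLv2 cipher-spec ids from the SSLv2 specification; the *EXPORT40* suites are
# the 40-bit export ciphers that CVE-2015-3197 lets a client force.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}

def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """Minimal SSLv2 CLIENT-HELLO offering every cipher in the table."""
    specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01" + b"\x00\x02"        # MSG-CLIENT-HELLO, version 0x0002
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)         # no session id
    # 2-byte record header: high bit set (no padding) + 15-bit length
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data):
    """Return (accepted, cipher names); only a well-formed SSLv2 SERVER-HELLO counts."""
    if len(data) < 13 or not data[0] & 0x80:   # TLS alert, empty reply, garbage
        return False, []
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != 0x04:      # MSG-SERVER-HELLO
        return False, []
    # session-id-hit, cert-type, version, cert-len, cipher-spec-len, conn-id-len
    _, _, version, cert_len, spec_len, _ = struct.unpack(">BBHHHH", body[1:11])
    if version != 0x0002:
        return False, []
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], "unknown")
             for i in range(0, len(specs), 3)]
    return True, names

def check_server(host, port=443, timeout=5):
    """Probe one host you administer; returns (accepted, cipher names)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except OSError:        # timeout or reset: server did not speak SSLv2
            reply = b""
    return parse_sslv2_server_hello(reply)
```

A result of `(True, [...])` means the host still accepts SSLv2 and should be fixed as described above; any name containing `EXPORT` in that list is a 40-bit suite. Remember that a server sharing its certificate with an SSLv2-speaking host is exposed even if this check returns `False` for the server itself.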

Howard Solomon