Over 3.5 Million HTTPS servers are vulnerable to DROWN, report says

15-3-2016 21:17

According to a recent report by security researchers on the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) vulnerability, over 3.5 million HTTPS servers are estimated to be seriously affected.

An attacker can use DROWN to obtain personal communications between users and the server, including passwords, credit card numbers, usernames, e-mails, messages, important documents, etc. Attackers of HTTPS servers “can also impersonate a secure website and intercept or change the content the user sees.” The approximately 3.5 million servers at risk, or 33% of all HTTPS servers, include websites, mail services, popular sites, etc.

The report has raised awareness that third parties may be able to read encrypted communications and that anyone affected must take action to avoid becoming a victim of this attack.


According to the report, a server is vulnerable to DROWN if:

  • It allows SSLv2 connections. This is surprisingly common, due to misconfiguration and inappropriate default settings. Our measurements show that 17% of HTTPS servers still allow SSLv2 connections.


  • Its private key is used on any other server that allows SSLv2 connections, even for another protocol. Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server. When taking key reuse into account, an additional 16% of HTTPS servers are vulnerable, putting 33% of HTTPS servers at risk.

Can you prevent the attack?

Yes, you can, if you start taking action as soon as possible. One of the existing protections is to disable the SSLv2 protocol on all SSL/TLS servers, including HTTP, IMAP, POP, and SMTP servers, as NopSec CTO Michelangelo Sidagni suggested.

“Servers that have not disabled the SSLv2 protocol and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2 ciphers are nominally disabled, because malicious clients can force the use of SSLv2 with EXPORT ciphers,” Sidagni told LinuxInsider, adding that there is nothing practical web browsers can do to prevent becoming victims of the DROWN vulnerability.
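The report's two conditions and the caveat about nominally disabled ciphers, applied to a scan inventory. This is an added example, not code from the report or from this article; the inventory records, hostnames and key fingerprints are constructed, and `drown_exposure` is a hypothetical helper name.

```python
from collections import defaultdict

# Constructed inventory: one record per scanned TLS endpoint. Hostnames and key
# fingerprints are made up. "sslv2" records whether the protocol is enabled,
# "sslv2_ciphers" what the configuration lists for it.
INVENTORY = [
    {"host": "www.example.test",  "port": 443, "key": "fp-A", "sslv2": False, "sslv2_ciphers": []},
    {"host": "mail.example.test", "port": 25,  "key": "fp-A", "sslv2": True,  "sslv2_ciphers": []},
    {"host": "shop.example.test", "port": 443, "key": "fp-B", "sslv2": True,  "sslv2_ciphers": ["EXP-RC4-MD5"]},
    {"host": "api.example.test",  "port": 443, "key": "fp-C", "sslv2": False, "sslv2_ciphers": []},
]

def drown_exposure(inventory):
    """Return {(host, port): reason} for every endpoint exposed to DROWN."""
    # Pass 1: collect, per private key, the endpoints that still allow SSLv2.
    # The cipher list is deliberately ignored: an empty list is not treated as
    # "SSLv2 disabled" (the CVE-2015-3197 caveat quoted above).
    sslv2_by_key = defaultdict(list)
    for ep in inventory:
        if ep["sslv2"]:
            sslv2_by_key[ep["key"]].append((ep["host"], ep["port"]))

    # Pass 2: an endpoint is exposed if it allows SSLv2 itself, or if any other
    # endpoint holding the same key does, whatever protocol that one serves.
    findings = {}
    for ep in inventory:
        ident = (ep["host"], ep["port"])
        if ep["sslv2"]:
            findings[ident] = "allows SSLv2"
        elif sslv2_by_key[ep["key"]]:
            peers = ", ".join(f"{h}:{p}" for h, p in sslv2_by_key[ep["key"]])
            findings[ident] = f"key reused on SSLv2 endpoint {peers}"
    return findings

if __name__ == "__main__":
    for (host, port), reason in drown_exposure(INVENTORY).items():
        print(f"{host}:{port}  EXPOSED  {reason}")
```

The web server here has SSLv2 off and is still flagged, because the mail server on port 25 holds the same key with SSLv2 enabled.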

An extension of the 1998 Bleichenbacher attack, this threat should be taken seriously so that companies become fully aware of what can hurt their business and damage their image.

"Considering almost all servers on the Internet could be impacted by this attack, I would say this threat is considerably widespread or severe," TokenEx CEO Alex Pezold told LinuxInsider.

You can easily check whether your server is vulnerable to DROWN by entering your IP address here.

If you have other questions, you can check the full report here to find out how to contact the DROWN research team and to get more information on other technical details, whether you need to update your browser, what factors contribute to DROWN, and much more.

Image Sources: www.getadvanced.net, www.function1.com
