Drown Attack [CVE-2016-0800]

Vulnerability Overview:

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

Details:

Many services today rely on Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption to ensure the integrity of data in transit. The ESRM research team is investigating a vulnerability in this service layer called DROWN (Decrypting RSA using Obsolete and Weakened eNcryption), which was assigned the CVE ID CVE-2016-0800.

By exploiting DROWN, an attacker may be able to decrypt potentially sensitive data sent to or from the server. This data could include usernames, passwords, and sensitive financial information. The issue affects systems that support SSLv2, which is an encryption protocol known to be vulnerable to attacks.

To exploit this vulnerability, an attacker must observe several hundred connections between the targeted client and server, and then make repeated connections to the SSLv2 server with a previously obtained, modified ciphertext. Observing how the server responds could disclose the secret key. The offline computation required to obtain the secret key is modest and can be performed in several hours. DROWN is a new form of the cross-protocol Bleichenbacher padding oracle attack.

Recommended Solution:

1. Perform a full scan of the computing infrastructure and disable SSLv2 on any systems that are configured to support it.
2. In environments that do not use SSLv2 (for example, PCI-compliant systems), issue a new key and ensure that it is not used with any service that supports SSLv2. (The private key may have been shared with systems that support SSLv2 encryption.)
3. OpenSSL users should upgrade to the latest version. Versions 1.0.1s and 1.0.2g are not vulnerable to DROWN attacks.
4. Microsoft IIS versions 7.0 and above should have SSLv2 disabled by default.
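
Steps 1 and 2 can be checked together from scan results. The following is an added example, not part of the original advisory: it flags endpoints that have SSLv2 enabled and endpoints that do not speak SSLv2 themselves but present a key that is also served by an SSLv2-enabled endpoint. The inventory format, field names, hostnames and fingerprints are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (not real hosts). Each record is one SSL/TLS
# endpoint: key_fp is a fingerprint of the RSA public key it presents, and
# sslv2 records whether a scan found SSLv2 enabled there (hypothetical fields).
INVENTORY = [
    {"endpoint": "www.example.test:443",  "key_fp": "fp-A", "sslv2": False},
    {"endpoint": "mail.example.test:25",  "key_fp": "fp-A", "sslv2": True},
    {"endpoint": "pay.example.test:443",  "key_fp": "fp-B", "sslv2": False},
    {"endpoint": "old.example.test:443",  "key_fp": "fp-C", "sslv2": True},
    {"endpoint": "imap.example.test:993", "key_fp": "fp-C", "sslv2": False},
]

def classify(inventory):
    """Return {endpoint: status}: 'sslv2-enabled', 'shared-key' or 'ok'."""
    # Index every key that is presented by at least one SSLv2-enabled endpoint.
    sslv2_by_key = defaultdict(list)
    for rec in inventory:
        if rec["sslv2"]:
            sslv2_by_key[rec["key_fp"]].append(rec["endpoint"])
    status = {}
    for rec in inventory:
        if rec["sslv2"]:
            status[rec["endpoint"]] = "sslv2-enabled"   # step 1: disable SSLv2
        elif rec["key_fp"] in sslv2_by_key:
            status[rec["endpoint"]] = "shared-key"      # step 2: key reused
        else:
            status[rec["endpoint"]] = "ok"
    return status

def remediation(inventory):
    """Return (endpoints needing SSLv2 disabled, keys to replace), sorted."""
    status = classify(inventory)
    disable = sorted(e for e, s in status.items() if s == "sslv2-enabled")
    # Any key served over SSLv2 anywhere is treated as needing replacement.
    replace = sorted({r["key_fp"] for r in inventory
                      if status[r["endpoint"]] != "ok"})
    return disable, replace

if __name__ == "__main__":
    for endpoint, state in classify(INVENTORY).items():
        print(f"{endpoint:24} {state}")
    disable, replace = remediation(INVENTORY)
    print("disable SSLv2 on:", ", ".join(disable))
    print("replace keys:", ", ".join(replace))
```

A TLS-only endpoint marked shared-key remains exposed until the SSLv2 endpoint holding the same key is fixed or the key is replaced.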

System Affected/Related OS and Version:

This issue affects:
:openssl:1.0.2a
:openssl:1.0.2b
:openssl:1.0.2c
:openssl:1.0.2d
:openssl:1.0.2e
:openssl:1.0.2f
:openssl:1.0.1f
:openssl:1.0.1g
:openssl:1.0.1h
:openssl:1.0.1i
:openssl:1.0.1j
:openssl:1.0.1k
:openssl:1.0.1l
:openssl:1.0.1m
:openssl:1.0.1n
:openssl:1.0.1o
:openssl:1.0.1p
:openssl:1.0.1q
:openssl:1.0.1r
:openssl:1.0.1
:openssl:1.0.2
:openssl:1.0.1a
:openssl:1.0.1b
:openssl:1.0.1c
:openssl:1.0.1d
:openssl:1.0.1e
:openssl:1.0.2:beta2
:openssl:1.0.1:beta3
:openssl:1.0.2:beta3
:openssl:1.0.1:beta1
:openssl:1.0.2:beta1
:openssl:1.0.1:beta2

Appendix:
External Source: MISC
https://drownattack.com
External Source: CONFIRM
https://access.redhat.com/security/vulnerabilities/drown

Threat Category: