SSL/TLS Vulnerability “DROWN”

Number: AV16-039
Date: 03 March 2016

Purpose

The purpose of this advisory is to bring attention to an SSL/TLS vulnerability, Decrypting RSA with Obsolete and Weakened eNcryption, “DROWN”.

Assessment

The DROWN vulnerability can be leveraged by attackers to decrypt SSL/TLS connections between a client and server allowing SSLv2.  Any type of server with SSLv2 enabled is vulnerable (including HTTPS, IMAP, POP and SMTP).  A successful attacker would be capable of obtaining a single session key for a captured TLS handshake through brute-force decryption, which would allow the captured session to be decrypted (in a timeframe of hours using cloud computing services).

In conjunction, a vulnerability in OpenSSL 1.0.2 and 1.0.11 (and earlier) would allow an attacker to reduce the brute-force decryption timeframe for a session key to minutes using commodity computer hardware.

Suggested Action

CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization’s critical services, and follow their patch management process accordingly or consider applying the workarounds.

It is recommended to use unique private keys when applicable for different servers and/or services.

References:

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca

Date modified: