It feels like we just got over Heartbleed and there’s another branded exploit out there.
DROWN, a new vulnerability in OpenSSL that affects servers using SSLv2, was revealed today as an attack that could decrypt your secure HTTPS communications, such as passwords or credit card numbers. More than 33 percent of servers are vulnerable — significantly less than Heartbleed, but still a surprisingly high number.
Among those vulnerable at time of writing were Yahoo, Alibaba, Weibo, BuzzFeed, Weather.com, Flickr and Samsung.
The vulnerability was revealed as part of an OpenSSL update today, so a patch is already available, but exploiting the attack is fairly trivial.
In this case, DROWN allows attackers to decrypt HTTPS by sending specially crafted packets to a server or if the certificate is shared on another server, effectively performing a Man-in-the-Middle attack.
SSLv2 dates back to the 1990s and is frequently enabled by accident or automatically when setting up a new server, which is why DROWN is still a major issue.
According to the website for DROWN, the attack can take under a minute to exploit and may be actively used now that it’s been disclosed. It also places the blame for its existence on the way the U.S government weakened cryptography in the 1990s.
To defend against the attack, you should ensure SSLv2 is disabled, or make sure that the private key is not shared across any other servers. Those vulnerable don’t need to re-issue certificates, but should take action to prevent the attack immediately.