TLS/SSL vulnerabilities: CVE-2016-0800 ("DROWN") and 2016-0703


This morning the OpenSSL development team published a security advisory [1] regarding two high-impact TLS/SSL vulnerabilities.

The first vulnerability, CVE-2016-0800 and nicknamed "DROWN" (Decrypting RSA with Obsolete and Weakened eNcryption), allows for a cross-protocol attack whereby an attacker could decrypt TLS sessions between clients and hosts that support SSLv2 and "export" cipher suites [2]. CVE-2016-0800 also allows for the decryption of traffic between clients and even non-vulnerable servers, if another server supporting SSLv2 and export ciphers shares the RSA keys of the non-vulnerable server. SSLv2 was deprecated in 1996, but millions of servers around the world continue to support it due to mis-configuration. Export-grade cipher suites use deliberately weakened cryptographic techniques mandated by U.S. government restrictions in the late '90s, but many servers continue to support their use [3].

The second vulnerability, CVE-2016-0703, dramatically increases the efficiency and danger of the DROWN attack by making it effective against even the stronger, non-export-grade cipher suites with very little computation time required [4]. This vulnerability affects OpenSSL 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf [5].

While we are not yet aware of attacks underway, these vulnerabilities present the possibility that secure traffic between web and email servers could be decrypted within minutes to a few hours of computing time [6]. Man In the Middle (MITM) attacks have also been demonstrated [7]. Due to the significant risk they present, system administrators must take immediate action:

+ Servers using OpenSSL should be upgraded to 1.0.2g or 1.0.1s, which disables SSLv2 and the export cipher suites by default.
+ Servers using IIS (prior to 7.0), NSS (prior to 3.13), Apache (2.2.x), and other software should ensure that SSLv2 is fully disabled.
+ Ensure your server's private keys are not used on *any* server (HTTP, SMTP, IMAP, POP, etc.) that allows SSLv2 connections.

There are no practical steps that can be taken on client applications, such as web browsers, to protect them from this vulnerability [8].

The Information Security Office (ISO) expects to be able to scan for vulnerable campus servers this week. Once we develop a means of accurately identifying vulnerable systems, we will begin notifying TSCs and will schedule network quarantines as appropriate.

Please contact us at if you have any questions. Thank you.

Justin LaSelva
Network Security Analyst
Information Security Office
The University of Texas at Austin



See also: ISO Alerts, Security