Red Hat Customer Portal


DROWN - Cross-protocol attack on TLS using SSLv2 - CVE-2016-0800

Status: Ongoing
Impact: Important

Red Hat Product Security has been made aware of a vulnerability in the SSLv2 protocol, which has been assigned CVE-2016-0800 and is used in a cross-protocol attack referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. This issue has been rated as Important.

Background Information

A group of security researchers discovered that SSLv2 (Secure Sockets Layer protocol version 2.0) is vulnerable to the Bleichenbacher RSA padding oracle attack, which can be used to decrypt RSA ciphertext without knowledge of the matching private RSA key. This is done by observing the responses of a server that holds the private key and uses it to decrypt attacker-provided ciphertexts. The researchers also demonstrated a new cross-protocol attack that uses this SSLv2 weakness to decrypt SSL/TLS sessions established with newer protocol versions: SSLv3 or any current TLS (Transport Layer Security) version (1.0 - 1.2). This flaw is an SSLv2 protocol issue and affects all implementations of the protocol. The researchers refer to this attack as general DROWN.

Additionally, flaws were found in the SSLv2 protocol implementation in the OpenSSL cryptography and SSL/TLS library which make it possible to perform a more efficient variant of the DROWN attack, referred to as special DROWN. These issues were assigned CVE-2016-0703 and CVE-2016-0704, and had already been corrected as part of the fix for CVE-2015-0293.

Further details of this attack can be found in the researchers' paper, DROWN: Breaking TLS using SSLv2, at https://drownattack.com/.

Acknowledgments

Red Hat would like to thank the OpenSSL project for reporting these issues. Upstream acknowledges Nimrod Aviram and Sebastian Schinzel as the original reporters.


Impacted Products

This issue has been rated as having Important impact by Red Hat Product Security.

The following Red Hat Product versions are impacted:

  • Red Hat Enterprise Linux 4*
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat JBoss Enterprise Web Server 2.1.0
  • Red Hat JBoss Enterprise Web Server 3.0
  • Red Hat JBoss Enterprise Application Platform 6

No version of NSS shipped with Red Hat Enterprise Linux 5, 6, or 7 is affected by this vulnerability.

*An active ELS subscription is required for access to this patch in RHEL 4. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active ELS subscription.

What is the Red Hat Enterprise Linux Extended Life Cycle Support Add-On (ELS)?

Impact to systems

A server is vulnerable to the DROWN attack if it enables the SSLv2 protocol in addition to SSLv3 or TLSv1.x and uses RSA key exchange cipher suites. A server that does not enable SSLv2 can also be vulnerable if it shares its private RSA key with another server that does. For example, the DROWN attack can still be used to decrypt HTTPS sessions to a web server that does not enable SSLv2 if that server shares its RSA key with, e.g., an IMAP server, possibly running on the same host, that does enable SSLv2. Use of weak or export SSLv2 ciphers is required to perform the attack efficiently.

SSL/TLS connections using non-RSA key exchange, such as Diffie-Hellman or Elliptic Curve Diffie-Hellman, cannot be decrypted using the DROWN attack.


What configurations are vulnerable to this attack?

  • TLS servers which support SSLv2 are vulnerable. Most daemons capable of communicating over TLS in Red Hat Enterprise Linux are linked against the OpenSSL cryptographic library. OpenSSL removed SSLv2 cipher suites from its default cipher list in openssl-1.0.0; Red Hat Enterprise Linux 6 and 7 ship openssl-1.0.1e, which contains this change. However, it was found that OpenSSL servers did not check that the cipher suite chosen by the client was among those advertised in the ServerHello handshake message, so an export SSLv2 cipher suite could be negotiated even if it had been explicitly disabled, provided the SSLv2 protocol itself was still enabled. That flaw was assigned CVE-2015-3197 and is fixed by the security advisories listed in the Updates for Affected Products section below.

  • The NSS (Network Security Services) library available in Red Hat Enterprise Linux does not enable SSLv2 by default.

  • Services which do not use SSLv2, but share their RSA keys with services that do support SSLv2, are also vulnerable.

  • This attack can only be conducted if RSA key exchange cipher suites are enabled on the server. Cipher suites using other key exchange methods, such as (ephemeral) Diffie-Hellman or Elliptic Curve Diffie-Hellman, are not vulnerable.

  • Lastly, the attack can be conducted in real time against OpenSSL servers which are vulnerable to CVE-2015-0293. This security flaw was previously addressed by RHSA-2015:0800 for Red Hat Enterprise Linux 5, RHSA-2015:0715 for Red Hat Enterprise Linux 6 and RHSA-2015:0716 for Red Hat Enterprise Linux 7. This attack, which combines the SSLv2 protocol flaw and the OpenSSL implementation flaw, is dubbed Special DROWN.
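The conditions above can be tested directly rather than inferred from package versions. The following Python script is an added example for this page; it is not Red Hat's DROWN-test.sh and not part of the advisory. It builds an SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind, decodes the SSLv2 SERVER-HELLO a still-SSLv2-capable server returns, and reports which of the offered kinds are the 40-bit export or single-DES kinds that make the attack efficient. Message layouts and cipher-kind codes follow the SSLv2 specification; the SERVER-HELLO builder exists only to produce a constructed sample for offline use (a real server sends its DER certificate), and probe() assumes a host and port you supply.

```python
"""SSLv2 probe: does a server still answer SSLv2, and with which cipher kinds?"""
import os
import socket
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each) as defined in the SSLv2 specification.
CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# 40-bit export and single-DES kinds: their presence is what makes DROWN cheap.
WEAK_KINDS = {b"\x02\x00\x80", b"\x04\x00\x80", b"\x06\x00\x40"}


def _record(body):
    """Wrap a message in the 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(kinds=tuple(CIPHER_KINDS), challenge=None):
    """CLIENT-HELLO: type 1, version 0x0002, spec/session-id/challenge lengths, payloads."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(kinds)
    body = (b"\x01\x00\x02"
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return _record(body)


def build_server_hello(cert, kinds, conn_id):
    """Constructed SERVER-HELLO for offline testing; a real server sends its DER certificate."""
    specs = b"".join(kinds)
    body = (b"\x04"            # SERVER-HELLO
            + b"\x00"          # session-id-hit: no
            + b"\x01"          # certificate-type: X.509
            + struct.pack(">HHHH", 0x0002, len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return _record(body)


def parse_server_hello(data):
    """Decode an SSLv2 SERVER-HELLO; raises ValueError for anything else (e.g. a TLS alert)."""
    if len(data) < 2:
        raise ValueError("short read")
    if data[0] & 0x80:                       # 2-byte header, no padding
        length, hdr = struct.unpack(">H", data[:2])[0] & 0x7FFF, 2
    else:                                    # 3-byte header carries a padding length
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[hdr:hdr + length]
    if len(body) < 11 or body[0] != 0x04:
        raise ValueError("not an SSLv2 SERVER-HELLO (first byte %r)" % body[:1])
    hit, cert_type, version, cert_len, spec_len, conn_len = struct.unpack(">BBHHHH", body[1:11])
    off = 11
    cert = body[off:off + cert_len]
    off += cert_len
    specs = body[off:off + spec_len]
    off += spec_len
    conn_id = body[off:off + conn_len]
    if len(cert) != cert_len or len(specs) != spec_len or len(conn_id) != conn_len:
        raise ValueError("truncated SERVER-HELLO")
    kinds = [specs[i:i + 3] for i in range(0, spec_len, 3)]
    return {
        "version": version,
        "session_id_hit": bool(hit),
        "certificate_type": cert_type,
        "certificate": cert,
        "cipher_kinds": [CIPHER_KINDS.get(k, k.hex()) for k in kinds],
        "weak_cipher_kinds": [CIPHER_KINDS[k] for k in kinds if k in WEAK_KINDS],
    }


def probe(host, port=443, timeout=5.0):
    """Offer every SSLv2 kind to host:port and return the parsed SERVER-HELLO.

    Returns None when the server does not speak SSLv2 (connection closed, TLS
    alert, or non-SSLv2 bytes). Hypothetical usage: probe("imap.example.net", 993).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(16384)
        except socket.timeout:
            return None
    try:
        return parse_server_hello(data)
    except ValueError:
        return None
```

A non-empty weak_cipher_kinds list on any SSLv2-speaking port is the efficient-DROWN condition; an empty list with SSLv2 still answering is the general-DROWN condition. The certificate field is the DER certificate the SSLv2 service presents, so comparing its public key with the one a TLS-only service on another port uses tells you whether that service is exposed through a shared key, as the Impact to systems section describes.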

Frequently Asked Questions

Is SSLv2 enabled in the versions of Apache httpd web server shipped with Red Hat products?

The Apache httpd web server can use one of the following modules to provide HTTPS service:

  • mod_ssl - This module uses OpenSSL cryptographic library and is included as part of the Apache httpd web server distribution.
  • mod_nss - This module uses NSS cryptographic library and is developed and distributed separate from the Apache httpd project.

Both of these modules are included in Red Hat products.

The default settings for httpd using mod_ssl are:

  • The httpd versions shipped with Red Hat Enterprise Linux 7, in the httpd24 collection in Red Hat Software Collections, and with Red Hat JBoss Web Server 3 are based on upstream httpd version 2.4 and cannot be configured to enable the SSLv2 protocol.

  • The httpd versions shipped with Red Hat Enterprise Linux 5 and 6, Red Hat JBoss Web Server 1 and 2, and Red Hat JBoss Enterprise Application Platform 6 are based on upstream httpd versions 2.2. Those versions can be configured to use SSLv2, however that protocol is disabled in the default configuration. The /etc/httpd/conf.d/ssl.conf configuration file includes the following configuration directive that disables SSLv2:

SSLProtocol all -SSLv2

  • The httpd versions shipped with Red Hat Enterprise Linux 4 are based on upstream httpd versions 2.0. The default configuration enables SSLv2, which can be disabled by adding the SSLProtocol directive as listed above to the /etc/httpd/conf.d/ssl.conf configuration file and restarting the httpd service.

The default settings for httpd using mod_nss are:

  • The mod_nss versions shipped with Red Hat Enterprise Linux 5, 6, and 7 do not enable SSLv2 by default. The /etc/httpd/conf.d/nss.conf configuration file includes, depending on the mod_nss package version, one of the following configuration directives that only enable SSLv3 or later, or TLSv1.0 or later:
NSSProtocol SSLv3,TLSv1
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2


How to disable SSLv2 in application X?

Refer to the knowledge base article "Securing Application 'X' in RHEL 'Y'?" for information on how to change SSL/TLS related settings, such as enabled protocol versions, in the various applications shipped with the various Red Hat Enterprise Linux versions.


Related Issues


Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703) Severity: Moderate

It was discovered that SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated a non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.

Bleichenbacher oracle in SSLv2 (CVE-2016-0704) Severity: Moderate

It was discovered that the SSLv2 protocol implementation in OpenSSL did not properly implement the Bleichenbacher protection for export cipher suites. An attacker could use an SSLv2 server using OpenSSL as a Bleichenbacher oracle.

Take Action

Red Hat recommends that customers conduct a risk-based prioritization analysis of their affected systems and immediately apply available patches to remediate the issue. Rebooting the system after updating is the safest way to ensure all affected services use the updated SSL library. If a reboot is not possible, all network services that depend on OpenSSL must be restarted after applying the patches; a process that keeps running with the old library mapped in memory remains vulnerable even though the RPM on disk is fixed.
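Which services still need that restart can be determined instead of guessed. The following Python script is an added example, not Red Hat's DROWN-test.sh or any other Red Hat tooling: on Linux, a process that still maps a library file that was replaced on disk by the update shows that mapping in /proc/PID/maps with a "(deleted)" suffix, so listing libssl/libcrypto mappings of that kind names exactly the processes running the old code. The maps excerpt embedded below is constructed for illustration; the live scan needs root to see every process.

```python
"""Find running processes that still map a replaced (updated) OpenSSL library."""
import os
import re

# Constructed excerpt in /proc/<pid>/maps format: two mappings of the old
# OpenSSL files that have been replaced on disk, plus an unrelated library
# and an anonymous mapping, as they would appear on a RHEL 6/7 host.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 fd:01 1311234   /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c1c0000-7f3a1c3bf000 ---p 001c0000 fd:01 1311234   /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1b000000-7f3a1b200000 r-xp 00000000 fd:01 1311200   /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1a000000-7f3a1a020000 r-xp 00000000 fd:01 1309876   /usr/lib64/libz.so.1.2.7
7ffd2c1f0000-7ffd2c211000 rw-p 00000000 00:00 0         [stack]
"""

# Matches the OpenSSL shared objects by basename, whatever version suffix they carry.
_OPENSSL_LIB = re.compile(r"/lib(ssl|crypto)\.so(\.[\w.]*)?$")
_DELETED = " (deleted)"


def stale_ssl_libs(maps_text):
    """Return sorted, de-duplicated OpenSSL library paths mapped from deleted files."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # address perms offset dev inode [path]
        if len(fields) < 6:
            continue                          # anonymous mapping, no path
        path = fields[5].strip()
        if not path.endswith(_DELETED):
            continue                          # file on disk is still the mapped one
        path = path[:-len(_DELETED)]
        if _OPENSSL_LIB.search(path):
            found.add(path)
    return sorted(found)


def scan_running_processes(proc="/proc"):
    """Map pid -> (command name, stale OpenSSL libs) for every readable process."""
    result = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "maps")) as f:
                libs = stale_ssl_libs(f.read())
            if libs:
                with open(os.path.join(proc, pid, "comm")) as f:
                    comm = f.read().strip()
                result[int(pid)] = (comm, libs)
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue                          # process exited, or not ours to inspect
    return result


if __name__ == "__main__":
    for pid, (comm, libs) in sorted(scan_running_processes().items()):
        print("%d %s still maps: %s" % (pid, comm, ", ".join(libs)))
```

An empty result after the update and restarts is the confirmation that no daemon is still running the old library; anything listed is a service to restart (or a host to reboot).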

Updates for Affected Products

Product | Package | Advisory
Red Hat Enterprise Linux 4 - Extended Lifecycle Support* | openssl-0.9.7a-43.23.el4 | RHSA-2016:0306
Red Hat Enterprise Linux 5 | openssl-0.9.8e-39.el5_11 | RHSA-2016:0302
Red Hat Enterprise Linux 5.6 Long Life | openssl-0.9.8e-12.el5_6.13 | RHSA-2016:0304
Red Hat Enterprise Linux 5.9 Long Life | openssl-0.9.8e-26.el5_9.5 | RHSA-2016:0304
Red Hat Enterprise Linux 6 | openssl-1.0.1e-42.el6_7.4 | RHSA-2016:0301
Red Hat Enterprise Linux 6.2 Advanced Update Support** | openssl-1.0.0-20.el6_2.8 | RHSA-2016:0303
Red Hat Enterprise Linux 6.4 Advanced Update Support** | openssl-1.0.0-27.el6_4.5 | RHSA-2016:0303
Red Hat Enterprise Linux 6.5 Advanced Update Support** | openssl-1.0.1e-16.el6_5.16 | RHSA-2016:0303
Red Hat Enterprise Linux 6.6 Extended Update Support | openssl-1.0.1e-30.el6_6.12 | RHSA-2016:0305
Red Hat Enterprise Linux 7 | openssl-1.0.1e-51.el7_2.4 | RHSA-2016:0301
Red Hat Enterprise Linux 7.1 Extended Update Support | openssl-1.0.1e-42.el7_1.10, openssl-1.0.1e-42.ael7b_1.10 | RHSA-2016:0305
Red Hat JBoss Web Server 2 | openssl | Patch Pending
Red Hat JBoss Web Server 3 | openssl | Patch Pending
Red Hat JBoss Enterprise Application Platform 6 | openssl | Patch Pending

*An active ELS subscription is required for access to this patch in RHEL 4. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active ELS subscription.

What is the Red Hat Enterprise Linux Extended Life Cycle Support Add-On (ELS)?

**An active AUS subscription is required for access to this patch in RHEL 6.X AUS.

Additional Information

SSLv2 in OpenSSL

Applications using OpenSSL have to select a connection method to inform the library which SSL/TLS protocol versions they want to use. OpenSSL connection methods either enable a single protocol version, or the special SSLv23 method can be used to enable all protocol versions supported by the library. This is the most commonly used connection method, and the SSLv2 protocol is automatically enabled when it is selected. Applications have to explicitly set the SSL_OP_NO_SSLv2 option on the relevant SSL_CTX or SSL objects to disable SSLv2. While many applications do that, either unconditionally or based on their configuration, other applications use the default set of enabled protocols. Applications using the OpenSSL library are therefore likely to run with SSLv2 enabled.

The following changes were applied to OpenSSL included in Red Hat products to address this issue:

  • SSLv2 is no longer enabled by default when using the SSLv23 connection method.
  • All SSLv2 cipher suites using 40 bit (EXPORT) or 56 bit (single DES) symmetric encryption keys are now disabled and can no longer be used. The following cipher suites are no longer available:
    • EXP-RC2-CBC-MD5 / SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    • EXP-RC4-MD5 / SSL_CK_RC4_128_EXPORT40_WITH_MD5
    • DES-CBC-MD5 / SSL_CK_DES_64_CBC_WITH_MD5
  • The OpenSSL versions in the openssl packages in all updates for Red Hat Enterprise Linux 4 and 5 now check the OPENSSL_ENABLE_SSL2 environment variable; if it is defined, SSLv2 is enabled by default when using the SSLv23 connection method. This environment variable can be used to re-enable SSLv2 if needed.

The SSLv2 connection method is not affected by the change to the SSLv23 connection method and can still be used to establish connections using SSLv2 protocol.

Also note that while the DEFAULT cipher list in OpenSSL versions as shipped in Red Hat Enterprise Linux 6 and 7 excludes all SSLv2 cipher suites, this default does not prevent servers from accepting SSLv2 connections from clients that force the use of a disabled cipher suite. This issue was assigned CVE-2015-3197 and is also fixed in updates that address the DROWN issue.
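The two controls this section describes, disabling the legacy protocols on an SSLv23-style "negotiate any version" context and keeping static-RSA key exchange out of the cipher list (the Impact to systems section notes that non-RSA key exchange cannot be decrypted by DROWN), can be expressed and verified through Python's ssl module, which wraps OpenSSL. The script below is an added example, not OpenSSL's or Red Hat's code. It assumes a Python ssl module linked against OpenSSL 1.1.1 or later, where the SSLv2 code no longer exists (SSL_OP_NO_SSLv2 is defined as 0 there), so the audit checks the protocol floor and the key exchange rather than an SSLv2 flag.

```python
"""Audit an OpenSSL-backed TLS server context for what DROWN needs: old protocols, RSA kx."""
import ssl


def weak_server_context():
    """The legacy shape the advisory describes: any version, static-RSA suites enabled.

    Only the cipher selection is set; the protocol floor is whatever the library allows.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)     # Python's SSLv23-style method
    ctx.set_ciphers("RSA+AESGCM:RSA+AES")              # Kx=RSA only: the DROWN target
    return ctx


def hardened_server_context():
    """Floor the protocol version and drop static-RSA key exchange entirely."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Does the job of SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret key exchange only: a shared or leaked RSA key then cannot
    # decrypt captured sessions, which is what DROWN ultimately delivers.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def rsa_kx_suites(ctx):
    """Names of enabled suites whose key exchange is static RSA (Kx=RSA)."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c.get("kea") == "kx-rsa" or "Kx=RSA" in c.get("description", ""))


def protocol_floor(ctx):
    """Lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def audit(ctx):
    """Findings a reviewer would flag; an empty list means no DROWN-relevant exposure."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2: %s" % protocol_floor(ctx))
    rsa = rsa_kx_suites(ctx)
    if rsa:
        findings.append("static RSA key exchange enabled: %s" % ", ".join(rsa))
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_server_context()), ("hardened", hardened_server_context())):
        print(name, audit(ctx) or ["ok"])
```

The same audit applies to any OpenSSL-linked service: dump its negotiated cipher list (for example with the openssl ciphers command and the server's configured cipher string) and look for Kx=RSA entries; with those gone, a key shared with an SSLv2-speaking service no longer lets captured TLS traffic be decrypted, although the SSLv2 service itself still needs fixing.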

SSLv2 in NSS (Network Security Services)

The NSS cryptography library implements SSLv2 protocol, but it does not enable it by default. Applications need to explicitly ask the library to enable SSLv2 to use it. The NSS versions shipped with Red Hat Enterprise Linux 7 do not allow enabling SSLv2 protocol at all. Applications using the NSS library are unlikely to run with SSLv2 enabled.

As the NSS library does not enable SSLv2 by default, no immediate updates are planned to address the DROWN issue. Future updates in Red Hat Enterprise Linux 6 are expected to disable the protocol in a similar way to how it's disabled in Red Hat Enterprise Linux 7.

SSL and TLS libraries without SSLv2 support

Red Hat products include the following components that implement some TLS or SSL protocol version but do not implement support for SSLv2. These components are therefore not affected by this issue. Note that applications using these unaffected libraries may still be affected by the DROWN attack if they share their private RSA key with another application that uses an SSL/TLS library that supports SSLv2.

  • GnuTLS
  • OpenJDK (packages java-1.6.0-openjdk , java-1.7.0-openjdk , java-1.8.0-openjdk )
  • Oracle JDK (packages java-1.6.0-sun , java-1.7.0-oracle , java-1.8.0-oracle )
  • IBM JDK (packages java-1.6.0-ibm , java-1.7.0-ibm , java-1.7.1-ibm , java-1.8.0-ibm )


5 Comments

When running the DROWN-test.sh:

The installed version of openssl-libs (package openssl-libs is not installed) is not vulnerable to DROWN.

Do I need a reboot after updating openssl to 7.4?

Hi Larry - we recommend that any time major packages like openssl are updated, the system gets rebooted. This will ensure all services will have access to the updated library.

Hi Larry, a reboot is not required. You will need to restart any specific services providing secure communications, such as HTTPS (port 443), secure email (995 - POP; 993 - IMAP, etc.), or any other daemons or applications which provide secure connections using the openssl libraries. If you are unsure then yes, rebooting guarantees that all services are using the new version from the installed RPMs rather than in-memory copies. If you have very specific questions please do open a support case to discuss private information.

Regards, Cliff.

The message as:

The installed version of openssl-libs (package openssl-libs is not installed) is not vulnerable to DROWN. 

is a script bug that will hopefully be resolved soon.

You need to restart services using OpenSSL - either individually or by rebooting the system - as suggested by Chris and Cliff above.

Thanks for the replies.

When I do rpm -qa |grep openssl the servers do not show any openssl-libs installed, therefore the script seems to be correct.

[root@co-ds-mys-a02 ~]# rpm -qa |grep openssl
openssl-1.0.1e-42.el6.x86_64
openssl-devel-1.0.1e-42.el6.x86_64
[root@co-ds-mys-a02 ~]# ./DROWN-test.sh

WARNING: The installed version of openssl (openssl-1.0.1e-42.el6) is vulnerable to the general DROWN attack and should be upgraded. See https://access.redhat.com/security/vulnerabilities/drown for more information.
The installed version of openssl-libs (package openssl-libs is not installed) is not vulnerable to DROWN.

When I run rpm -qa |grep openssl on a server that I know has openssl-libs installed and run the script, the script says that the openssl-libs are vulnerable.

rpm -qa |grep openssl
openssl-1.0.1e-42.el7_1.9.x86_64
openssl-devel-1.0.1e-42.el7_1.9.x86_64
openssl-libs-1.0.1e-42.el7_1.9.x86_64

./DROWN-test.sh
WARNING: The installed version of openssl (openssl-1.0.1e-42.el7_1.9) is vulnerable to the general DROWN attack and should be upgraded. See https://access.redhat.com/security/vulnerabilities/drown for more information.
WARNING: The installed version of openssl-libs (openssl-libs-1.0.1e-42.el7_1.9) is out of date and may present a security risk. See https://access.redhat.com/security/vulnerabilities/drown for more information.