[2016/03/02] On the announcement of DROWN attack and CacheBleed

On March 1st, 2016 (22:00 UTC), OpenSSL.org published a new security advisory [1]. At the same time, the details of the DROWN attack and of CacheBleed were published. The advisory states that 8 vulnerabilities, including these two, are fixed. Two of them are rated “High” severity. Both stem from the findings of the original DROWN paper and are attacks that allow decryption of SSL/TLS ciphertext. Even if the client uses the latest version of a web browser, the ciphertext can be decrypted if the SSL/TLS server still supports SSLv2.

Use of SSLv2 is already prohibited because of several known problems [2]. In particular, when the FREAK attack was presented last year, it turned out that some web servers still offered export-grade weak cipher suites, and server configurations were reviewed as a result. Nevertheless, it has been pointed out that SSLv2 has not actually been retired on real-world web servers. Export-grade symmetric ciphers are weak because they provide only 40 bits of security.

The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack [3], on the other hand, allows an attacker to decrypt TLS sessions protected by 128-bit symmetric ciphers that are currently regarded as secure, even when the client itself never negotiates a weak export-grade cipher. The attack requires the following two conditions.

  • The attacker can mount a man-in-the-middle attack (i.e. the target ciphertext can be observed by the attacker).
  • The attacker can connect to an SSLv2-enabled server that operates with the same RSA key pair as the one used to establish the target secure channel.

For the second condition, the SSLv2-enabled server need not be the target server itself; the attack works if any other server uses the same key pair. Such key-pair reuse happens, for example, on test servers, and cases have been reported across different protocols such as HTTPS and SMTPS.

The existence of an SSLv2-enabled server is therefore a necessary condition for this attack. The attack uses a known technique against RSA encryption called the Bleichenbacher attack [4]. It is a kind of padding oracle attack, recovering the plaintext by trial and error, step by step, much like the POODLE attack. RSAES-PKCS1-v1_5, which the CRYPTREC cipher list [5] categorizes as an obsolete cipher, precisely specifies the padding format, and the decryption algorithm returns an error when the padding of a decrypted ciphertext is malformed. The attack abuses this error reporting: by submitting chosen ciphertexts derived from the target ciphertext and observing whether each one is reported as correctly padded or not, the attacker narrows down the plaintext until it is fully recovered.
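As an added worked example (not code from the original page, the DROWN paper, or OpenSSL), the following Python script implements the Bleichenbacher search described above against a toy RSAES-PKCS1-v1_5 padding oracle. The key is a hypothetical 125-bit modulus built from two well-known primes so that the attack finishes in seconds; the oracle answers only whether a decrypted ciphertext begins with the bytes 00 02, which is exactly the information a format-error response leaks. The names `Oracle`, `bleichenbacher` and `demo` are this example's own.

```python
"""Bleichenbacher padding-oracle attack against RSAES-PKCS1-v1_5 on a toy RSA key."""
import os

# Hypothetical toy key (NOT a real-world key): two known primes, 125-bit modulus.
P = 2305843009213693951           # 2^61 - 1 (Mersenne prime M61)
Q = 18446744073709551557          # 2^64 - 59 (largest prime below 2^64)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8     # modulus length in bytes (16 here)
B = 1 << (8 * (K - 2))            # PKCS#1 v1.5 boundary: a conforming m lies in [2B, 3B)


def pkcs1_v15_pad(msg: bytes) -> int:
    """EM = 00 || 02 || PS (non-zero random, >= 8 bytes) || 00 || M, as an integer."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(b or 1 for b in os.urandom(K - 3 - len(msg)))  # force padding bytes non-zero
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


def pkcs1_v15_unpad(m: int) -> bytes:
    em = m.to_bytes(K, "big")
    if em[:2] != b"\x00\x02" or b"\x00" not in em[2:]:
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:]


def encrypt(msg: bytes) -> int:
    return pow(pkcs1_v15_pad(msg), E, N)


class Oracle:
    """Models a server that reveals, by its error response, whether a ciphertext
    decrypts to something starting with 00 02 (the 'conforming' check)."""

    def __init__(self):
        self.queries = 0

    def conforming(self, c: int) -> bool:
        self.queries += 1
        return 2 * B <= pow(c, D, N) < 3 * B


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def bleichenbacher(c0: int, oracle: Oracle) -> int:
    """Recover the padded plaintext m of a conforming ciphertext c0 (Bleichenbacher 1998, steps 2-4).
    The blinding step is skipped because c0 is already conforming, so s0 = 1."""
    assert oracle.conforming(c0)
    M = [(2 * B, 3 * B - 1)]                 # initial interval containing m
    s = ceil_div(N, 3 * B)                   # step 2a: smallest s >= n/(3B) with c0*s^e conforming
    while not oracle.conforming(c0 * pow(s, E, N) % N):
        s += 1
    while True:
        # step 3: narrow the interval set using the conforming multiplier s
        new = set()
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.add((lo, hi))
        M = sorted(new)
        assert M, "oracle inconsistent: m lost from every interval"
        if len(M) == 1 and M[0][0] == M[0][1]:   # step 4: a single value remains, m = a * s0^-1 = a
            return M[0][0]
        if len(M) > 1:                           # step 2b: several intervals, scan s upward
            s += 1
            while not oracle.conforming(c0 * pow(s, E, N) % N):
                s += 1
        else:                                    # step 2c: one interval, jump s using r
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            found = False
            while not found:
                for cand in range(ceil_div(2 * B + r * N, b), (3 * B + r * N) // a + 1):
                    if oracle.conforming(c0 * pow(cand, E, N) % N):
                        s, found = cand, True
                        break
                r += 1


def demo(msg: bytes = b"DROWN"):
    """Encrypt msg, recover it through the oracle alone, return (plaintext, oracle queries)."""
    oracle = Oracle()
    recovered = bleichenbacher(encrypt(msg), oracle)
    return pkcs1_v15_unpad(recovered), oracle.queries


if __name__ == "__main__":
    plaintext, queries = demo()
    print(f"recovered {plaintext!r} after {queries} oracle queries")
```

The oracle never returns the private key; every query only says "padding OK" or "padding error", and that single bit, repeated a few thousand times on a key this small (far more on a real 2048-bit key), is enough to recover one plaintext. DROWN obtains this oracle from an SSLv2 server, which is why such a server must be reachable for the attack.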

CVE-2016-0800 is assigned to the DROWN attack; note, however, that the following three CVE numbers are assigned to the issues described in the original paper [6]:

  • [High] Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
  • [High] Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
  • [Moderate] Bleichenbacher oracle in SSLv2 (CVE-2016-0704)

The second and third were already fixed in the OpenSSL releases of March 2015, although they were not disclosed at that time.

CVE-2016-0800 applies not only to OpenSSL but also to the following products, because the attack works in any SSLv2-enabled environment:

  • IIS (SSLv2 disabled by default since IIS 7)
  • NSS (SSLv2 disabled since version 3.13)
  • Apache
  • Postfix
  • nginx


It is estimated that 33% of all HTTPS servers, and 22% of those with browser-trusted certificates, are vulnerable to DROWN. Server configurations should therefore be reviewed again, as was done after the FREAK and Logjam attacks. The things to check are whether the server enables SSLv2 and whether its key pair is reused on other servers, including servers for other protocols.
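To make the two checks concrete, here is an added Python example (not from the original page or from the DROWN project) that sends a raw SSLv2 ClientHello, parses the SSLv2 ServerHello to learn whether SSLv2 and export-grade cipher kinds are offered, and compares certificate fingerprints across hosts to spot a reused key pair. `probe()` talks to a real host; the constructed `sample_server_hello()` message is made up for offline use, and the host names shown with it are placeholders.

```python
"""Probe for SSLv2 support and reused certificates (the two DROWN preconditions)."""
import hashlib
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each). The EXPORT40 entries are the 40-bit ciphers DROWN abuses.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def ssl2_record(payload: bytes) -> bytes:
    """Wrap payload in a 2-byte SSLv2 record header (high bit set: 15-bit length, no padding)."""
    return struct.pack(">H", 0x8000 | len(payload)) + payload


def build_client_hello(challenge: bytes = None) -> bytes:
    """MSG-CLIENT-HELLO offering every SSLv2 cipher kind and no session id."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = struct.pack(">BHHHH", 1, 0x0002, len(ciphers), 0, len(challenge))
    return ssl2_record(body + ciphers + challenge)


def parse_server_hello(data: bytes) -> dict:
    """Parse an SSLv2 ServerHello record; raise ValueError for anything else (e.g. a TLS alert)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header; server probably does not speak SSLv2")
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 4:  # MSG-SERVER-HELLO
        raise ValueError("not an SSLv2 ServerHello")
    _sid_hit, _cert_type, version, cert_len, cipher_len, _conn_len = struct.unpack(">BBHHHH", body[1:11])
    off = 11
    cert = body[off:off + cert_len]
    off += cert_len
    cipher_bytes = body[off:off + cipher_len]
    ciphers = [SSLV2_CIPHERS.get(cipher_bytes[i:i + 3], cipher_bytes[i:i + 3].hex())
               for i in range(0, cipher_len, 3)]
    return {
        "version": version,
        "certificate": cert,                                   # X.509 DER as sent by the server
        "cert_sha256": hashlib.sha256(cert).hexdigest(),       # fingerprint for reuse comparison
        "ciphers": ciphers,
        "export40": any("EXPORT40" in c for c in ciphers),
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, send the SSLv2 ClientHello and parse the reply (network access required)."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_client_hello())
        data = sock.recv(8192)
    return parse_server_hello(data)


def find_reused_certs(results: dict) -> dict:
    """Group hosts by certificate fingerprint; a group with more than one host shares a key pair."""
    by_fp = {}
    for host, result in results.items():
        by_fp.setdefault(result["cert_sha256"], []).append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


def sample_server_hello(cert: bytes = b"\x30\x82\x00\x00",
                        ciphers=(b"\x01\x00\x80", b"\x02\x00\x80"),
                        conn_id: bytes = b"\xaa" * 16) -> bytes:
    """Constructed SSLv2 ServerHello for offline testing (fake 4-byte 'certificate', not a capture)."""
    cb = b"".join(ciphers)
    body = struct.pack(">BBBHHHH", 4, 0, 1, 0x0002, len(cert), len(cb), len(conn_id))
    return ssl2_record(body + cert + cb + conn_id)


if __name__ == "__main__":
    # Placeholder hosts: in practice call probe() for every HTTPS/SMTPS/IMAPS endpoint you operate.
    results = {"www.example.test": parse_server_hello(sample_server_hello()),
               "smtp.example.test": parse_server_hello(sample_server_hello())}
    for host, r in results.items():
        print(host, "SSLv2 offered, export ciphers:", r["export40"], r["ciphers"])
    print("key reuse groups:", find_reused_certs(results))
```

A host that has SSLv2 disabled normally answers the ClientHello with a TLS alert or closes the connection, so `probe()` raises `ValueError` for it. Comparing certificate fingerprints catches servers that present the same certificate; two different certificates can still carry the same public key, so for a thorough audit compare the SubjectPublicKeyInfo (for example the output of `openssl x509 -pubkey`) rather than the whole certificate.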

This vulnerability has been reported as widely as the Heartbleed bug of April 2014; however, its impact is more limited, for the following reasons:

  • No regeneration of the key pair or reissuance of the certificate is needed, because the attack decrypts individual sessions but does not reveal the private key.
  • Previously recorded ciphertext can only be decrypted while an SSLv2-enabled server using the same key pair is still reachable; once SSLv2 is disabled everywhere the key pair is used, the oracle is gone.

The countermeasure is to update OpenSSL and to configure servers properly so that obsolete and vulnerable protocols and cryptographic algorithms, SSLv2 and export-grade ciphers in particular, are not used. Prompt action along these lines is recommended.


The same advisory also covers a timing attack on OpenSSL, CacheBleed [7]. It claims that a 4,096-bit RSA private key can be recovered after observing 16,000 decryptions, and that LibreSSL and NSS are affected as well. However, it is rated “Low” severity, because the attacker must run code on the same physical CPU as the victim (observing the cache from a sibling hyperthread) and only some CPU models are affected.


[1] OpenSSL Security Advisory [1st March 2016]

[2] RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0

[3] The DROWN Attack

[4] D. Bleichenbacher, "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1", CRYPTO 1998

[5] CRYPTREC Ciphers List

[6] N. Aviram et al., "DROWN: Breaking TLS using SSLv2"

[7] CacheBleed: A Timing Attack on OpenSSL Constant Time RSA
