In early March, researchers disclosed the DROWN vulnerability in OpenSSL, which affects more than 11 million websites and e-mail services whose servers still support the SSLv2 protocol. Bkav took a close look at the situation in Viet Nam and found that hundreds of important websites were affected, putting users' data such as passwords, personal information and credit card details at risk of being stolen.
Among the affected systems, 58% are in the financial sector, 21% in the petroleum sector, 11% in the industrial and consumer goods sectors, 5% in the technology and telecommunication sectors, and 5% in the transportation and tourism sector.
Bkav urgently informed the affected organizations and supported them in addressing the issue to secure their customers' information.
What is the DROWN attack?
DROWN stands for "Decrypting RSA with Obsolete and Weakened eNcryption."
DROWN exploits weaknesses in the SSLv2 protocol, affecting encrypted connections such as HTTPS and other services that rely on SSL and TLS. These protocols let everyone on the Internet browse the web, use e-mail, shop online, and remotely access the internal applications of organizations.
A DROWN attack could allow an attacker to read users' sensitive data such as passwords, personal information and credit card details, read private e-mails, or gain illegitimate access to an organization's internal network.
According to Bkav, DROWN is harder to exploit than the Heartbleed vulnerability because the attacker must carry out a man-in-the-middle attack. However, exploiting this vulnerability to steal users' credentials is feasible. Administrators should promptly disable the SSLv2 protocol to protect their systems and users.
System administrators can use Bkav's tool, DROWN Checker, to check whether their systems are vulnerable. The tool is available at http://tools.whitehat.vn: open the link and enter your server's domain name to run the check.
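The check the tool performs can also be run locally. The following Python probe is an added example (it is not Bkav's DROWN Checker nor any code from it): it sends an SSLv2 CLIENT-HELLO and treats an SSLv2 SERVER-HELLO listing accepted ciphers as proof that SSLv2 is enabled; a server with SSLv2 disabled answers with a TLS alert or closes the connection, which the parser reports as None. The hostname, port and any sample bytes are assumptions.

```python
import socket
import struct
# 3-byte SSLv2 cipher kinds (as listed in the SSLv2 draft) offered in the CLIENT-HELLO
SSL2_CIPHER_NAMES = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge=b"\x00" * 16):
    """Build an SSLv2 CLIENT-HELLO record that offers every SSLv2 cipher kind."""
    ciphers = b"".join(SSL2_CIPHER_NAMES)
    body = (b"\x01"                          # message type: CLIENT-HELLO
            + b"\x00\x02"                    # client version: SSL 2.0
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)           # cipher specs, empty session id, challenge
    # 2-byte record header: high bit set, the remaining 15 bits carry the body length
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data):
    """Return the cipher kinds an SSLv2 SERVER-HELLO accepts, or None if the reply is not SSLv2
    (a TLS alert or an empty read from a server without SSLv2 both give None)."""
    if len(data) < 13 or not data[0] & 0x80:  # not a 2-byte SSLv2 record header
        return None
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    # SERVER-HELLO: type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2) cipher-len(2) conn-id-len(2)
    if len(body) < 11 or body[0] != 0x04 or body[3:5] != b"\x00\x02":
        return None
    cert_len, cipher_len, _conn_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + cipher_len]
    if len(specs) != cipher_len or cipher_len % 3:
        return None
    return [SSL2_CIPHER_NAMES.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, cipher_len, 3)]

def probe_sslv2(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to host:port and report accepted SSLv2 ciphers (None = SSLv2 not offered)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            return None
    return parse_server_hello(reply)
```

Run it against your own server, e.g. `probe_sslv2("your.server.example", 443)` (hypothetical host); any list other than None means SSLv2 is still enabled and the steps below are needed.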
How to address the DROWN attack
Step 1: Check whether your website is vulnerable to the DROWN attack using tools.whitehat.vn
Step 2: Close the vulnerability by disabling SSLv2, following the detailed instructions for each operating system
For Windows servers
To turn off SSLv2 on Windows, use the tool provided by Microsoft (http://go.microsoft.com/?linkid=9742318).
If the tool cannot be used, change the registry instead (back up the registry before making any changes so that the server keeps operating):
- In Registry Editor, navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
- Right-click on Server and select New -> DWORD (32-bit) Value
- Name it "Enabled" and set its value to 0
- Restart the server
* Note: If the SSL 2.0 key does not exist under Protocols, create it (together with its Server subkey) and follow the steps above.
For Linux servers
- For OpenSSL 1.0.1: upgrade to OpenSSL 1.0.1s
wget http://www.openssl.org/source/openssl-1.0.1s.tar.gz && tar -xvzf openssl-1.0.1s.tar.gz
cd openssl-1.0.1s && ./config && make
sudo make install
- For OpenSSL 1.0.2: upgrade to OpenSSL 1.0.2g
wget http://www.openssl.org/source/openssl-1.0.2g.tar.gz && tar -xvzf openssl-1.0.2g.tar.gz
cd openssl-1.0.2g && ./config && make
sudo make install