Bug 1310593 (CVE-2016-0800, DROWN)

Summary: CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: asantos, bbaranow, bmaxwell, cdewolf, chazlett, crrobins, csutherl, dandread, darran.lofthouse, dfediuck, dknox, dlawrenc, fdeutsch, fnasser, huwang, jason.greene, jawilson, jclere, jdoyle, jgreguske, jshepherd, lgao, mbabacek, miburman, myarboro, pachoramos1, pdwyer, pgier, pkliczew, pmatouse, psakar, pslavice, redhat-bugzilla, rhatlapa, rnetuka, rsvoboda, sardella, security-response-team, sherold, slawomir, slong, spinder, theute, tmraz, twalsh, vtunka, weli
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: openssl 1.0.1s, openssl 1.0.2g
Doc Type: Bug Fix
Doc Text:
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
Last Closed: 2017-05-25 19:43:20 UTC
Bug Depends On: 1301848, 1301849, 1301850, 1301851, 1301852, 1311103, 1311104, 1311478, 1311479, 1311480, 1311481, 1311482, 1311483, 1311484, 1311867, 1312239, 1312240, 1312891, 1312892, 1313366, 1313378, 1313595, 1313598, 1313619, 1314097, 1314718, 1314719, 1314720, 1314721
Bug Blocks: 1301847
Attachments: OpenSSL upstream patch (flags: none)

Description Huzaifa S. Sidhpurwala 2016-02-22 10:24:03 UTC
A group of security researchers discovered that SSLv2 (Secure Sockets Layer protocol version 2.0) is vulnerable to the Bleichenbacher RSA padding oracle attack, which can be used to decrypt RSA cipher text without knowledge of the matching private RSA key by observing responses from a server that has the private key and performs decryption of attacker-provided cipher texts using that key. This flaw is an SSLv2 protocol issue and affects all implementations of the protocol.

They also demonstrated a cross-protocol attack which allows them to decrypt SSL/TLS sessions using newer protocol versions - SSLv3 or any current TLS (Transport Layer Security) version (1.0 - 1.2) - using this SSLv2 weakness. This cross-protocol attack was named DROWN - Decrypting RSA using Obsolete and Weakened eNcryption.

Additionally, flaws were found in the SSLv2 protocol implementation in the OpenSSL cryptography and SSL/TLS library, which make it possible to perform a more efficient variant of the DROWN attack, referred to as special DROWN. These issues were assigned CVE-2016-0703 (bug 1310811) and CVE-2016-0704 (bug 1310814), and were already recently corrected as part of the fix for CVE-2015-0293 (bug 1202404).

The OpenSSL library is significantly affected by DROWN both because of the implementation issues in older versions that allow an efficient attack, and also because SSLv2 is enabled by default when using the recommended SSLv23 connection methods.

The NSS (Network Security Services) library also implements the SSLv2 protocol, but disables it by default, which limits the impact of this issue on the library.
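As an added illustration (not part of the bug report or of OpenSSL), the PKCS#1 v1.5 conformance check whose outcome a Bleichenbacher-style oracle leaks, side by side with the countermeasure TLS applies (RFC 5246 section 7.4.7.1) so that a server's response does not depend on that outcome. The 128-byte padded block and 48-byte premaster secret are constructed sample values.

```python
import os

PREMASTER_LEN = 48   # TLS RSA premaster secret length (constructed sample size)
MODULUS_LEN = 128    # k for a 1024-bit RSA modulus (constructed sample size)


def pkcs1_v15_unpad(em: bytes, expected_len: int):
    """Check PKCS#1 v1.5 type-2 padding: 0x00 0x02 <PS: >= 8 nonzero bytes> 0x00 <M>.
    Returns (conformant, message). Whether this check passes is exactly the bit
    a padding oracle leaks to whoever submitted the ciphertext."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return False, b""
    sep = em.find(b"\x00", 2)           # end of the nonzero padding string
    if sep == -1 or sep - 2 < 8:
        return False, b""
    msg = em[sep + 1:]
    if len(msg) != expected_len:
        return False, b""
    return True, msg


def handle_sslv2_style(em: bytes) -> dict:
    """Leaky handling: a non-conformant plaintext yields a visibly different
    response than a conformant one, so the server acts as an oracle for its key."""
    ok, msg = pkcs1_v15_unpad(em, PREMASTER_LEN)
    if not ok:
        return {"status": "error", "secret": None}
    return {"status": "ok", "secret": msg}


def handle_tls_style(em: bytes, fallback: bytes = None) -> dict:
    """Countermeasure from RFC 5246 section 7.4.7.1: on any padding failure keep
    going with a random premaster secret. The observable response is the same in
    both cases; the handshake later fails at the Finished check without saying why.
    Real implementations must also make the selection constant-time; this Python
    branch is for illustration only."""
    if fallback is None:
        fallback = os.urandom(PREMASTER_LEN)
    ok, msg = pkcs1_v15_unpad(em, PREMASTER_LEN)
    return {"status": "ok", "secret": msg if ok else fallback}


def sample_block(secret: bytes, conformant: bool = True) -> bytes:
    """Constructed padded block, as the server sees it after RSA decryption."""
    ps = b"\xaa" * (MODULUS_LEN - 3 - len(secret))   # nonzero padding string
    block_type = b"\x02" if conformant else b"\x03"  # 0x03 breaks conformance
    return b"\x00" + block_type + ps + b"\x00" + secret
```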

Comment 1 Adam Mariš 2016-02-22 17:30:20 UTC
Created attachment 1129416 [details]
OpenSSL upstream patch

Comment 7 Martin Prpič 2016-02-29 12:26:25 UTC
Acknowledgments:

Name: the OpenSSL project
Upstream: Nimrod Aviram, Sebastian Schinzel

Comment 9 Tomas Hoger 2016-02-29 13:31:58 UTC
Comment on attachment 1129416 [details]
OpenSSL upstream patch

(In reply to Adam Mariš from comment #1)

The OpenSSL upstream patch includes multiple changes:

* SSLv2 is now disabled by default at compile time, which makes it impossible to use SSLv2 via both SSLv2 and SSLv23 connection methods.  Previously, it was possible to build OpenSSL without SSLv2 support by using the "no-ssl2" configure option.  That has now been made the default, and the "enable-ssl2" configure option now needs to be provided to enable SSLv2 support.

* When OpenSSL is built with SSLv2 support, SSLv2 is now disabled by default when using SSLv23 connection methods (SSLv23_method(), SSLv23_server_method(), SSLv23_client_method() - see SSL_CTX_new manual page).  To use SSLv2 with SSLv23 connection methods, applications now need to explicitly clear SSL_OP_NO_SSLv2 option on SSL_CTX or SSL objects using SSL_CTX_clear_options() or SSL_clear_options().

The SSLv2 connection methods are not affected by this change.

Note that openssl packages in Fedora 21 and later already have SSLv2 disabled by default when using SSLv23 methods.  In Fedora 22 and later, SSLv3 is disabled by default as well.

http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/commit/openssl-1.0.1h-disable-sslv2v3.patch?h=f22&id=646646611547dd7072b0562ed5f27861fbb12f48

* Weak (40bit EXPORT and 56bit DES) SSLv2 cipher support was removed.  The following ciphers are no longer available:

- EXP-RC2-CBC-MD5 / SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
- EXP-RC4-MD5 / SSL_CK_RC4_128_EXPORT40_WITH_MD5
- DES-CBC-MD5 / SSL_CK_DES_64_CBC_WITH_MD5

* Weak (EXPORT and LOW) SSLv3 cipher support is not compiled in unless OpenSSL is built with "enable-weak-ssl-ciphers" configure option.


Updates in Red Hat products include changes to SSLv23 connection methods and remove weak SSLv2 ciphers.  Refer to knowledge base article 2176731 (see comment 3 above) for further details.
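An added audit helper (not from the bug report or from OpenSSL) that uses Python's ssl module on top of the linked OpenSSL to verify the two outcomes comment 9 describes: a default context cannot negotiate SSLv2, and the three removed SSLv2 cipher names are no longer accepted. It handles the case where SSLv2 was compiled out entirely (OpenSSL 1.1.0 and later define SSL_OP_NO_SSLv2 as 0), where a plain option-bit test would report the wrong answer.

```python
import ssl

# SSLv2 cipher names removed by the upstream patch (listed in comment 9).
REMOVED_SSLV2_CIPHERS = ("EXP-RC2-CBC-MD5", "EXP-RC4-MD5", "DES-CBC-MD5")


def sslv2_disabled(ctx: ssl.SSLContext) -> bool:
    """True when ctx cannot negotiate SSLv2.

    Case 1: OpenSSL 1.1.0+ dropped SSLv2 entirely and defines SSL_OP_NO_SSLv2
    as 0, so a naive `ctx.options & ssl.OP_NO_SSLv2` test is always 0 and would
    wrongly report SSLv2 as enabled.
    Case 2: SSLv2 is compiled in (1.0.x) but the SSL_OP_NO_SSLv2 bit is set,
    which the patched SSLv23 methods and Python's SSLContext do by default.
    """
    flag = int(ssl.OP_NO_SSLv2)
    if flag == 0:
        return True          # protocol not present in the library at all
    return bool(int(ctx.options) & flag)


def accepted_weak_ciphers(names=REMOVED_SSLV2_CIPHERS) -> list:
    """Return the removed cipher names that the linked library still accepts.

    set_ciphers() raises SSLError when nothing matches the string; a fresh
    context is used per probe because set_ciphers() mutates the context.
    """
    accepted = []
    for name in names:
        probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            probe.set_ciphers(name)
        except ssl.SSLError:
            continue
        accepted.append(name)
    return accepted


def audit(ctx: ssl.SSLContext = None) -> dict:
    """Summary a deployment check can log or assert on (default context if none given)."""
    if ctx is None:
        ctx = ssl.create_default_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "sslv2_disabled": sslv2_disabled(ctx),
        "weak_sslv2_ciphers_accepted": accepted_weak_ciphers(),
    }


if __name__ == "__main__":
    print(audit())
```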

Comment 10 Martin Prpič 2016-03-01 13:05:37 UTC
Statement:

(none)

Comment 11 Tomas Hoger 2016-03-01 14:13:21 UTC
The site for this issue:

https://www.drownattack.com/

Technical details can be found in the published paper "DROWN: Breaking TLS using SSLv2":

https://www.drownattack.com/drown-attack-paper.pdf

Comment 13 Tomas Hoger 2016-03-01 14:16:43 UTC
Mark Cox's (Red Hat Product Security) blog post:

https://access.redhat.com/blogs/product-security/posts/drown

Comment 14 errata-xmlrpc 2016-03-01 14:46:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4 Extended Lifecycle Support

Via RHSA-2016:0306 https://rhn.redhat.com/errata/RHSA-2016-0306.html

Comment 15 errata-xmlrpc 2016-03-01 14:48:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2016:0304 https://rhn.redhat.com/errata/RHSA-2016-0304.html

Comment 16 errata-xmlrpc 2016-03-01 14:50:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2016:0303 https://rhn.redhat.com/errata/RHSA-2016-0303.html

Comment 17 errata-xmlrpc 2016-03-01 14:52:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:0302 https://rhn.redhat.com/errata/RHSA-2016-0302.html

Comment 18 errata-xmlrpc 2016-03-01 15:11:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support
  Red Hat Enterprise Linux 6.6 Extended Update Support

Via RHSA-2016:0305 https://rhn.redhat.com/errata/RHSA-2016-0305.html

Comment 19 errata-xmlrpc 2016-03-01 16:09:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:0301 https://rhn.redhat.com/errata/RHSA-2016-0301.html

Comment 26 Pacho Ramos 2016-03-03 11:09:47 UTC
It looks like sslv2 has finally been re-enabled to break (nearly all) reverse deps:
http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/commit/?id=8f6be98bf7b9e9015ad035f34b8414e82c7b68ca

We are facing the same problem in Gentoo... but we have important worries about re-enabling sslv2 support in openssl as it looks like it could still cause security risks :/
https://bugs.gentoo.org/show_bug.cgi?id=576128

Comment 29 errata-xmlrpc 2016-03-09 04:09:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:0372 https://rhn.redhat.com/errata/RHSA-2016-0372.html

Comment 30 errata-xmlrpc 2016-03-09 14:49:08 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6
  RHEV-H and Agents for RHEL-7

Via RHSA-2016:0379 https://rhn.redhat.com/errata/RHSA-2016-0379.html

Comment 31 errata-xmlrpc 2016-03-14 16:44:27 UTC
This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2016:0445 https://rhn.redhat.com/errata/RHSA-2016-0445.html

Comment 32 errata-xmlrpc 2016-03-14 20:02:28 UTC
This issue has been addressed in the following products:

  JBoss Web Server 3.0.2

Via RHSA-2016:0446 https://rhn.redhat.com/errata/RHSA-2016-0446.html

Comment 33 Fedora Update System 2016-03-17 18:24:05 UTC
openssl101e-1.0.1e-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2016-03-22 16:50:02 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.6

Via RHSA-2016:0490 https://rhn.redhat.com/errata/RHSA-2016-0490.html

Comment 35 errata-xmlrpc 2016-07-27 15:32:48 UTC
This issue has been addressed in the following products:

  JBoss Operations Network 3.3.6 

Via RHSA-2016:1519 https://rhn.redhat.com/errata/RHSA-2016-1519.html