Bug 1310593 - (CVE-2016-0800, DROWN) CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20160301,repo...
Keywords: Security
Depends On: 1301848 1301849 1301850 1301851 1301852 1311103 1311104 1311478 1311479 1311480 1311481 1311482 1311483 1311484 1311867 1312239 1312240 1312891 1312892 1313366 1313378 1313595 1313598 1313619 1314097 1314718 1314719 1314720 1314721
Blocks: 1301847
Reported: 2016-02-22 05:24 EST by Huzaifa S. Sidhpurwala
Modified: 2017-05-25 15:43 EDT (History)
Fixed In Version: openssl 1.0.1s, openssl 1.0.2g
Doc Type: Bug Fix
Doc Text:
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
Last Closed: 2017-05-25 15:43:20 EDT
Attachments:
OpenSSL upstream patch (53.91 KB, patch), 2016-02-22 12:30 EST, Adam Mariš

Description Huzaifa S. Sidhpurwala 2016-02-22 05:24:03 EST
A group of security researchers discovered that SSLv2 (Secure Sockets Layer protocol version 2.0) is vulnerable to the Bleichenbacher RSA padding oracle attack, which can be used to decrypt RSA cipher text without knowledge of the matching private RSA key by observing responses from a server that has the private key and performs decryption of attacker-provided cipher texts using that key. This flaw is an SSLv2 protocol issue and affects all implementations of the protocol.

They also demonstrated a cross-protocol attack which allows them to decrypt SSL/TLS sessions using newer protocol versions - SSLv3 or any current TLS (Transport Layer Security) version (1.0 - 1.2) - using this SSLv2 weakness.  This cross-protocol attack was named DROWN - Decrypting RSA using Obsolete and Weakened eNcryption.

Additionally, flaws were found in the SSLv2 protocol implementation in the OpenSSL cryptography and SSL/TLS library, which make it possible to perform a more efficient variant of the DROWN attack, referred to as special DROWN. These issues were assigned CVE-2016-0703 (bug 1310811) and CVE-2016-0704 (bug 1310814), and were already recently corrected as part of the fix for CVE-2015-0293 (bug 1202404).

The OpenSSL library is significantly affected by DROWN both because of the implementation issues in older versions that allow an efficient attack, and also because SSLv2 is enabled by default when using the recommended SSLv23 connection methods.

The NSS (Network Security Services) library also implements the SSLv2 protocol, but disables it by default, which limits the impact of this issue on the library.
Comment 1 Adam Mariš 2016-02-22 12:30 EST
Created attachment 1129416 [details]
OpenSSL upstream patch
Comment 7 Martin Prpič 2016-02-29 07:26:25 EST
Acknowledgments:

Name: the OpenSSL project
Upstream: Nimrod Aviram, Sebastian Schinzel
Comment 9 Tomas Hoger 2016-02-29 08:31:58 EST
Comment on attachment 1129416 [details]
OpenSSL upstream patch

(In reply to Adam Mariš from comment #1)

The OpenSSL upstream patch includes multiple changes:

* SSLv2 is now disabled by default at compile time, which makes it impossible to use SSLv2 via both SSLv2 and SSLv23 connection methods.  Previously, it was possible to build OpenSSL without SSLv2 support by using "no-ssl2" configure option.  That was now made the default and "enable-ssl2" configure option now needs to be provided to enable SSLv2 support.

* When OpenSSL is built with SSLv2 support, SSLv2 is now disabled by default when using SSLv23 connection methods (SSLv23_method(), SSLv23_server_method(), SSLv23_client_method() - see SSL_CTX_new manual page).  To use SSLv2 with SSLv23 connection methods, applications now need to explicitly clear SSL_OP_NO_SSLv2 option on SSL_CTX or SSL objects using SSL_CTX_clear_options() or SSL_clear_options().

The SSLv2 connection methods are not affected by this change.

Note that openssl packages in Fedora 21 and later already have SSLv2 disabled by default when using SSLv23 methods.  In Fedora 22 and later, SSLv3 is disabled by default as well.

http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/commit/openssl-1.0.1h-disable-sslv2v3.patch?h=f22&id=646646611547dd7072b0562ed5f27861fbb12f48

* Weak (40bit EXPORT and 56bit DES) SSLv2 cipher support was removed.  The following ciphers are no longer available:

- EXP-RC2-CBC-MD5 / SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
- EXP-RC4-MD5 / SSL_CK_RC4_128_EXPORT40_WITH_MD5
- DES-CBC-MD5 / SSL_CK_DES_64_CBC_WITH_MD5

* Weak (EXPORT and LOW) SSLv3 cipher support is not compiled in unless OpenSSL is built with "enable-weak-ssl-ciphers" configure option.


Updates in Red Hat products include changes to SSLv23 connection methods and remove weak SSLv2 ciphers.  Refer to knowledge base article 2176731 (see comment 3 above) for further details.
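The configuration changes described in comment 9 (SSLv2 off by default for SSLv23 methods, weak EXPORT/DES SSLv2 suites removed) can be enforced and audited from the application side as well. The following is an added example, not code from the bug report or from OpenSSL; it uses Python's ssl module, whose SSLContext wraps an OpenSSL SSL_CTX and whose OP_NO_* flags mirror the SSL_OP_NO_* options, and the cipher names in the constructed list are the three suites the comment says were removed.

```python
"""Added example: enforce and audit the DROWN mitigations on an SSL_CTX
(via Python's ssl.SSLContext wrapper).  Not part of the bug report."""
import re
import ssl

# Patterns for the suites removed upstream (names from the bug report):
# 40-bit EXPORT suites (EXP-RC2-CBC-MD5, EXP-RC4-MD5) and 56-bit DES (DES-CBC-MD5).
WEAK_PATTERNS = (
    re.compile(r"^EXP-"),      # 40-bit export-grade suites
    re.compile(r"^DES-CBC-"),  # 56-bit single DES
)


def weak_sslv2_ciphers(names):
    """Return the cipher names that are 40-bit EXPORT or 56-bit DES suites."""
    return [n for n in names if any(p.search(n) for p in WEAK_PATTERNS)]


def hardened_server_context():
    """Server context that cannot negotiate SSLv2/SSLv3 or export-grade ciphers,
    independent of whatever the linked OpenSSL build enables by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same effect as SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3).  Note that
    # SSL_OP_NO_SSLv2 is defined as 0 in OpenSSL 1.1.0+, where the SSLv2 code
    # was removed entirely, so the protocol floor below is what enforces
    # "no SSLv2" on current builds.
    ctx.options |= ssl.OP_NO_SSLv3
    # DROWN decrypts RSA key exchange of TLS 1.0-1.2 sessions through SSLv2;
    # TLS 1.2 is a sane floor and makes SSLv2/SSLv3 unreachable by construction.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher list that excludes LOW/EXPORT-grade, DES, RC4 and MD5 suites.
    ctx.set_ciphers("HIGH:!aNULL:!MD5:!RC4:!DES:!3DES")
    return ctx


def audit_context(ctx):
    """Report whether the context still allows any of the legacy conditions."""
    enabled = [c["name"] for c in ctx.get_ciphers()]
    return {
        "sslv3_blocked": bool(ctx.options & ssl.OP_NO_SSLv3),
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": weak_sslv2_ciphers(enabled),
    }


if __name__ == "__main__":
    # Constructed list: the three removed suites plus one modern suite.
    legacy = ["EXP-RC2-CBC-MD5", "EXP-RC4-MD5", "DES-CBC-MD5",
              "ECDHE-RSA-AES128-GCM-SHA256"]
    print("weak suites:", weak_sslv2_ciphers(legacy))
    print(audit_context(hardened_server_context()))
```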
Comment 10 Martin Prpič 2016-03-01 08:05:37 EST
Statement:

(none)
Comment 11 Tomas Hoger 2016-03-01 09:13:21 EST
The site for this issue:

https://www.drownattack.com/

Technical details can be found in the published paper "DROWN: Breaking TLS using SSLv2":

https://www.drownattack.com/drown-attack-paper.pdf
Comment 13 Tomas Hoger 2016-03-01 09:16:43 EST
Mark Cox's (Red Hat Product Security) blog post:

https://access.redhat.com/blogs/product-security/posts/drown
Comment 14 errata-xmlrpc 2016-03-01 09:46:56 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4 Extended Lifecycle Support

Via RHSA-2016:0306 https://rhn.redhat.com/errata/RHSA-2016-0306.html
Comment 15 errata-xmlrpc 2016-03-01 09:48:38 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2016:0304 https://rhn.redhat.com/errata/RHSA-2016-0304.html
Comment 16 errata-xmlrpc 2016-03-01 09:50:23 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2016:0303 https://rhn.redhat.com/errata/RHSA-2016-0303.html
Comment 17 errata-xmlrpc 2016-03-01 09:52:31 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:0302 https://rhn.redhat.com/errata/RHSA-2016-0302.html
Comment 18 errata-xmlrpc 2016-03-01 10:11:34 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support
  Red Hat Enterprise Linux 6.6 Extended Update Support

Via RHSA-2016:0305 https://rhn.redhat.com/errata/RHSA-2016-0305.html
Comment 19 errata-xmlrpc 2016-03-01 11:09:03 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:0301 https://rhn.redhat.com/errata/RHSA-2016-0301.html
Comment 26 Pacho Ramos 2016-03-03 06:09:47 EST
It looks like sslv2 has finally been re-enabled to break (nearly all) reverse deps:
http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/commit/?id=8f6be98bf7b9e9015ad035f34b8414e82c7b68ca

We are facing the same problem in Gentoo... but we have important worries about re-enabling sslv2 support in openssl as it looks like it could still cause security risks :/
https://bugs.gentoo.org/show_bug.cgi?id=576128
Comment 29 errata-xmlrpc 2016-03-08 23:09:27 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:0372 https://rhn.redhat.com/errata/RHSA-2016-0372.html
Comment 30 errata-xmlrpc 2016-03-09 09:49:08 EST
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6
  RHEV-H and Agents for RHEL-7

Via RHSA-2016:0379 https://rhn.redhat.com/errata/RHSA-2016-0379.html
Comment 31 errata-xmlrpc 2016-03-14 12:44:27 EDT
This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2016:0445 https://rhn.redhat.com/errata/RHSA-2016-0445.html
Comment 32 errata-xmlrpc 2016-03-14 16:02:28 EDT
This issue has been addressed in the following products:

  JBoss Web Server 3.0.2

Via RHSA-2016:0446 https://rhn.redhat.com/errata/RHSA-2016-0446.html
Comment 33 Fedora Update System 2016-03-17 14:24:05 EDT
openssl101e-1.0.1e-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 34 errata-xmlrpc 2016-03-22 12:50:02 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.6

Via RHSA-2016:0490 https://rhn.redhat.com/errata/RHSA-2016-0490.html
Comment 35 errata-xmlrpc 2016-07-27 11:32:48 EDT
This issue has been addressed in the following products:

  JBoss Operations Network 3.3.6 

Via RHSA-2016:1519 https://rhn.redhat.com/errata/RHSA-2016-1519.html