A group of security researchers discovered that SSLv2 (Secure Sockets Layer protocol version 2.0) is vulnerable to the Bleichenbacher RSA padding oracle attack, which can be used to decrypt RSA ciphertext without knowledge of the matching private RSA key by observing responses from a server that has the private key and performs decryption of attacker-provided ciphertexts using that key. This flaw is an SSLv2 protocol issue and affects all implementations of the protocol. They also demonstrated a cross-protocol attack which allows them to decrypt SSL/TLS sessions using newer protocol versions - SSLv3 or any current TLS (Transport Layer Security) version (1.0 - 1.2) - using this SSLv2 weakness. This cross-protocol attack was named DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. Additionally, flaws were found in the SSLv2 protocol implementation in the OpenSSL cryptography and SSL/TLS library, which make it possible to perform a more efficient variant of the DROWN attack, referred to as special DROWN. These issues were assigned CVE-2016-0703 (bug 1310811) and CVE-2016-0704 (bug 1310814), and were already recently corrected as part of the fix for CVE-2015-0293 (bug 1202404). The OpenSSL library is significantly affected by DROWN both because of the implementation issues in older versions that allow an efficient attack, and also because SSLv2 is enabled by default when using the recommended SSLv23 connection methods. The NSS (Network Security Services) library also implements the SSLv2 protocol, but disables it by default, which limits the impact of this issue on the library.
Created attachment 1129416: OpenSSL upstream patch
External References: https://access.redhat.com/articles/2176731 https://www.openssl.org/news/secadv/20160301.txt https://www.drownattack.com/
Acknowledgments: Name: the OpenSSL project Upstream: Nimrod Aviram, Sebastian Schinzel
Comment on attachment 1129416 (OpenSSL upstream patch)
(In reply to Adam Mariš from comment #1)
The OpenSSL upstream patch includes multiple changes:
* SSLv2 is now disabled by default at compile time, which makes it impossible to use SSLv2 via both SSLv2 and SSLv23 connection methods. Previously, it was possible to build OpenSSL without SSLv2 support by using the "no-ssl2" configure option. That has now been made the default, and the "enable-ssl2" configure option now needs to be provided to enable SSLv2 support.
* When OpenSSL is built with SSLv2 support, SSLv2 is now disabled by default when using SSLv23 connection methods (SSLv23_method(), SSLv23_server_method(), SSLv23_client_method() - see the SSL_CTX_new manual page). To use SSLv2 with SSLv23 connection methods, applications now need to explicitly clear the SSL_OP_NO_SSLv2 option on SSL_CTX or SSL objects using SSL_CTX_clear_options() or SSL_clear_options(). The SSLv2 connection methods are not affected by this change. Note that openssl packages in Fedora 21 and later already have SSLv2 disabled by default when using SSLv23 methods. In Fedora 22 and later, SSLv3 is disabled by default as well. http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/commit/openssl-1.0.1h-disable-sslv2v3.patch?h=f22&id=646646611547dd7072b0562ed5f27861fbb12f48
* Weak (40-bit EXPORT and 56-bit DES) SSLv2 cipher support was removed. The following ciphers are no longer available:
  - EXP-RC2-CBC-MD5 / SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
  - EXP-RC4-MD5 / SSL_CK_RC4_128_EXPORT40_WITH_MD5
  - DES-CBC-MD5 / SSL_CK_DES_64_CBC_WITH_MD5
* Weak (EXPORT and LOW) SSLv3 cipher support is not compiled in unless OpenSSL is built with the "enable-weak-ssl-ciphers" configure option.
Updates in Red Hat products include changes to SSLv23 connection methods and remove weak SSLv2 ciphers. Refer to knowledge base article 2176731 (see comment 3 above) for further details.
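As an added configuration check that is not part of this bug or of OpenSSL's own code: a Python probe that sends an SSLv2 CLIENT-HELLO offering the SSLv2 cipher kinds, including the three removed weak ones listed above, and reports whether a server still answers with an SSLv2 SERVER-HELLO and which kinds it offers, which is exactly the exposure the SSLv23-method change closes. The host passed to probe_server and the embedded sample reply are constructed; any reply that is not an SSLv2 SERVER-HELLO (a TLS alert, for example) is reported as SSLv2 refused.

```python
import socket
import struct

# SSLv2 cipher-kind codes (3 bytes each); "weak" marks the kinds the fix removed.
SSLV2_CIPHERS = {
    0x010080: "RC4-MD5",
    0x020080: "EXP-RC4-MD5",      # weak: 40-bit export
    0x030080: "RC2-CBC-MD5",
    0x040080: "EXP-RC2-CBC-MD5",  # weak: 40-bit export
    0x050080: "IDEA-CBC-MD5",
    0x060040: "DES-CBC-MD5",      # weak: 56-bit DES
    0x0700C0: "DES-CBC3-MD5",
}
WEAK_CIPHERS = {0x020080, 0x040080, 0x060040}

def build_sslv2_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO (msg type 1, version 0x0002) offering every kind above."""
    specs = b"".join(struct.pack(">I", code)[1:] for code in SSLV2_CIPHERS)
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    # Two-byte SSLv2 record header; the high bit means no padding byte follows.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data: bytes):
    """Return (sslv2_accepted, offered_cipher_names, weak_offered) for a raw reply."""
    # Anything but an SSLv2 SERVER-HELLO (msg type 4), e.g. a TLS alert record
    # starting with 0x15, means the server refused SSLv2.
    if len(data) < 2 or not data[0] & 0x80:
        return False, [], False
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != 4:
        return False, [], False
    _, _, _, _, cert_len, spec_len, _ = struct.unpack(">BBBHHHH", body[:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    codes = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, len(specs) - 2, 3)]
    names = [SSLV2_CIPHERS.get(c, "unknown-%06x" % c) for c in codes]
    return True, names, any(c in WEAK_CIPHERS for c in codes)

def probe_server(host: str, port: int = 443, timeout: float = 5.0):
    """Send the CLIENT-HELLO to a live server (hypothetical host) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        return parse_sslv2_server_hello(sock.recv(4096))

# Constructed SERVER-HELLO (empty certificate for brevity) from a server that still
# accepts SSLv2 and offers two of the removed weak cipher kinds.
SAMPLE_SERVER_HELLO = (struct.pack(">H", 0x8000 | 36)
                       + struct.pack(">BBBHHHH", 4, 0, 1, 0x0002, 0, 9, 16)
                       + bytes.fromhex("010080020080060040") + b"\x22" * 16)
```

A server running the patched OpenSSL with SSLv23_server_method() should yield (False, [], False); any True result means SSLv2 is still reachable and the server is DROWN-exposed.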
Statement: (none)
The site for this issue: https://www.drownattack.com/ Technical details can be found in the published paper "DROWN: Breaking TLS using SSLv2": https://www.drownattack.com/drown-attack-paper.pdf
OpenSSL advisory: https://www.openssl.org/news/secadv/20160301.txt Related OpenSSL upstream commits: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=56f1acf5ef8a432992497a04792ff4b3b2c6f286 https://git.openssl.org/?p=openssl.git;a=commitdiff;h=a82cfd612b30258c7d720153298846727b06b046 https://git.openssl.org/?p=openssl.git;a=commitdiff;h=abd5d8fbef7085499ba7785622da4e8288068f46 OpenSSL upstream blog post: https://openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/
Mark Cox's (Red Hat Product Security) blog post: https://access.redhat.com/blogs/product-security/posts/drown
This issue has been addressed in the following products: Red Hat Enterprise Linux 4 Extended Lifecycle Support Via RHSA-2016:0306 https://rhn.redhat.com/errata/RHSA-2016-0306.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5.6 Long Life Red Hat Enterprise Linux 5.9 Long Life Via RHSA-2016:0304 https://rhn.redhat.com/errata/RHSA-2016-0304.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.2 Advanced Update Support Red Hat Enterprise Linux 6.5 Advanced Update Support Red Hat Enterprise Linux 6.4 Advanced Update Support Via RHSA-2016:0303 https://rhn.redhat.com/errata/RHSA-2016-0303.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2016:0302 https://rhn.redhat.com/errata/RHSA-2016-0302.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.1 Extended Update Support Red Hat Enterprise Linux 6.6 Extended Update Support Via RHSA-2016:0305 https://rhn.redhat.com/errata/RHSA-2016-0305.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0301 https://rhn.redhat.com/errata/RHSA-2016-0301.html
It looks like sslv2 has finally been re-enabled to break (nearly all) reverse deps: http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/commit/?id=8f6be98bf7b9e9015ad035f34b8414e82c7b68ca We are facing the same problem in Gentoo... but we have important worries about re-enabling sslv2 support in openssl as it looks like it could still cause security risks :/ https://bugs.gentoo.org/show_bug.cgi?id=576128
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0372 https://rhn.redhat.com/errata/RHSA-2016-0372.html
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 RHEV-H and Agents for RHEL-7 Via RHSA-2016:0379 https://rhn.redhat.com/errata/RHSA-2016-0379.html
This issue has been addressed in the following products: JBoss Web Server 2.1.0 Via RHSA-2016:0445 https://rhn.redhat.com/errata/RHSA-2016-0445.html
This issue has been addressed in the following products: JBoss Web Server 3.0.2 Via RHSA-2016:0446 https://rhn.redhat.com/errata/RHSA-2016-0446.html
openssl101e-1.0.1e-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.4.6 Via RHSA-2016:0490 https://rhn.redhat.com/errata/RHSA-2016-0490.html
This issue has been addressed in the following products: JBoss Operations Network 3.3.6 Via RHSA-2016:1519 https://rhn.redhat.com/errata/RHSA-2016-1519.html