Bug 1310593 (CVE-2016-0800, DROWN) - CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
Summary: CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-0800, DROWN
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1301848 1301849 1301850 1301851 1301852 1311103 1311104 1311478 1311479 1311480 1311481 1311482 1311483 1311484 1311867 1312239 1312240 1312891 1312892 1313366 1313378 1313595 1313598 1313619 1314097 1314718 1314719 1314720 1314721
Blocks: 1301847
 
Reported: 2016-02-22 10:24 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-17 04:19 UTC
CC List: 47 users

Fixed In Version: openssl 1.0.1s, openssl 1.0.2g
Doc Type: Bug Fix
Doc Text:
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
Clone Of:
Environment:
Last Closed: 2017-05-25 19:43:20 UTC
Embargoed:


Attachments
OpenSSL upstream patch (53.91 KB, patch)
2016-02-22 17:30 UTC, Adam Mariš


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0301 0 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 21:07:25 UTC
Red Hat Product Errata RHSA-2016:0302 0 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 19:45:53 UTC
Red Hat Product Errata RHSA-2016:0303 0 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 19:45:41 UTC
Red Hat Product Errata RHSA-2016:0304 0 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 19:45:06 UTC
Red Hat Product Errata RHSA-2016:0305 0 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 20:09:45 UTC
Red Hat Product Errata RHSA-2016:0306 0 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 19:44:56 UTC
Red Hat Product Errata RHSA-2016:0372 0 normal SHIPPED_LIVE Important: openssl098e security update 2016-03-09 09:08:29 UTC
Red Hat Product Errata RHSA-2016:0379 0 normal SHIPPED_LIVE Important: rhev-hypervisor security, bug fix and enhancement update 2016-03-09 19:10:28 UTC
Red Hat Product Errata RHSA-2016:0445 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 OpenSSL security update 2017-10-24 20:37:08 UTC
Red Hat Product Errata RHSA-2016:0446 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.0.2 OpenSSL Security Update 2016-03-15 00:00:19 UTC
Red Hat Product Errata RHSA-2016:0490 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.6 OpenSSL security update 2016-03-22 20:48:57 UTC
Red Hat Product Errata RHSA-2016:1519 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Operations Network 3.3.6 update 2016-08-26 00:44:36 UTC

Description Huzaifa S. Sidhpurwala 2016-02-22 10:24:03 UTC
A group of security researchers discovered that SSLv2 (Secure Sockets Layer protocol version 2.0) is vulnerable to the Bleichenbacher RSA padding oracle attack, which can be used to decrypt RSA cipher text without knowledge of the matching private RSA key by observing responses from a server that has the private key and performs decryption of attacker-provided cipher texts using that key. This flaw is an SSLv2 protocol issue and affects all implementations of the protocol.

They also demonstrated a cross-protocol attack which allows them to decrypt SSL/TLS sessions using newer protocol versions - SSLv3 or any current TLS (Transport Layer Security) version (1.0 - 1.2) - using this SSLv2 weakness.  This cross-protocol attack was named DROWN - Decrypting RSA using Obsolete and Weakened eNcryption.

Additionally, flaws were found in the SSLv2 protocol implementation in the OpenSSL cryptography and SSL/TLS library, which make it possible to perform a more efficient variant of the DROWN attack, referred to as special DROWN. These issues were assigned CVE-2016-0703 (bug 1310811) and CVE-2016-0704 (bug 1310814), and were already recently corrected as part of the fix for CVE-2015-0293 (bug 1202404).

The OpenSSL library is significantly affected by DROWN both because of the implementation issues in older versions that allow efficient attack, and also because SSLv2 is enabled by default when using recommended SSLv23 connection methods.

The NSS (Network Security Services) library also implements the SSLv2 protocol, but disables it by default, which limits the impact of this issue on the library.

Comment 1 Adam Mariš 2016-02-22 17:30:20 UTC
Created attachment 1129416 [details]
OpenSSL upstream patch

Comment 7 Martin Prpič 2016-02-29 12:26:25 UTC
Acknowledgments:

Name: the OpenSSL project
Upstream: Nimrod Aviram, Sebastian Schinzel

Comment 9 Tomas Hoger 2016-02-29 13:31:58 UTC
Comment on attachment 1129416 [details]
OpenSSL upstream patch

(In reply to Adam Mariš from comment #1)

The OpenSSL upstream patch includes multiple changes:

* SSLv2 is now disabled by default at compile time, which makes it impossible to use SSLv2 via both SSLv2 and SSLv23 connection methods.  Previously, it was possible to build OpenSSL without SSLv2 support by using the "no-ssl2" configure option.  That has now been made the default, and the "enable-ssl2" configure option now needs to be provided to enable SSLv2 support.

* When OpenSSL is built with SSLv2 support, SSLv2 is now disabled by default when using SSLv23 connection methods (SSLv23_method(), SSLv23_server_method(), SSLv23_client_method() - see SSL_CTX_new manual page).  To use SSLv2 with SSLv23 connection methods, applications now need to explicitly clear SSL_OP_NO_SSLv2 option on SSL_CTX or SSL objects using SSL_CTX_clear_options() or SSL_clear_options().

The SSLv2 connection methods are not affected by this change.

Note that openssl packages in Fedora 21 and later already have SSLv2 disabled by default when using SSLv23 methods.  In Fedora 22 and later, SSLv3 is disabled by default as well.

http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/commit/openssl-1.0.1h-disable-sslv2v3.patch?h=f22&id=646646611547dd7072b0562ed5f27861fbb12f48

* Weak (40bit EXPORT and 56bit DES) SSLv2 cipher support was removed.  The following ciphers are no longer available:

- EXP-RC2-CBC-MD5 / SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
- EXP-RC4-MD5 / SSL_CK_RC4_128_EXPORT40_WITH_MD5
- DES-CBC-MD5 / SSL_CK_DES_64_CBC_WITH_MD5

* Weak (EXPORT and LOW) SSLv3 cipher support is not compiled in unless OpenSSL is built with "enable-weak-ssl-ciphers" configure option.


Updates in Red Hat products include changes to SSLv23 connection methods and remove weak SSLv2 ciphers.  Refer to knowledge base article 2176731 (see comment 3 above) for further details.

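The description and comment 9 above give enough of the SSLv2 wire format to test a server for the condition both discuss: whether it still answers an SSLv2 CLIENT-HELLO at all, and whether it still offers the three weak cipher kinds (EXP-RC2-CBC-MD5, EXP-RC4-MD5, DES-CBC-MD5) that the upstream patch removes. The Python below is an added example, not code from this bug report, Red Hat or the OpenSSL project. It builds the CLIENT-HELLO offering every SSLv2 cipher kind, parses the SERVER-HELLO and reports the verdict. The SAMPLE_SERVER_HELLO bytes, the 2-byte placeholder certificate inside them, and the TLS alert used as the "SSLv2 disabled" case are constructed for offline use, not captures; probe() is an assumed helper for a live check and must only be pointed at hosts you are authorized to test.

```python
"""SSLv2 probe helpers (added example; not from the bug report, Red Hat or
OpenSSL). Record and message layouts follow the SSLv2 protocol draft."""
import os
import socket
import struct

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04

# SSLv2 CIPHER-KIND values (3 bytes each) -> "OpenSSL name / SSLv2 name".
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4-MD5 / SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "EXP-RC4-MD5 / SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2-CBC-MD5 / SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "EXP-RC2-CBC-MD5 / SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA-CBC-MD5 / SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES-CBC-MD5 / SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES-CBC3-MD5 / SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# The three kinds the upstream patch removes (40-bit EXPORT and 56-bit DES).
WEAK_SSLV2_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80", b"\x06\x00\x40"}


def build_client_hello(challenge=None):
    """Return one SSLv2 record carrying a CLIENT-HELLO that offers every kind."""
    if challenge is None:
        challenge = os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)               # keys in insertion order
    body = (bytes([MSG_CLIENT_HELLO]) + b"\x00\x02"  # CLIENT-VERSION = 0x0002
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)                   # no SESSION-ID sent
    # 2-byte header: high bit set = no padding byte, 15-bit record length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_record(data):
    """Split one SSLv2 record into (body, remaining bytes); 2- or 3-byte header."""
    if len(data) < 2:
        raise ValueError("short record header")
    if data[0] & 0x80:
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                            # byte 2 is padding length
        if len(data) < 3:
            raise ValueError("short record header")
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    if len(data) < hdr + length:
        raise ValueError("truncated record")
    return data[hdr:hdr + length], data[hdr + length:]


def parse_server_hello(body):
    """Decode an SSLv2 SERVER-HELLO body into its fields."""
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        raise ValueError("not an SSLv2 SERVER-HELLO")
    version, cert_len, cs_len, conn_len = struct.unpack(">HHHH", body[3:11])
    cert_end, cs_end = 11 + cert_len, 11 + cert_len + cs_len
    specs, conn_id = body[cert_end:cs_end], body[cs_end:cs_end + conn_len]
    if len(conn_id) != conn_len or cs_len % 3:
        raise ValueError("malformed SERVER-HELLO")
    return {"session_id_hit": body[1], "cert_type": body[2], "version": version,
            "certificate": body[11:cert_end], "connection_id": conn_id,
            "cipher_kinds": [specs[i:i + 3] for i in range(0, cs_len, 3)]}


def assess_server_hello(hello):
    """Any SERVER-HELLO means SSLv2 is on; also list the removed weak kinds."""
    kinds = hello["cipher_kinds"]
    return {"sslv2_enabled": True,
            "ciphers": [SSLV2_CIPHERS.get(k, k.hex()) for k in kinds],
            "weak_ciphers": [SSLV2_CIPHERS[k] for k in kinds if k in WEAK_SSLV2_CIPHERS]}


def classify_response(data):
    """Verdict for raw bytes received after our CLIENT-HELLO. A server that no
    longer speaks SSLv2 sends a TLS alert or closes, so anything that is not a
    well-formed SSLv2 SERVER-HELLO counts as 'SSLv2 disabled'."""
    try:
        hello = parse_server_hello(parse_record(data)[0])
    except ValueError:
        return {"sslv2_enabled": False, "ciphers": [], "weak_ciphers": []}
    return assess_server_hello(hello)


def probe(host, port=443, timeout=5.0):
    """Assumed helper: live check against a host you are authorized to test."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                try:
                    parse_record(data)               # full record received
                    break
                except ValueError:
                    pass
        except socket.timeout:
            pass
    return classify_response(data)


# Constructed sample (not a capture): an SSLv2 SERVER-HELLO from a server that
# still offers RC4-MD5 plus two of the weak kinds; the certificate field holds
# a 2-byte placeholder rather than real X.509 DER.
SAMPLE_SERVER_HELLO = (
    b"\x80\x26"                                  # no padding, 38-byte body
    + bytes([MSG_SERVER_HELLO, 0x00, 0x01])      # SESSION-ID-HIT=0, CERT-TYPE=X.509
    + struct.pack(">HHHH", 0x0002, 2, 9, 16)     # version, cert, specs, conn-id lens
    + b"\x30\x00"                                # placeholder certificate bytes
    + b"\x01\x00\x80" + b"\x02\x00\x80" + b"\x06\x00\x40"
    + b"\x00" * 16                               # CONNECTION-ID
)

if __name__ == "__main__":
    print(classify_response(SAMPLE_SERVER_HELLO))
```

A patched server (SSLv2 off, or built with the default no-ssl2) never produces a SERVER-HELLO for this probe, so the verdict is "disabled" regardless of cipher configuration; a server that answers but lists none of the weak kinds is the state comment 9 describes for builds that keep SSLv2 compiled in yet drop the EXPORT and DES kinds.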
Comment 10 Martin Prpič 2016-03-01 13:05:37 UTC
Statement:

(none)

Comment 11 Tomas Hoger 2016-03-01 14:13:21 UTC
The site for this issue:

https://www.drownattack.com/

Technical details can be found in the published paper "DROWN: Breaking TLS using SSLv2":

https://www.drownattack.com/drown-attack-paper.pdf

Comment 13 Tomas Hoger 2016-03-01 14:16:43 UTC
Mark Cox's (Red Hat Product Security) blog post:

https://access.redhat.com/blogs/product-security/posts/drown

Comment 14 errata-xmlrpc 2016-03-01 14:46:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4 Extended Lifecycle Support

Via RHSA-2016:0306 https://rhn.redhat.com/errata/RHSA-2016-0306.html

Comment 15 errata-xmlrpc 2016-03-01 14:48:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2016:0304 https://rhn.redhat.com/errata/RHSA-2016-0304.html

Comment 16 errata-xmlrpc 2016-03-01 14:50:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2016:0303 https://rhn.redhat.com/errata/RHSA-2016-0303.html

Comment 17 errata-xmlrpc 2016-03-01 14:52:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:0302 https://rhn.redhat.com/errata/RHSA-2016-0302.html

Comment 18 errata-xmlrpc 2016-03-01 15:11:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support
  Red Hat Enterprise Linux 6.6 Extended Update Support

Via RHSA-2016:0305 https://rhn.redhat.com/errata/RHSA-2016-0305.html

Comment 19 errata-xmlrpc 2016-03-01 16:09:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:0301 https://rhn.redhat.com/errata/RHSA-2016-0301.html

Comment 26 Pacho Ramos 2016-03-03 11:09:47 UTC
It looks like sslv2 has finally been re-enabled so as not to break (nearly all) reverse deps:
http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/commit/?id=8f6be98bf7b9e9015ad035f34b8414e82c7b68ca

We are facing the same problem in Gentoo... but we have important worries about re-enabling sslv2 support in openssl, as it looks like it could still cause security risks :/
https://bugs.gentoo.org/show_bug.cgi?id=576128

Comment 29 errata-xmlrpc 2016-03-09 04:09:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:0372 https://rhn.redhat.com/errata/RHSA-2016-0372.html

Comment 30 errata-xmlrpc 2016-03-09 14:49:08 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6
  RHEV-H and Agents for RHEL-7

Via RHSA-2016:0379 https://rhn.redhat.com/errata/RHSA-2016-0379.html

Comment 31 errata-xmlrpc 2016-03-14 16:44:27 UTC
This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2016:0445 https://rhn.redhat.com/errata/RHSA-2016-0445.html

Comment 32 errata-xmlrpc 2016-03-14 20:02:28 UTC
This issue has been addressed in the following products:

  JBoss Web Server 3.0.2

Via RHSA-2016:0446 https://rhn.redhat.com/errata/RHSA-2016-0446.html

Comment 33 Fedora Update System 2016-03-17 18:24:05 UTC
openssl101e-1.0.1e-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2016-03-22 16:50:02 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.6

Via RHSA-2016:0490 https://rhn.redhat.com/errata/RHSA-2016-0490.html

Comment 35 errata-xmlrpc 2016-07-27 15:32:48 UTC
This issue has been addressed in the following products:

  JBoss Operations Network 3.3.6 

Via RHSA-2016:1519 https://rhn.redhat.com/errata/RHSA-2016-1519.html

