DROWN Vulnerability Puts 22% of Servers at Risk
A new vulnerability, dubbed DROWN, has been discovered in SSL v2, the first version of SSL released in 1995. This vulnerability puts up to 22% of servers at risk, highlighting the danger of outdated cryptographic systems.
DROWN exploits a weakness in the way servers handle RSA key exchange during the TLS handshake. Even if client devices or servers do not support SSL v2, the attack can still succeed if the same RSA key is used elsewhere. This is an extension of the 1998 Bleichenbacher attack and can decrypt one out of every 1,000 full TLS handshakes.
Attacking automated services is easier than attacking browser sessions due to session caching and the lack of credentials in user sessions. Organizations and server operators using outdated OpenSSL versions with support for SSLv2 are affected by the DROWN attack. The best attack variant targets these vulnerable systems. The cost of the generic DROWN attack is $440 and 8 hours, but it can be sped up by increasing the budget.
The discovery of DROWN underscores the importance of keeping cryptographic systems up-to-date. Disabling SSL v2 on all servers is the recommended remediation for this vulnerability. Server operators are urged to patch their systems and disable SSL v2 to protect against potential attacks.
Read also:
- Web3 social arcade extends Pixelverse's tap-to-earn feature beyond Telegram to Base and Farcaster platforms.
- Over 5,600 Road Safety Violations Caught in Manchester Trial
- Jaguar Land Rover Resumes Production After Cyberattack, UK Govt & Banks Provide £3.5B Support
- French Police Arrest ShinyHunters Hacker Group Leader After Kering Data Breach
