A new OpenSSL vulnerability, DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), was announced earlier this week, and it affects servers that still support SSLv2. This is a serious business risk because of how easy the attack is to pull off: it costs less than $500. In fact, if you want to see whether a site you use is vulnerable – your bank, your health insurance, your favorite online store – you can check it easily here.
DROWN lets an attacker perform MITM attacks on TLS connections in under 1 minute by sending probes to servers that support SSLv2. The vulnerability impacts roughly 33% of web servers worldwide. Significant as that number is, it does not account for other services that allow SSLv2, including email servers, embedded systems, web applications and other software supporting SSL/TLS.
The required remediation steps are similar to those for Heartbleed. Hopefully organizations will take heed and remediate faster (and more completely) than they did for Heartbleed. Last year, a full year after Heartbleed was discovered, most of the Global 2000 organizations that Venafi surveyed had still not remediated Heartbleed. That's why we recommend doing more to remediate (download our DROWN remediation plan).
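The precondition DROWN needs is a server that still answers an SSLv2 CLIENT-HELLO, and disabling SSLv2 is the first remediation step. The script below is an added example, not Venafi's code or part of the DROWN remediation plan: it builds the SSLv2 CLIENT-HELLO and parses the SERVER-HELLO exactly as the SSL 2.0 specification lays them out, and classifies a reply as "sslv2-accepted" or "sslv2-rejected". The sample responses, cipher list, challenge bytes and the `probe()` helper are constructed for illustration; `probe()` is meant for servers you operate yourself.

```python
"""Added example (not Venafi's code): a defender's check for whether a server still
accepts SSLv2. Field layouts follow the SSL 2.0 specification; the sample
responses at the bottom are constructed, not captured traffic."""
import socket
import struct

SSL2_CLIENT_HELLO = 0x01   # SSLv2 message types
SSL2_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# SSLv2 cipher-spec codes (3 bytes each) as listed in the SSL 2.0 specification
SSL2_CIPHERS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]


def ssl2_record(body: bytes) -> bytes:
    """Wrap a message in the 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """CLIENT-HELLO: type, version, cipher-specs len, session-id len, challenge len, data."""
    ciphers = b"".join(SSL2_CIPHERS)
    body = (struct.pack("!BHHHH", SSL2_CLIENT_HELLO, SSL2_VERSION,
                        len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    return ssl2_record(body)


def parse_server_hello(data: bytes):
    """Return {"version", "ciphers"} if data is an SSLv2 SERVER-HELLO, else None.
    A server with SSLv2 disabled answers with a TLS alert or closes the connection;
    neither carries the SSLv2 record header, so both yield None."""
    if len(data) < 2:
        return None
    header = struct.unpack("!H", data[:2])[0]
    if not header & 0x8000:
        return None
    body = data[2:2 + (header & 0x7FFF)]
    if len(body) < 11 or body[0] != SSL2_SERVER_HELLO:
        return None
    # SESSION-ID-HIT, CERTIFICATE-TYPE, SERVER-VERSION, then three length fields
    _hit, _cert_type, version, cert_len, cs_len, _cid_len = struct.unpack("!BBHHHH", body[1:11])
    cs_start = 11 + cert_len
    specs = body[cs_start:cs_start + cs_len]
    if len(specs) != cs_len or cs_len % 3:
        return None
    return {"version": version,
            "ciphers": [specs[i:i + 3] for i in range(0, cs_len, 3)]}


def classify(response: bytes) -> str:
    """Map a server's first reply to a remediation verdict."""
    hello = parse_server_hello(response)
    if hello and hello["ciphers"]:
        return "sslv2-accepted"   # DROWN precondition present: disable SSLv2 here
    return "sslv2-rejected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send one CLIENT-HELLO to a server you operate and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify(reply)


# Constructed sample responses (hypothetical, not captured traffic)
def build_server_hello(ciphers, cert=b"\x30\x03\x02\x01\x00", conn_id=b"\xaa" * 16) -> bytes:
    """SERVER-HELLO: type, session-id-hit, cert type, version, three lengths, data."""
    specs = b"".join(ciphers)
    body = (struct.pack("!BBBHHHH", SSL2_SERVER_HELLO, 0, 1, SSL2_VERSION,
                        len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return ssl2_record(body)


SAMPLE_SSLV2_HELLO = build_server_hello(SSL2_CIPHERS[:2])   # legacy server still speaking SSLv2
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"         # hardened server: TLS alert protocol_version

if __name__ == "__main__":
    print("legacy sample:", classify(SAMPLE_SSLV2_HELLO))
    print("hardened sample:", classify(SAMPLE_TLS_ALERT))
```

A clean "sslv2-rejected" on the web server is necessary but not sufficient: DROWN also works when the same RSA key or certificate is reused on any other host or service (mail, embedded, legacy appliances) that still accepts SSLv2, and a per-host probe cannot see that. That is where an inventory of where every key and certificate is deployed, the gap the Ponemon figures below describe, completes the check.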
According to the Ponemon Institute, 100% of organizations have responded to an attack that misuses keys and certificates in the last two years. And an alarming 54% of them are unaware of where all of their keys and certificates are located. Not only are attacks that leverage keys and certificates increasing, their impact is as well. The organizations surveyed by the Ponemon Institute estimated the risk of an attack using keys and certificates at $53 million over the next two years—this considerable risk should be a wakeup call for all organizations.
DROWN points out the need to know what’s trusted and what’s not. That’s why we’re here to help. Download our DROWN Threat Brief and then let us know if we can be of assistance.