33% of all HTTPS servers are vulnerable to DROWN: Who’s at risk and what you need to know
In March 2016, a team of researchers released details of DROWN (CVE-2016-0800), a cross-protocol attack that uses a server's SSLv2 support, most notably in OpenSSL, to break TLS connections. The researchers estimate it affects over 11 million websites and email services. Our dedicated research team analyzed over 16,000 websites to see which industries and domains had the most DROWN exposure.
But first, let’s unpack DROWN.
Why is DROWN Dangerous?
DROWN is dangerous because of its reach and because, against many servers, it is cheap to exploit. The researchers at DrownAttack estimate that over 33 percent of all HTTPS servers are vulnerable, some 11.5 million servers, including those of Buzzfeed, Alibaba, Flickr, and Samsung. The general attack lets an attacker decrypt a recorded TLS session after a few tens of thousands of probe connections and a computation the researchers priced at roughly $440 of cloud computing time; against servers running OpenSSL versions with additional SSLv2 bugs, the decryption takes under a minute on a single PC. Everything in those sessions is then exposed: passwords, credit card numbers, email and other communications.
DROWN targets TLS, the protocol behind HTTPS and the encrypted variants of SMTP, IMAP and POP. A server is exposed if it accepts SSLv2 connections itself, or if its private key is also used by any other server that accepts SSLv2 connections: the attacker uses the SSLv2 server as an oracle to decrypt the RSA-encrypted premaster secret of a recorded TLS handshake, so the TLS server itself never has to speak SSLv2. Only sessions negotiated with RSA key exchange can be decrypted this way; sessions that use ephemeral Diffie-Hellman are not directly at risk.
Many organizations reuse private keys across servers, typically because related services such as a web server and a mail server share one certificate. This is common but insecure. Operators have also been known to request new certificates for previously used keys: after Heartbleed, some 30,000 TLS certificates were revoked and reissued with the same key pair. SEC Consult also found that 580 unique private keys, extracted from the firmware of over 4,000 embedded devices from 70 vendors, were in use by more than 9 percent of all HTTPS hosts and 6 percent of all SSH hosts on the web.
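To make the key-reuse rule concrete, here is an added example (it is not part of the original article, nor SecurityScorecard's or the DROWN researchers' scanner) that takes a set of constructed scan records, one per TLS endpoint, and marks every endpoint whose key is also served by some SSLv2-enabled endpoint as exposed, even when the endpoint itself refuses SSLv2. The host names, ports and key_id fingerprints are made up.

```python
from collections import defaultdict

# Constructed scan records, one per TLS endpoint (hosts and keys are made up).
# key_id stands in for a fingerprint of the certificate's public key, which is
# what actually links endpoints: two certificates over the same key are one key.
SCAN_RECORDS = [
    {"host": "www.example.test",    "port": 443, "key_id": "key-A", "sslv2": False},
    {"host": "mail.example.test",   "port": 25,  "key_id": "key-A", "sslv2": True},
    {"host": "mail.example.test",   "port": 993, "key_id": "key-A", "sslv2": False},
    {"host": "shop.example.test",   "port": 443, "key_id": "key-B", "sslv2": False},
    {"host": "legacy.example.test", "port": 443, "key_id": "key-C", "sslv2": True},
]


def endpoint_name(record):
    return f"{record['host']}:{record['port']}"


def drown_exposure(records):
    """Classify each endpoint as exposed to DROWN or not.

    Returns {endpoint: (exposed, oracles)} where oracles is the list of
    SSLv2-enabled endpoints serving the same key. An endpoint that accepts
    SSLv2 is its own oracle; one that refuses SSLv2 is still exposed if any
    other endpoint with the same key accepts it.
    """
    sslv2_by_key = defaultdict(list)
    for r in records:
        if r["sslv2"]:
            sslv2_by_key[r["key_id"]].append(endpoint_name(r))

    result = {}
    for r in records:
        oracles = sslv2_by_key.get(r["key_id"], [])
        result[endpoint_name(r)] = (bool(oracles), list(oracles))
    return result


def report(records):
    """Human-readable summary; returns the lines so callers can log or check them."""
    lines = []
    for name, (exposed, oracles) in sorted(drown_exposure(records).items()):
        if not exposed:
            lines.append(f"{name}: not exposed")
        elif name in oracles:
            lines.append(f"{name}: EXPOSED (accepts SSLv2 itself)")
        else:
            lines.append(f"{name}: EXPOSED via shared key with {', '.join(oracles)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SCAN_RECORDS)))
```

The point the records illustrate: www.example.test:443 refuses SSLv2 and would pass a naive HTTPS-only check, yet it is fully exposed because the SMTP server on port 25 serves the same key and still accepts SSLv2. Feeding real scan output into this shape (fingerprint of the public key, not of the certificate, as key_id) gives the same propagation.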
Who is Most Vulnerable to DROWN?
In March 2016 we analyzed over 16,000 domains. The education industry had the most domains with DROWN detected, with government and telecommunications close behind. Entertainment, information services and technology had the fewest, less than half as many domains as education.
Looking at company size, domains with an IP range of over 1,000 addresses were three times as likely to be affected by DROWN as domains with a smaller range. Because this was such a strong indicator of risk, we looked at which industries within the 1,000+ range were most affected.
Among organizations with a large IT footprint of 1,000+ IPs, DROWN was most prevalent in the education, telecommunications and construction industries. Financial services, retail and hospitality had the fewest domains detected with DROWN.
What Can You Do About DROWN?
According to the DROWN Attack website, which has the full details of the vulnerability, server operators should:
- Upgrade OpenSSL: 1.0.2 users to 1.0.2g and 1.0.1 users to 1.0.1s. These releases disable SSLv2 by default; check that nothing in your own configuration turns it back on (for example Apache's SSLProtocol or Postfix's smtpd_tls_protocols directives). Older releases must be configured to refuse SSLv2 explicitly.
- Microsoft IIS 7.0 and later have SSLv2 disabled by default; on older IIS versions, disable SSLv2 in the Schannel settings.
- Check the DROWN Attack website to find out whether your domain or IP address was flagged, then scan every service that uses the same certificate or key, not only HTTPS on port 443: mail servers on ports 25, 465, 587, 993 and 995 are the usual leftovers (nmap's sslv2 script will do). One forgotten SSLv2 endpoint exposes every TLS endpoint that shares its key.
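As an added example of the check in the last step (this is neither the DROWN researchers' scanner nor SecurityScorecard's code), the following Python builds the SSLv2 CLIENT-HELLO that a scanner sends, parses the SERVER-HELLO a server with SSLv2 enabled answers with, and flags the 40-bit export cipher kinds that the general attack relies on. probe() sends the hello over a plain TCP socket to a host you name; build_server_hello() constructs what a vulnerable server would send back so the parser can be exercised offline. Current Python ssl builds cannot speak SSLv2 at all, which is why the record is assembled by hand.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3-byte identifiers from the SSLv2 specification).
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# 40-bit export kinds: the general DROWN attack needs the server to accept one of these.
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}


def sslv2_record(body):
    """Wrap a message in the 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge=None):
    """CLIENT-HELLO offering every SSLv2 cipher kind, as an SSLv2 scanner would send."""
    challenge = challenge if challenge is not None else os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01"                                   # MSG-CLIENT-HELLO
            + b"\x00\x02"                             # CLIENT-VERSION = SSLv2
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)               # no session id, then challenge
    return sslv2_record(body)


def build_server_hello(cipher_specs, cert_der=b"\x30\x03\x02\x01\x01", conn_id=b"\x00" * 16):
    """SERVER-HELLO as a server with SSLv2 enabled would answer (constructed, for testing).

    The default cert_der is a placeholder DER blob, not a real certificate.
    """
    specs = b"".join(cipher_specs)
    body = (b"\x04"                                   # MSG-SERVER-HELLO
            + b"\x00"                                 # SESSION-ID-HIT = no
            + b"\x01"                                 # CERTIFICATE-TYPE = X.509
            + b"\x00\x02"                             # SERVER-VERSION = SSLv2
            + struct.pack(">HHH", len(cert_der), len(specs), len(conn_id))
            + cert_der + specs + conn_id)
    return sslv2_record(body)


def parse_server_response(data):
    """Decide from the raw reply whether the peer accepted SSLv2 and which ciphers it offers."""
    if len(data) < 3:
        return {"sslv2": False, "reason": "connection closed or empty reply"}
    if data[0] in (0x15, 0x16) and data[1] == 0x03:
        return {"sslv2": False, "reason": "TLS record in reply (alert or handshake); SSLv2 refused"}
    if data[0] & 0x80:                                # 2-byte header, no padding
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
    else:                                             # 3-byte header, third byte is padding length
        length = ((data[0] & 0x3F) << 8) | data[1]
        body = data[3:3 + length]
    if len(body) < 11 or body[0] != 0x04:
        return {"sslv2": False, "reason": "not an SSLv2 SERVER-HELLO"}
    cert_len, specs_len, _conn_len = struct.unpack(">HHH", body[5:11])
    cert_der = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    kinds = [specs[i:i + 3] for i in range(0, len(specs), 3)]
    return {
        "sslv2": True,
        "ciphers": [SSLV2_CIPHERS.get(k, k.hex()) for k in kinds],
        "export": any(k in EXPORT_CIPHERS for k in kinds),
        "certificate_der": cert_der,
    }


def probe(host, port=443, timeout=5.0):
    """Send a CLIENT-HELLO to host:port over plain TCP and classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        try:
            while len(data) < 16384:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass                                      # SSLv2 servers wait for CLIENT-MASTER-KEY
    return parse_server_response(data)


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(target_host, target_port))
```

Run it as python drown_probe.py mail.example.test 25 (the host name is a placeholder) against each port that serves your key, not just 443. A reply of sslv2: True with export: True is the worst case; a TLS alert or a closed connection means the service refuses SSLv2. For STARTTLS services such as SMTP on port 25 the plaintext STARTTLS exchange has to happen before the hello is sent, which this probe does not do; use the implicit-TLS ports (465, 993, 995) or extend probe() accordingly.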
Unfortunately, there is nothing individuals or companies can do on the browser or client side. Modern browsers and mail clients no longer offer SSLv2, and the attack works on recorded traffic without involving the client at all, so only server operators can address the issue.
We’ve recently updated our scoring system to factor in DROWN vulnerability, which allows you to better understand your own security and the security of any potential third party vendors, ensuring they aren’t leaving themselves and their partners vulnerable to this dangerous attack.
For SecurityScorecard customers, you can check the vulnerability of any of your vendors through our platform, filtering for a number of well-known vulnerabilities, including DROWN, FREAK and POODLE. For a detailed look at the IP addresses affected by the listed issues, check the 'issues' section and 'show details' on your Patching Cadence score.