
The DROWN Attack: Configuring Your Operations Manager's Web Security

Blog Post created by jerryl on Mar 1, 2016

The DROWN attack - described at https://drownattack.com/ - is the latest security issue to receive broad attention on the Internet.  Here's the background:  secure ("https") connections have been implemented in a series of protocols.  The initial versions were named SSL, and went through three revisions starting in 1995.  TLS 1.0, introduced in January 1999 - 17 years ago! - was a more secure replacement for SSLv3.  It has since been superseded by TLS 1.1 (10 years ago!) and TLS 1.2 (8 years ago!).  All versions prior to TLS 1.1 have known weaknesses and should no longer be used.


VMTurbo Operations Manager instances include a copy of the Apache Web server.  This is what your browser connects to when you use the VMTurbo UI.  VMTurbo ships Apache's default configuration.  Apache's defaults aim to support even very old browsers, so the server accepts SSLv3 and later.  Modern security scans frequently report this configuration as "insecure".  However, modern browsers offer TLS 1.2 in their handshake, and Apache selects the newest version both sides support, so the old protocols are never actually used by a current browser.  In practice, the presence of support for the older protocols has been seen as a minor historical curiosity.


Until today.  The DROWN attack documents a practical mechanism by which an attacker who can open his own SSLv2 connections to a server - any server that shares the same RSA key, not only the one the victim is talking to - can use the server's responses as an oracle to decrypt an otherwise-secure TLS connection.  The "historical curiosity" has become a vulnerability: a server that still answers old SSL handshakes is a liability even when no legitimate client ever uses them.


The protocols that Apache accepts are set by the SSLProtocol directive in a configuration file, /etc/apache2/vhosts.d/vhost-ssl.  Attached to this message is a copy of an updated version of that file that enables the highest security settings currently available (TLS 1.1 and TLS 1.2 only).  IE 11 and all current versions of Chrome, Firefox, and Safari (and other modern browsers) can connect successfully to an Apache server using these settings.  IE 9 and 10 will connect if the optional TLS 1.1 support in those browsers is enabled; an attachment illustrates the necessary changes.  Note that Microsoft officially dropped all support for versions of IE older than IE 11 as of January 12, 2016.


To put the secure settings into place:

  1. Use ssh to log in to your VMTurbo Operations Manager instance as root.
  2. Put a copy of the attached file - unzipped if your browser hasn't done it for you - in /tmp/vhost-ssl.
  3. Rename the current version of the file: 

    mv /etc/apache2/vhosts.d/vhost-ssl /etc/apache2/vhosts.d/vhost-ssl.save

  4. Move the new version into place:

    mv /tmp/vhost-ssl /etc/apache2/vhosts.d/vhost-ssl

  5. Make sure the ownership and protection are correct:

    chown root:root /etc/apache2/vhosts.d/vhost-ssl

    chmod 644 /etc/apache2/vhosts.d/vhost-ssl

  6. Restart the Apache service:

    service apache2 restart

You do not need to restart the VMTurbo (Tomcat) process or the VM itself; Apache fronts Tomcat, and only Apache's TLS settings have changed.


Red Hat note:  On Red Hat, the name of the service you need to restart is httpd.
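The following script is an added example, not the file attached to this post and not VMTurbo's own tooling. It covers two things from above: the weak-versus-hardened SSLProtocol settings the attachment replaces, and the six-step swap, with a syntax check before the restart and a post-change probe from another machine. The directive values (in particular the cipher list), the /etc/redhat-release test for the service name, and the use of apache2ctl/apachectl for the syntax check are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the post's attachment). Audits an Apache SSL vhost for the
# protocol versions the post says to drop, shows a stock-style directive block
# beside a hardened one, and wraps the six-step swap with a syntax check.
# Directive values, paths and the /etc/redhat-release test are assumptions.

# Stock-style mod_ssl directives (assumed): "all -SSLv2" leaves SSLv3 and TLS 1.0 on.
weak_ssl_directives() {
    cat <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
EOF
}

# Hardened replacement (assumed): TLS 1.1/1.2 only, server-preferred forward-secret suites.
hardened_ssl_directives() {
    cat <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
EOF
}

# Exit 0 only if every SSLProtocol line in FILE excludes SSLv2, SSLv3 and TLSv1.
# "all" means everything not explicitly removed, and a missing directive means
# the mod_ssl default, which is also "all". Names are case-insensitive in Apache.
ssl_protocol_is_hardened() {
    file="$1"
    lines=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$file" || true)
    [ -n "$lines" ] || return 1
    printf '%s\n' "$lines" | tr 'A-Z' 'a-z' | while read -r name rest; do
        rest=" $rest "
        for v in sslv2 sslv3 tlsv1; do
            case "$rest" in
                *" $v "*|*" +$v "*) echo "enabled $v" ;;
                *" all "*|*" +all "*)
                    case "$rest" in *" -$v "*) ;; *) echo "enabled $v" ;; esac ;;
            esac
        done
    done | grep -q enabled && return 1
    return 0
}

# SUSE-based appliances call the service apache2; Red Hat calls it httpd.
apache_service_name() {
    if [ -f /etc/redhat-release ]; then echo httpd; else echo apache2; fi
}

# Steps 3-6 of the post as one operation: keep a .save copy, install NEW over
# VHOST, fix ownership and mode, and restart only if the new file parses.
install_hardened_vhost() {
    vhost="$1"; new="$2"
    ssl_protocol_is_hardened "$new" || {
        echo "refusing: $new still allows SSLv2, SSLv3 or TLSv1" >&2; return 1; }
    cp -p "$vhost" "$vhost.save"
    cp "$new" "$vhost"
    chown root:root "$vhost"
    chmod 644 "$vhost"
    ctl=$(command -v apache2ctl 2>/dev/null || echo apachectl)
    if ! "$ctl" configtest; then
        cp -p "$vhost.save" "$vhost"   # roll back rather than leave Apache down
        return 1
    fi
    service "$(apache_service_name)" restart
}

# From another machine: SSLv2/SSLv3 handshakes must fail and TLS 1.2 must work.
# An OpenSSL built without -ssl2/-ssl3 errors on those flags; that counts as refused.
verify_tls_only() {
    host="$1"
    for old in ssl2 ssl3; do
        if echo | openssl s_client -connect "$host:443" -$old >/dev/null 2>&1; then
            echo "FAIL: $host still accepts $old"; return 1
        fi
    done
    echo | openssl s_client -connect "$host:443" -tls1_2 >/dev/null 2>&1 || {
        echo "FAIL: $host does not accept TLS 1.2"; return 1; }
    echo "OK: $host refuses SSLv2/SSLv3 and accepts TLS 1.2"
}

# Offline demonstration: audit the two directive blocks above.
audit_demo() {
    for gen in weak_ssl_directives hardened_ssl_directives; do
        f=$(mktemp)
        "$gen" > "$f"
        if ssl_protocol_is_hardened "$f"; then echo "$gen: hardened"; else echo "$gen: WEAK"; fi
        rm -f "$f"
    done
}
audit_demo
```

Run it as-is to see the audit verdicts; on the appliance, after placing the new file in /tmp/vhost-ssl, `install_hardened_vhost /etc/apache2/vhosts.d/vhost-ssl /tmp/vhost-ssl` performs the swap and refuses to restart Apache on a syntax error, and `verify_tls_only <appliance-host>` from a workstation confirms the old protocols are gone.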

