One of the famous cross-protocol security bugs is Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack. This attack executes by using the application’s support for old, obsolete and insecure SSL v2 protocol. Using this protocol, the attacker leverages an attack on connections using current protocols that would otherwise be secure. This bug can successfully exploit the servers supporting new transport layer security (TLS) protocol suites. The DROWN attack can affect any server that offers services encrypted with transport layer security (TLS). It supports SSLv2, provided they share the same public key credentials between the two protocols. The DROWN attack allows attackers to break the encryption and read sensitive information from the communication channel. The confidential information includes passwords, credit card details, financial data and many more. According to sources, there is as much as 33% of servers on the internet are vulnerable to this attack. Mail servers and other websites that are dependent on TLS are vulnerable to this attack.
Using this vulnerability, an attacker can:-
Beagle recommends the following precautions:-