PATCH FREAK NOW: Cloud providers faulted for slow response
Pitting 90s technology against modern hackers is ‘no contest’
Hundreds of cloud providers are still vulnerable to the serious FREAK cryptographic vulnerability.
Skyhigh Networks found that 766 cloud services are still at risk 24 hours after FREAK was made public, based on an analysis of more than 10,000 different services.
The average company is using 122 potentially vulnerable services. The two stats taken together imply that more popular cloud services are disproportionately affected by slow patching against FREAK.
The FREAK (Factoring attack on RSA-Export Keys) vulnerability lets an attacker who can sit between a browser and a server force the connection down to 1990s 'export-grade' RSA encryption (512-bit keys that can be factored with modest computing power) and then decrypt the session to steal passwords and other personal information. Exploitation needs both halves: a server that still offers export-grade RSA cipher suites, and a client that accepts an export-grade key it never asked for.
Websites as well as cloud services are potentially at risk. OpenSSL patched the vulnerability in January, while characterising the flaw as "low risk".
Although there is still no evidence of attacks in the wild, that assessment was revised this week, and the vulnerability is now treated as serious and easy to exploit against vulnerable systems, if not critical.
One in ten (9.7 per cent) of the Alexa Top one million domains remain vulnerable (down from 12.2 per cent initially), according to a dedicated tracking site.
“If the website or cloud service you are accessing is built around Apache, and many are, FREAK is a serious vulnerability," said Nigel Hawthorn, EMEA director of strategy at Skyhigh Networks. "Until patches are made [applied], it’s a case of pitting 90s technology against modern hackers, which is no contest."
NCC Group associate director, Ollie Whitehouse, added: “The impact of exploitation of this vulnerability is in the worst case (Java/CyaSSL), where a threat actor is able to perform a man-in-the-middle attack, the ability to impersonate any server and force the connection to clear-text facilitating eavesdropping and content modification."
FREAK, much like the POODLE SSLv3 security vulnerability before it, underlines the point that many websites and web services allow users to fall back onto cryptographic protocols that are hopelessly insecure.
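The server-side half of that fallback is something you can test directly: send a ClientHello that offers nothing but RSA export suites and see whether the server takes the bait. The probe below is an added example written for this page, not a tool from Skyhigh, NCC Group or the tracking site mentioned above. It builds a TLS 1.0 ClientHello offering only the three RSA_EXPORT suites from the TLS specifications, and classifies the first record the server sends back; the sample ServerHello and alert records it checks offline are constructed, not captured traffic, and `example.test` is a placeholder host.

```python
"""Probe whether a TLS server still negotiates RSA export-grade cipher suites.

The ClientHello below offers ONLY RSA_EXPORT suites. A correctly configured server
has none enabled and must answer with a handshake_failure alert; one that answers
with a ServerHello selecting an export suite will do 512-bit RSA key exchange,
which is the server-side half of a FREAK downgrade.
"""
import socket
import struct

# The RSA export suites from the TLS 1.0/1.1 specifications (RFC 2246 / RFC 4346).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 22, 21
CLIENT_HELLO, SERVER_HELLO = 1, 2


def build_client_hello(suites=tuple(RSA_EXPORT_SUITES)) -> bytes:
    """TLS 1.0 ClientHello record offering only the given cipher suites."""
    client_random = b"\x00" * 32  # fixed for reproducibility; use os.urandom(32) for real scans
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x01"                                      # client_version = TLS 1.0
        + client_random
        + b"\x00"                                        # session_id length 0
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"                                    # compression_methods = {null}
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first TLS record a server sends back to the export-only ClientHello."""
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == ALERT:
        return "refused"                                 # no export suite in common: the desired outcome
    if content_type != HANDSHAKE or len(payload) < 4 or payload[0] != SERVER_HELLO:
        return "unknown"
    hs_len = int.from_bytes(payload[1:4], "big")
    hello = payload[4:4 + hs_len]
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    if len(hello) < 35:
        return "unknown"
    offset = 35 + hello[34]                              # skip the variable-length session_id
    if len(hello) < offset + 2:
        return "unknown"
    suite = struct.unpack("!H", hello[offset:offset + 2])[0]
    if suite in RSA_EXPORT_SUITES:
        return "export-accepted:" + RSA_EXPORT_SUITES[suite]
    return "unexpected-suite:0x%04x" % suite             # server picked a suite we never offered


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the probe over the network. Only run this against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = sock.recv(4096)
        # Keep reading if the first record arrived fragmented across TCP segments.
        while len(data) >= 5 and len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            more = sock.recv(4096)
            if not more:
                break
            data += more
        return classify_response(data)


def make_server_hello(suite: int) -> bytes:
    """Constructed sample ServerHello record (not captured traffic) for offline testing."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: a fatal handshake_failure alert record (level 2, description 40).
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print(classify_response(make_server_hello(0x0003)))  # export-accepted:TLS_RSA_EXPORT_WITH_RC4_40_MD5
    print(classify_response(SAMPLE_ALERT))               # refused
    # print(probe("example.test"))  # placeholder host; run only against systems you may scan
```

Two caveats when using this against real hosts. A server that requires TLS 1.2 or later will reject the TLS 1.0 ClientHello with a protocol_version alert, which the probe reports as "refused"; that is still the right answer for the question being asked, since no export suite was negotiated. And the probe only covers the server side: a browser or TLS library that silently accepts an RSA_EXPORT key exchange it never offered (the client half of FREAK) has to be checked separately.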
Hawthorn commented: "The fact that base levels of encryption are still accessible on so many websites is alarming. In theory, these low levels allow any device to communicate with any website using the strongest encryption possible. However, no one is accessing their bank account from an Acorn Computer and FREAK serves as a timely reminder that they should be put out to pasture."
Cloud providers, much like enterprises, need to have pre-patching systems and testing regimes rather than applying updates in the hope they won't break something. Hawthorn accepted this point while arguing there ought to be exceptions.
"Sometimes you have to break with testing regimes because an urgent security vulnerability is in the wild," he told El Reg.
Skyhigh is not naming cloud providers who remain vulnerable to FREAK. However, Hawthorn indicated that bigger enterprise-focused services are among the "patching laggards".
"Quite a lot of popular, enterprise cloud apps remain vulnerable," Hawthorn told El Reg. "The bigger the service is the more likely you are to find some vulnerable server."
Skyhigh Networks' technology allows organisations to monitor employee cloud use and lock down banned apps. The security firm contacted each of the cloud providers affected and is working with them to ensure they are aware of their vulnerability and perform remediation.
Further details about Skyhigh’s data about FREAK can be found in a blog post here. ®