As many as 575 cloud-based services have been left at risk to the newly discovered LogJam crypto vulnerability, according to cloud security specialists Skyhigh Networks.
LogJam creates a means for hackers to weaken encrypted connections between a user and a web or email server. The vulnerability was discovered as part of investigations into the FREAK flaw, found earlier in the year.
The bug allows hackers to trick the browser into believing that it is using a regular encryption key, rather than the smaller "export" key, which is more easily broken. The vulnerability reportedly puts more than 20,000 websites at risk. Some experts reckon the hacker needs to be on the same network as an intended victim but this still leaves open the possibility of tampering with the connection of cloud-based service users and more in Wi-Fi hotspots and other locations. Spy agencies who have effective control of country-wide networks might also be able to exploit the flaw.
Based on analysis of 10,000 cloud applications and data from more than 17 million global cloud users, cloud visibility firm Skyhigh Networks reckons that 575 cloud services are potentially vulnerable to man-in-the middle attacks. The average company uses 71 potentially vulnerable cloud services.
Nigel Hawthorn, EMEA director of strategy at Skyhigh Networks, commented: "To patch the vulnerability, cloud providers should disable support for export suites, deploy elliptic-curve Diffie-Hellman, and generate a strong, unique Diffie-Hellman Group. Likewise, individual organisations must determine and contain both their client-side and service-side exposure. For instance, simple steps like making sure employees only use browser versions that are not vulnerable, such as patched versions of Chrome or Firefox."
Skyhigh Networks' technology allows organisations to monitor employee cloud use and lock down banned apps. A blog post by Sekhar Sarukkai, co-founder and VP of Engineering at Skyhigh Networks, explained the issue from its perspective in greater depth and can be found here.
Tod Beardsley, engineering manager at Rapid7, the firm behind MetaSplot, commented: "LogJam is another padding oracle attack (the PO in POODLE), and like POODLE, it requires man-in-the-middle (MitM) positioning. The only two groups really in a position to take advantage of this vulnerability are (1) criminals on coffee shop Wi-Fi networks; and (2) state actors who already control a huge chunk of the local internet – the usual rogue's gallery of internet criminals are not really a risk here.
"While this attack may be easier to execute than POODLE, as no downgrade to SSLv3 is required, the attack still relies on intentionally weak "export grade" ciphers from the early days of the internet," Beardsley added.
James Maude, security engineer at Avecto, said that the LogJam flaw shows how internet regulations and architecture decisions made more than 20 years ago are continuing to throw up problems.
"The LogJam issue highlights how far back the long tail of security stretches," Maude commented. "As new technologies emerge and cryptography hardens, many simply add on new solutions without removing out-dated and vulnerable technologies. This effectively undermines the security model you are trying to build. Several recent vulnerabilities such as POODLE and FREAK have harnessed this type of weakness, tricking clients into using old, less secure forms of encryption," he added. ®