One week after the DROWN vulnerability in SSLv2 was disclosed, some 620 cloud services remain exposed to the attack, with just a handful having taken action over the past seven days.
That is the warning from security company Skyhigh Networks, following its analysis of cloud services. Other cloud security companies have warned that many providers also remain unpatched against a slew of older SSL/TLS flaws.
“Skyhigh Cloud Security Labs has found that 620 cloud services remain vulnerable to [DROWN] compromise. That’s not much lower than the 653 services that were vulnerable a week ago,” claimed Skyhigh Networks’ co-founder and vice president of engineering Sekhar Sarukkai.
He continued: “What’s troubling about this critical vulnerability is how slow cloud providers have been in responding to patch their services against DROWN [simply] by disabling SSLv2 support. While more cloud services overall were vulnerable to Heartbleed compared with DROWN, cloud providers quickly patched their systems to close their Heartbleed vulnerabilities.”
He added: “That’s bad news for the 98.9 per cent of enterprises who use at least one vulnerable service. As of today, the average organisation uses 56 vulnerable services.”
Researchers at another security vendor, cloud access security broker Netskope, have drawn similar conclusions. “We have been monitoring SaaS apps to check whether they are vulnerable to DROWN. As part of our research, we have identified 676 software-as-a-service (SaaS) apps that are vulnerable to the attack,” warned Swapnil Pathak, a member of technical staff at Netskope.
Of those 676 SaaS applications, two are rated “high” risk in Netskope’s “Cloud Confidence Index”, 42 are rated “medium” and the remainder “low”.
Netskope also said that a number of the SaaS applications it monitors remain vulnerable to a slew of other recent critical SSL/TLS flaws: 73 apps are still vulnerable to the FREAK attack; 42 to Logjam; 38 to the OpenSSL CCS injection attack; and seven remain vulnerable to POODLE.
Netskope accused SaaS application providers of poor patch-management practices, which could leave clients’ data at risk.
DROWN, which stands for “Decrypting RSA with Obsolete and Weakened eNcryption”, is a cross-protocol attack that affects any server that still accepts SSLv2 connections. Because the attack targets the server’s RSA private key rather than a particular protocol, it also affects any other server (an SMTP or IMAP server, for example) that shares its certificate, and therefore its RSA key, with an SSLv2-capable server, even if that second server itself only speaks modern TLS. The fix is to disable SSLv2 support, but it has to be disabled on every host that uses the key, not just the public web front end.
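The two checks a practitioner would want after reading the above are (a) whether a given service still answers an SSLv2 ClientHello, which is what providers fix by disabling SSLv2, and (b) which TLS-only endpoints are still exposed because they share a certificate with an SSLv2-capable host. The following Python is an added example, not code from the article or from either vendor. It speaks just enough SSLv2 to build a ClientHello and parse a ServerHello, classifies anything else (a TLS alert, an HTTP error, an empty reply) as “SSLv2 not accepted”, and then applies the shared-key rule over a scan result. The hostnames, fingerprints and the ServerHello bytes are constructed for the example; only the `probe_sslv2` function touches the network, and it is not needed to run the rest.

```python
"""SSLv2 probe and DROWN exposure check (added example, not from the article).

Part 1 speaks just enough SSLv2 to learn whether a server still accepts an
SSLv2 ClientHello.  Part 2 applies the cross-server rule: a TLS-only server is
still exposed if it shares its certificate (RSA key) with an SSLv2-capable host.
"""
import socket
import struct
from typing import Dict, List, Optional, Set, Tuple

# SSLv2 cipher specs (3 bytes each).  The two EXPORT40 suites are the ones
# DROWN's padding oracle relies on; offering all of them maximises the chance
# that a legacy server answers at all.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 ClientHello: 2-byte record header (high bit set, 15-bit length),
    then msg type, version 0x0002, cipher-specs length, session-id length,
    challenge length, followed by the three variable-length fields."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(ciphers), 0, len(challenge)) + ciphers + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes) -> Optional[List[str]]:
    """Return the cipher specs an SSLv2 ServerHello offers, or None if the
    bytes are not an SSLv2 ServerHello (TLS alert, HTTP text, empty reply)."""
    if len(data) < 13 or not data[0] & 0x80:
        return None
    rec_len = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    # session-id-hit(1) cert-type(1) version(2) cert-len(2) ciphers-len(2) conn-id-len(2)
    _, _, version, cert_len, ciph_len, _ = struct.unpack("!BBHHHH", body[1:11])
    if version != 0x0002:
        return None
    specs = body[11 + cert_len:11 + cert_len + ciph_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)]


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> Optional[List[str]]:
    """Network probe (hypothetical usage; not exercised offline).  Sends the
    ClientHello and classifies the reply.  None means SSLv2 is not accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return None
    return parse_server_hello(reply)


# Constructed SSLv2 ServerHello as a legacy server would return it: no session
# hit, X.509 certificate type, version 2, an empty certificate (for brevity),
# two cipher specs including an export suite, and a 16-byte connection id.
SAMPLE_SPECS = b"\x01\x00\x80" + b"\x02\x00\x80"
SAMPLE_BODY = (struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002,
                           0, len(SAMPLE_SPECS), 16) + SAMPLE_SPECS + b"\x00" * 16)
SAMPLE_SERVER_HELLO = struct.pack("!H", 0x8000 | len(SAMPLE_BODY)) + SAMPLE_BODY
# Constructed reply from a TLS-only server: a fatal protocol_version alert.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"


def drown_exposure(scan: List[Tuple[str, bool, str]]) -> Dict[str, str]:
    """scan: (endpoint, sslv2_accepted, cert_fingerprint) per probed service.
    Returns {endpoint: reason} for every endpoint DROWN can attack: those that
    accept SSLv2 themselves, plus TLS-only endpoints whose certificate (and so
    RSA key) is also served by an SSLv2-capable endpoint."""
    sslv2_by_fp: Dict[str, Set[str]] = {}
    for ep, v2, fp in scan:
        if v2:
            sslv2_by_fp.setdefault(fp, set()).add(ep)
    exposed: Dict[str, str] = {}
    for ep, v2, fp in scan:
        if v2:
            exposed[ep] = "accepts SSLv2"
        elif fp in sslv2_by_fp:
            exposed[ep] = "shares key with " + ", ".join(sorted(sslv2_by_fp[fp]))
    return exposed


# Constructed scan: the mail server still speaks SSLv2 with the same
# certificate the HTTPS front end uses, so HTTPS is exposed although it is
# TLS-only; the API host has its own key and is clean.
SAMPLE_SCAN = [
    ("www.example.com:443", False, "fp-A"),
    ("mail.example.com:465", True, "fp-A"),
    ("api.example.com:443", False, "fp-B"),
]

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_SERVER_HELLO))
    print(parse_server_hello(SAMPLE_TLS_ALERT))
    print(drown_exposure(SAMPLE_SCAN))
```

The exposure check is deliberately keyed on the certificate fingerprint rather than the hostname: the same RSA key deployed on an old mail relay is exactly the case the article describes, and a port-443-only scan would miss it. A real audit would populate `SAMPLE_SCAN` from `probe_sslv2` plus the leaf certificate of each TLS endpoint, across every port that terminates TLS.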