Skyhigh Cloud Security Labs says average enterprise is using 56 leaky cloud services
One week after the critical vulnerability in SSL/TLS named DROWN was disclosed, Skyhigh Cloud Security Labs has found that 620 cloud services remain vulnerable to compromise.
That’s not much lower than the 653 services that were vulnerable a week ago. So far, cloud providers have been slower to respond to DROWN compared with other SSL vulnerabilities of similar scope such as Heartbleed and POODLE, said Skyhigh.
“That’s bad news for the 98.9 percent of enterprises who use at least one vulnerable service. As of today, the average organisation uses 56 vulnerable services,” said Skyhigh’s Sekhar Sarukkai.
DROWN allows attackers to compromise an encrypted session by exploiting a vulnerability in the outdated SSLv2 protocol, even if the session itself is encrypted with the newer and more secure TLS protocol.
This vulnerability enables attackers to intercept encrypted traffic (like passwords, credit card numbers and sensitive corporate data) as well as impersonate a trusted cloud provider and modify traffic to and from the service.
Any cloud provider that still supports SSLv2, or uses a private key shared with a server that supports SSLv2, is vulnerable.
What’s “troubling” about this critical vulnerability, said Sarukkai, is how slow cloud providers have been in responding to patch their services against DROWN by disabling SSLv2 support.
While more cloud services overall were vulnerable to the widely reported Heartbleed compared with DROWN, cloud providers quickly patched their systems to close their Heartbleed vulnerabilities. A week after Heartbleed was disclosed, 92.7 percent of cloud providers initially vulnerable were no longer affected.
A week after DROWN was disclosed, just 5.1 percent of cloud providers that were initially vulnerable have “performed necessary remediation”.
Skyhigh Cloud Security Labs is recommending that all enterprises notify their end users about the vulnerability in the websites and cloud services they use. Some enterprises may also configure their web proxy to redirect users to an educational page, to notify them that their session may not be secure when they attempt to access a vulnerable site or cloud service.
Skyhigh Cloud Security Labs said it will continue to monitor the situation and provide updates as cloud providers secure themselves against DROWN.