Most cloud providers not protecting users against DROWN threat

One week after the critical vulnerability in SSL/TLS named DROWN was disclosed, Skyhigh Cloud Security Labs has found that 620 cloud services remain vulnerable to compromise.

That’s not much lower than the 653 services that were vulnerable a week ago. So far, cloud providers have been slower to respond to DROWN compared with other SSL vulnerabilities of similar scope such as Heartbleed and POODLE, said Skyhigh.

“That’s bad news for the 98.9 percent of enterprises who use at least one vulnerable service. As of today, the average organisation uses 56 vulnerable services,” said Skyhigh’s Sekhar Sarukkai.

DROWN allows attackers to compromise an encrypted session by exploiting a vulnerability in the outdated SSLv2 protocol, even if the session itself is encrypted with the newer and more secure TLS protocol.

This vulnerability enables attackers to intercept encrypted traffic (like passwords, credit card numbers and sensitive corporate data) as well as impersonate a trusted cloud provider and modify traffic to and from the service.

Any cloud provider that still supports SSLv2, or uses a private key shared with a server that supports SSLv2, is vulnerable.
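To verify that SSLv2 has actually been switched off on a service you operate, the following probe sends a bare SSLv2 CLIENT-HELLO and reports whether the server answers with an SSLv2 SERVER-HELLO (a server with SSLv2 disabled drops the connection or replies with a TLS alert). This is an added example, not Skyhigh's scanner or the DROWN project's checker; the cipher list, port and timeout are assumptions, and the probe covers only the first condition above: a host that merely shares a private key with an SSLv2-capable server has to be found by probing that other server.

```python
import os
import socket
import struct
from typing import List, Optional

# SSLv2 handshake message types, from the SSL 2.0 specification.
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04

# The seven classic three-byte SSLv2 cipher-spec codes (RC4, RC2, IDEA, DES, 3DES).
SSL2_CIPHER_SPECS = bytes.fromhex("010080" "020080" "030080" "040080" "050080" "060040" "0700c0")


def build_sslv2_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """Build an SSLv2 CLIENT-HELLO record offering the classic SSLv2 cipher specs."""
    challenge = challenge or os.urandom(16)
    body = (
        bytes([SSL2_MT_CLIENT_HELLO])
        + b"\x00\x02"  # client version: SSL 2.0
        + struct.pack(">HHH", len(SSL2_CIPHER_SPECS), 0, len(challenge))
        + SSL2_CIPHER_SPECS  # cipher specs, then (empty) session id, then challenge
        + challenge
    )
    # Two-byte record header: high bit set = no padding byte, 15-bit record length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data: bytes) -> Optional[List[bytes]]:
    """Return the cipher specs in an SSLv2 SERVER-HELLO, or None if the reply is not one."""
    if len(data) < 13 or not data[0] & 0x80:
        return None  # too short, or not an SSLv2 record (e.g. a TLS alert starts 0x15)
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != SSL2_MT_SERVER_HELLO:
        return None
    # SERVER-HELLO layout: type(1) session-id-hit(1) cert-type(1) version(2)
    #   cert-len(2) cipher-specs-len(2) conn-id-len(2) cert cipher-specs conn-id
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [specs[i:i + 3] for i in range(0, len(specs) - len(specs) % 3, 3)]


def sslv2_supported(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server answers an SSLv2 CLIENT-HELLO with an SSLv2 SERVER-HELLO."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            return False  # a server with SSLv2 disabled typically resets or drops
    return parse_sslv2_server_hello(reply) is not None
```

A server that supports SSLv2 must also be assumed to have exposed every other host that uses the same key, so remediation means disabling SSLv2 on all of them, not just the one that answered.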

What’s “troubling” about this critical vulnerability, said Sarukkai, is how slow cloud providers have been in responding to patch their services against DROWN by disabling SSLv2 support.

While more cloud services overall were vulnerable to the widely reported Heartbleed compared with DROWN, cloud providers quickly patched their systems to close their Heartbleed vulnerabilities. A week after Heartbleed was disclosed, 92.7 percent of cloud providers initially vulnerable were no longer affected.

A week after DROWN was disclosed, just 5.1 percent of cloud providers that were initially vulnerable have “performed necessary remediation”.

Skyhigh Cloud Security Labs is recommending that all enterprises notify their end users about the vulnerability in the websites and cloud services they use. Some enterprises may also configure their web proxy to redirect users to an educational page, to notify them that their session may not be secure when they attempt to access a vulnerable site or cloud service.

Skyhigh Cloud Security Labs said it will continue to monitor the situation and provide updates as cloud providers secure themselves against DROWN.

@AntonySavvas

Antony Savvas

York, UK-based Antony Savvas has been a technology journalist for 25 years and has expertise in all major areas of enterprise and consumer IT. He has worked for a number of leading technology magazines and websites and his work is syndicated across the internet. He also undertakes corporate work for some of the world's leading technology companies.
