Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

DROWN Vulnerability Still Unpatched by Most Cloud Services

A high severity vulnerability revealed last week that affects HTTPS and other services that rely on SSL and TLS has not been patched by most affected cloud services, according to a recent scan.

A high severity vulnerability revealed last week that affects HTTPS and other services that rely on SSL and TLS has not been patched by most affected cloud services, according to a recent scan.

To demonstrate the impact of this security issue, a team of researchers published a paper (PDF) on a cross-protocol attack method that involves the old SSLv2 protocol still supported by many servers. 

Dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), the attack allows potential adversaries to crack encrypted communications and steal potentially sensitive data.

DROWN provides attackers with the ability to compromise an encrypted session even if the session is encrypted with the newer and more secure TLS protocol. As a result, attackers can intercept encrypted traffic, impersonate a trusted cloud provider, and also modify traffic to and from the service.

DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients,” the security researchers explained. “It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.”

How DROWN TLS Attack Works

Last week, the OpenSSL Project released updates to resolve several vulnerabilities in the crypto library, including CVE-2016-0800, a high severity flaw said to affect a quarter of the top one million HTTPS domains (overall, over 2.3 million HTTPS servers are vulnerable), as well as one-third of all HTTPS websites.

One week after the high severity flaw was discovered, 620 out of 653 cloud services were found to be still vulnerable to compromise, Skyhigh Cloud Security Labs’ Sekhar Sarukkai notes in a blog post. The report shows that cloud providers have been slow to respond to DROWN, although they acted faster when SSL vulnerabilities such as Heartbleed and POODLE were discovered.

Advertisement. Scroll to continue reading.

With the average organization using 56 vulnerable services and with 98.9 percent of enterprises using at least one vulnerable service, this lack of reaction doesn’t spell good news, Sarukkai says. The vulnerability affects all cloud providers that still support SSLv2 or use a private key shared with a server that supports SSLv2.

Previously, cloud providers reacted more promptly when similar critical vulnerabilities were revealed, with 92.7 percent of the affected cloud providers having patched their systems to close the Heartbleed vulnerabilities within the first week. In the case of DROWN, only 5.1 percent of vulnerable cloud providers have performed necessary remediation within the first week.

Last year, security firm Venafi revealed that one year after the famous Heartbleed OpenSSL vulnerability (CVE-2014-0160) was disclosed, 74 percent of Global 2000 organizations still hadn’t completely remediate the risks.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.