Cloud sellers who acted on Heartbleed sink when it comes to DROWN

Response to the critical web-crypto-blasting DROWN vulnerability in SSL/TLS by cloud services has been much slower than the frantic patching witnessed when the Heartbleed vulnerability surfaced two years ago.

DROWN (which stands for Decrypting RSA with Obsolete and Weakened eNcryption) is a serious design flaw that affects network services that rely on SSL and TLS. An attacker can exploit support for the obsolete SSLv2 protocol – which modern clients have phased out but is still supported by many servers – to decrypt TLS connections.

Successful attacks would give hackers the ability to intercept encrypted traffic (eg, passwords, credit card numbers, sensitive corporate data, etc) as well as impersonate a trusted cloud provider and modify traffic to and from the service using a man-in-the-middle attack.

The Heartbleed bug meant attackers could read the memory of the systems protected by the vulnerable versions of OpenSSL. Pretty much anything in memory – SSL private keys, user passwords, and more – was open to thieves preying on unpatched systems as a result of the flaw, which emerged in April 2014.

After one week, the number of cloud services vulnerable to Heartbleed fell from 1,173 to 86 (or a 92.7 per cent reduction). By comparison, susceptibility to DROWN has only fallen from 653 to 620 (5.1 per cent) in the week since it burst onto the scene on Tuesday 1 March, according to figures from Skyhigh Networks' Cloud Security Labs.

Skyhigh reckons 98.9 per cent of enterprises use at least one vulnerable service. The average organisation uses 56 vulnerable cloud services, it reports.

One-third of all HTTPS websites were potentially vulnerable to the DROWN attack at the time it was disclosed last week. Other experts, such as iSight Partners, reckon that DROWN is nowhere near as easy to exploit at Heartbleed because in the case of DROWN, an attacker already needs to be perched on a target network before feeding vulnerable systems attack traffic, among other factors. Heartbleed, by contrast, was much easier to exploit. Even so, the DROWN vulnerability is a good candidate for prompt triage, particularly by the likes of cloud services, which market themselves as an agile and flexible enterprise computing resource.

“Companies are adopting cloud services in record numbers, most of which have gone a long way to prove their worth and security to even the most cloud-sceptic industries such as financial services,” said Nigel Hawthorn, EMEA Marketing Director at Skyhigh Networks. “The cloud service industry acted fantastically in response to Heartbleed, and we need to see the same kind of response to DROWN today, which we haven’t to date.”

Skyhigh Networks' technology allows organisations to monitor employee cloud use and lock down banned apps. ®