Many cloud services remain open to DROWN vulnerability » Charity Digital News

More than a week after the ‘DROWN’ vulnerability was identified, a cloud security specialist has said that a high number of cloud services remain open to attack, with charities urged to ensure they don’t compromise customer details as a result.

Skyhigh Cloud Security Labs has found that 620 cloud services remain vulnerable to compromise, compared to 653 a week ago. The company says cloud providers have been slower to respond to DROWN than to other SSL vulnerabilities of similar scope, such as Heartbleed and POODLE, which is bad news for the 98.9 per cent of enterprises that use at least one vulnerable service.


Widespread problem

DROWN was discovered by a team of university researchers, who said that up to 11 million websites that rely on SSL and TLS encryption could be vulnerable.

“DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33 per cent of all HTTPS servers are vulnerable to the attack,” the researchers said.

“To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS,” advise the researchers.

In a paper providing more details about DROWN, the researchers said users were vulnerable if:

  • Sites allow SSLv2 connections, which is surprisingly common, due to a combination of misconfiguration and inappropriate default settings.
  • The server’s private key is used on any other server that allows SSLv2 connections, even for another protocol. Many companies re-use the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server. Taking key re-use into account, some 16 per cent of HTTPS servers are also vulnerable, putting one-third of HTTPS servers at risk.
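
The key re-use condition above can be checked against a server inventory. The following is an added example, not code from the article or the researchers' paper. It assumes you already hold, for each TLS endpoint, a fingerprint of its public key and the result of an SSLv2 probe; the `Endpoint` fields, hostnames and fingerprints are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Endpoint(NamedTuple):
    host: str
    port: int
    protocol: str        # e.g. "https", "smtp", "imap"
    key_fp: str          # fingerprint of the server's public key
    accepts_sslv2: bool  # outcome of an SSLv2 handshake probe


def drown_exposure(endpoints):
    """Map 'host:port' to (status, sslv2_peers).

    status is 'direct' if the endpoint itself accepts SSLv2,
    'key-reuse' if it does not but shares its key with one that does,
    and 'ok' otherwise.
    """
    by_key = defaultdict(list)
    for ep in endpoints:
        by_key[ep.key_fp].append(ep)

    report = {}
    for group in by_key.values():
        peers = [f"{p.host}:{p.port}" for p in group if p.accepts_sslv2]
        for ep in group:
            name = f"{ep.host}:{ep.port}"
            if ep.accepts_sslv2:
                report[name] = ("direct", [])
            elif peers:
                report[name] = ("key-reuse", peers)
            else:
                report[name] = ("ok", [])
    return report


# Constructed inventory: the web server has SSLv2 disabled but shares
# its key (fp-A) with a mail server that still accepts SSLv2.
INVENTORY = [
    Endpoint("www.example.org", 443, "https", "fp-A", False),
    Endpoint("mail.example.org", 25, "smtp", "fp-A", True),
    Endpoint("shop.example.org", 443, "https", "fp-B", False),
    Endpoint("legacy.example.org", 443, "https", "fp-C", True),
]

if __name__ == "__main__":
    for name, (status, via) in sorted(drown_exposure(INVENTORY).items()):
        print(f"{name:24} {status:10} {', '.join(via)}")
```

An endpoint reported as `key-reuse` stays at risk until SSLv2 is disabled on every listed peer or the key is no longer shared with them.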
