Last week, we (and the rest of the security community) shared news of a newly discovered vulnerability in OpenSSL dubbed FREAK. This vulnerability rendered millions of Apple and Android devices vulnerable to man-in-the-middle attacks when they visited supposedly secure websites and cloud services. You can read the detailed description of the vulnerability from the discovering researchers here.
Last week the Skyhigh Service Intelligence team reported that 776 cloud services were vulnerable to FREAK 24 hours after its discovery was published. At that time, we also reported that 99% of companies were using at least one cloud provider that was still not patched and that the average company was using 122 vulnerable services.
The latest data on FREAK in the cloud
In addition to reporting the statistics, our Service Intelligence team also worked to inform Skyhigh customers of all the vulnerable services in use at their organization. Today, a week since the vulnerability was first published, we see that the number of cloud services vulnerable to FREAK has only decreased by 8%, from 766 to 703. From the chart below, we can also infer that security admins prefer not to fix vulnerabilities over the weekend (March 7th – 8th).
In addition to measuring the cloud service providers’ response to FREAK, we also looked at data on the usage of FREAK-vulnerable services in the enterprise. We found that today, 83% of companies are using at least one FREAK-vulnerable service, as opposed to 99% last week. Even more telling, we found that the average number of FREAK-vulnerable services used by a company dropped by a significant 67%, from 122 to 40 in the course of the week.
Enterprises respond faster than cloud providers
What’s particularly interesting, when looking at the aggregated data, is that enterprises have been more proactive about eliminating the use of FREAK-vulnerable services than cloud providers – they have reduced the number of FREEAK-vulnerable services they use by an average of 67%, whereas only 8% of cloud providers have fixed the FREAK vulnerability in their product over the same time period.
For the 703 left … this is what to do
In order to close the vulnerability of your cloud service, cloud providers should disable support for export suites. Rather than excluding RSA export cipher suites, administrators should disable support for all known ciphers and enable forward secrecy. Mozilla published a guide here, and a SSL Configuration Generator, which will provide good certifications for common servers.
How to protect your company from FREAK
Here are the four steps that every company needs to take in response to FREAK:
- Determine your service-side exposure: Skyhigh automatically alerted customers to services they use that are affected by FREAK. If you’d like to identify all the affected services in use at your company for free, email us at firstname.lastname@example.org. If you’d like to look up an individual service to see if it’s vulnerable, visit: https://tools.keycdn.com/freak
- Contain your client-side exposure: Ensure that only browser versions that are not susceptible (Chrome, or later versions of IE & Firefox for example). If employees use unmanaged BYOD devices, educate them on the current safe browser list at http://www.computerworld.com/article/2892926/time-to-freak-out-how-to-tell-if-youre-vulnerable.html
- Validate proxy configurations: If you manage your enterprise network and your enterprise uses a MITM proxy (like a web proxy), ensure that the configurations are properly set so it does not degrade.
- Ensure any OpenSSL use within enterprise is updated: If not careful, external facing sites may be fixed first and internal sites/development environments never. Ensure that you don’t take your eye off of internal deployments as well.