Despite the rush to patch systems at risk from the massive transport layer security (TLS) vulnerability known as DROWN, hundreds of cloud services are still open to attack. According to two independent research firms, Netskope and Skyhigh Networks, a week after the vulnerability was disclosed DROWN still presents a high risk to companies.
Skyhigh Cloud Security Labs estimates that the number of cloud services vulnerable to DROWN has fallen only from 653 to 620 (a 5.1 percent drop) within the past week. It maintains that the patch response to DROWN pales in comparison to similar vulnerabilities such as Heartbleed: one week after fixes for Heartbleed were made available, the number of cloud services still vulnerable had dropped 92.7 percent.
Netskope researchers estimate that 676 Software-as-a-Service applications are vulnerable to a DROWN attack. Two of those apps are rated “high” risk, 42 are rated “medium” and the remainder “low”. Netskope’s app risk assessment is based on seven criteria, including an app’s financial viability, privacy implications and reliance on service level agreements.
Ravi Balupari, Netskope’s director of engineering and head of cloud security research, said the types of SaaS applications most vulnerable to DROWN are cloud storage, collaboration and HR-related apps. Balupari said Netskope began monitoring SaaS apps on Monday and has seen the number of vulnerable servers drop about 10 percent each day.
“By the end of today we expect the number of DROWN vulnerable servers to drop to 564,” Balupari said. “That slow pace to patch servers is a concern. The rate at which we saw Heartbleed patched was much faster,” he said.
Threatpost attempted to contact the companies behind three apps identified by Netskope. One of the companies Threatpost attempted to contact had shut down several years ago. The other two companies did not return email requests for comment.
In its report, Skyhigh estimates 98.9 percent of enterprises use at least one DROWN-vulnerable cloud service.
Balupari said the slower response to DROWN is likely attributable to the fact that Heartbleed was a much easier vulnerability for an attacker to exploit than DROWN. Despite the slower response rate, Balupari said he expects the number of DROWN-vulnerable SaaS applications to drop over time to levels similar to those of applications still vulnerable to FREAK (73), Logjam (42) and POODLE (7).
Sebastian Schinzel, professor at Münster University of Applied Sciences, Germany, and one of the researchers who discovered the DROWN vulnerability, said he was a bit surprised by the slow patch response to DROWN.
“Given DROWN is an easier patch deployment than Heartbleed, which requires an enterprise to take services offline to fix, I would have thought those numbers would be lower.” But he acknowledged that whether it’s Heartbleed, POODLE or DROWN, there is always going to be a certain percentage of servers that just don’t get fixed.
“Heartbleed and Logjam are still out there. DROWN is going to follow the same pattern,” Schinzel said. “Let’s say 33 percent of servers were vulnerable to DROWN and in a month the number drops to 3 percent. That 3 percent won’t go away until the hardware dies.”
Schinzel said the researchers who discovered DROWN have been very pleased with the response to the DROWN alert they posted last week. Schinzel said he can’t confirm how many cloud services remain vulnerable. However, based on the number of companies that have scanned apps at test.drownattack.com, “the response has been good,” Schinzel said.