FREAK Vulnerability Impacting Top Cloud Services & Websites

Image Attribution: Flickr

Skyhigh Networks reports that, as of early Friday morning, 766 cloud providers had not yet remediated the FREAK vulnerability on their systems. Skyhigh did not name the services individually, although it notes that the offenders include popular cloud providers used for file storage, HR, security, collaboration, CRM and ERP.
So what exactly is FREAK? The nickname comes from its full name, "Factoring Attack on RSA-EXPORT Keys." In plain terms, FREAK lets a man-in-the-middle trick a vulnerable client into using 1990s-era "export-grade" cryptography: the attacker rewrites the client's handshake so that the server answers with a 512-bit RSA_EXPORT key, a bug in the client accepts that key even though it never asked for export ciphers, and the attacker then factors the 512-bit key offline and recovers the session's secrets. The end result is that the attacker can read, and tamper with, traffic that was supposed to be encrypted. The attack only works when both sides cooperate by accident: the server must still accept the legacy RSA_EXPORT cipher suites, and the client must have the bug. The CVE entry for the bug (CVE-2015-0204 covers the OpenSSL client) is available at Mitre.org's Common Vulnerabilities and Exposures website, and further technical information is available from NIST.gov's National Vulnerability Database.
How to Tell Who is Impacted by FREAK
While Skyhigh Networks doesn't point the finger at particular cloud services, it does provide end-users with a tool they can use to determine whether a website they rely on is still unpatched. FREAK is not tied to any one web server product: any TLS server that still accepts the legacy RSA_EXPORT cipher suites can be used in the attack, and a considerable number of websites in the Alexa Top 1M still have not disabled them.
“The average company uses 897 cloud services, making the likelihood they use at least one affected service extremely high. Across over 350 companies using Skyhigh, 99% are using at least one cloud provider that is still not patched, and the average company uses 122 vulnerable services,” writes Sekhar Sarukkai, Co-Founder and VP of Engineering at Skyhigh Networks.
At the time of this writing, about 9% of Alexa's top 1M websites are still unpatched. Because IT administrators are still scrambling to patch this morning, we won't call out specific providers that remain unpatched. Readers are encouraged to use the FreakAttack website (freakattack.com) to check the websites and cloud providers they depend on. If you find a cloud service that is not patched, contact its support department and let them know. Keep in mind that the attack needs both a server that accepts export suites and a client with the bug, so updating your own browser and TLS libraries closes your side of the exposure even before a provider fixes its servers.
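As an added example (not code from this article, from Skyhigh or from the FreakAttack site), the following Python script performs the same kind of server-side check described above: it sends a TLS ClientHello that offers only the RSA_EXPORT cipher suites, which is exactly what a FREAK man-in-the-middle forwards to the server, and reports whether the server agrees to one. The probing function, the constructed sample responses and all function names are this example's own assumptions; the cipher suite IDs are the registered TLS values.

```python
import os
import socket
import struct

# The three classic 40-bit RSA_EXPORT cipher suites from the IANA TLS registry.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

TLS10 = b"\x03\x01"  # version bytes used for both the record and handshake layers


def _u24(n):
    """3-byte big-endian length field used by TLS handshake headers."""
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname, suites=tuple(RSA_EXPORT_SUITES), random_bytes=None):
    """TLS 1.0 ClientHello record offering ONLY `suites` (export-grade by default).

    A server that still accepts export RSA answers with a ServerHello selecting
    one of them; a fixed server answers with a handshake_failure alert."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    if len(rnd) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    cipher_block = b"".join(struct.pack("!H", s) for s in suites)
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension 0 = server_name
    body = (
        TLS10
        + rnd
        + b"\x00"                                                   # empty session id
        + struct.pack("!H", len(cipher_block)) + cipher_block
        + b"\x01\x00"                                               # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + _u24(len(body)) + body                    # HandshakeType client_hello
    return b"\x16" + TLS10 + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record in `data`: ("hello", suite_id) for a
    ServerHello, ("alert", description) for an alert, else ("other", None)."""
    if len(data) < 5:
        return ("other", None)
    rec_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == 0x15 and len(payload) >= 2:                      # alert: level, description
        return ("alert", payload[1])
    if rec_type == 0x16 and len(payload) >= 4 and payload[0] == 0x02:  # handshake: server_hello
        hs = payload[4:]                                             # skip type + 3-byte length
        if len(hs) < 35:
            return ("other", None)
        sid_len = hs[34]                                             # after version(2) + random(32)
        end = 35 + sid_len
        if len(hs) < end + 2:
            return ("other", None)
        return ("hello", struct.unpack("!H", hs[end:end + 2])[0])
    return ("other", None)


def classify(response):
    """Human-readable verdict for a server's reply to an export-only ClientHello."""
    kind, value = parse_server_response(response)
    if kind == "hello" and value in RSA_EXPORT_SUITES:
        return "VULNERABLE: server negotiated %s" % RSA_EXPORT_SUITES[value]
    if kind == "hello":
        return "UNEXPECTED: server chose suite 0x%04x that we never offered" % value
    if kind == "alert":
        return "OK: server refused export suites (alert description %d)" % value
    return "UNKNOWN: could not parse server response"


def check_host(hostname, port=443, timeout=5.0):
    """Probe a live server (network I/O; the constructed samples below run offline)."""
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(hostname))
        return classify(sock.recv(4096))


# Constructed sample responses (not captured traffic) for offline demonstration.
def sample_server_hello(suite):
    """Minimal ServerHello record selecting `suite`, as a still-vulnerable server sends."""
    body = TLS10 + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + _u24(len(body)) + body
    return b"\x16" + TLS10 + struct.pack("!H", len(handshake)) + handshake


def sample_alert(description=40):
    """Fatal alert record; description 40 = handshake_failure, what a patched server sends."""
    return b"\x15" + TLS10 + b"\x00\x02" + b"\x02" + bytes([description])
```

Call `check_host("your-provider.example")` from an interactive session to probe a live server. The handshake is built by hand rather than via `openssl s_client -cipher EXPORT` because OpenSSL 1.1.0 and later removed the export suites entirely, so a modern client can no longer offer them. A server that answers VULNERABLE is fixed by removing export suites from its cipher list (for OpenSSL-based servers, a `!EXPORT` entry in the cipher string), after which it answers the same probe with a handshake_failure alert. This probe only tells you about the server side; the FREAK bug itself lives in the client's TLS library, and the attack needs both.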

CloudWedge