Many companies are still recovering from the OpenSSL Heartbleed bug disclosed in April 2014. Now administrators everywhere can add another SSL/TLS vulnerability to their patch lists. Factoring Attack on RSA-EXPORT Keys (FREAK) is an SSL/TLS vulnerability that affects OpenSSL versions before 1.0.1k (the fix shipped in 1.0.1k), Apple’s SecureTransport, and Microsoft’s Schannel TLS library. A man-in-the-middle attacker exploits it by steering the connection onto an export-grade cipher suite: the server hands out a 512-bit RSA key, the vulnerable client accepts it even though it never asked for an export suite, and a 512-bit RSA key can be factored in a matter of hours with rented cloud computing. Once the key is factored, the attacker can read and tamper with the "encrypted" session.
The FREAK vulnerability is a leftover of old US government export controls that barred shipping strong encryption to foreign markets. "Export-grade" cipher suites were capped at 512-bit RSA and 40-bit symmetric keys so that intelligence agencies could continue surveillance of overseas communications. Those restrictions were relaxed in 2000, but support for the weak suites lives on in many servers and client libraries two decades later. Patches are available from many vendors to address this vulnerability, including Microsoft’s MS15-031 (the Schannel fix), MS15-018 (Internet Explorer), and MS15-022 (Office).
FREAK, among other vulnerabilities, illustrates the importance of effective patch and vulnerability management. Products such as IBM Tivoli Endpoint Manager (TEM), WSUS, and many others can help administrators deploy updates in a timely manner. Qualys Vulnerability Management can be used alongside these products to identify any vulnerable devices on the network. Qualys has recently released QIDs 123362, 91025, and 42442 to identify FREAK in Apple, Microsoft, and general remote services.
When it comes to vulnerabilities, Infogressive recommends the wash, rinse, repeat method. First, run a vulnerability scan to identify any potential threats to your network. Next, apply the patches and any other fixes the scan recommends; for FREAK that means patching the TLS libraries on clients and also disabling the RSA_EXPORT cipher suites in your servers’ TLS configuration, since a patched server library will still offer them if the configuration allows it. After remediation, launch another vulnerability scan to verify that the vulnerabilities no longer exist, and repeat the cycle weekly to maintain the security of the network.
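The script below is an added example, not code from the original post or from any of the vendors named in it. It puts the scan, fix, rescan loop into practice for the server side of FREAK described above: each host is asked to negotiate only RSA_EXPORT cipher suites, and a server that completes that handshake still supports the weak suites and needs its TLS configuration fixed. It assumes the openssl command-line tool is installed and that its build still contains the export suites (OpenSSL 1.1.0 and later compiled them out, so there "-cipher EXPORT" fails with "no cipher match" and the host is reported as "error", not "ok"). The function names (classify_sclient_output, check_host, scan_hosts, remaining_vulnerable) are this example's own, and the s_client transcripts embedded in it are constructed samples, not captures from real hosts.

```shell
#!/bin/sh
# Added example (not from the original post): scan hosts for servers that still
# accept RSA_EXPORT cipher suites, remediate, then rescan and diff the results.
# Assumes openssl(1) with export suites compiled in (OpenSSL 1.0.x or older).

# Classify the text output of `openssl s_client -cipher EXPORT` for one host.
# Prints "vulnerable" if an export-grade suite was negotiated, "ok" if the
# server refused (s_client then prints "Cipher    : 0000"), "error" otherwise.
classify_sclient_output() {
    # first token after "Cipher :" in s_client's SSL-Session summary block
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        "")    echo "error" ;;        # no session summary: connection or tool failure
        0000)  echo "ok" ;;           # handshake failed: server offers no export suite
        EXP-*) echo "vulnerable" ;;   # export-grade suite agreed, e.g. EXP-RC4-MD5
        *)     echo "ok" ;;           # any other suite is not export-grade
    esac
}

# Probe one host (port defaults to 443) offering only EXPORT suites and classify it.
check_host() {
    host="$1"; port="${2:-443}"
    # </dev/null makes s_client exit right after the handshake; "|| true" keeps
    # a refused handshake from aborting the whole scan under set -e
    out=$(openssl s_client -connect "$host:$port" -cipher 'EXPORT' </dev/null 2>&1 || true)
    classify_sclient_output "$out"
}

# "Wash": read hosts (one per line) on stdin, print "host status" lines.
# Save the report, remediate, run it again ("rinse"), then compare.
scan_hosts() {
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(check_host "$host")"
    done
}

# "Repeat": read a scan report on stdin and print the hosts still vulnerable,
# i.e. the work that remains after a remediation pass.
remaining_vulnerable() {
    grep ' vulnerable$' | cut -d ' ' -f 1
}

# Constructed s_client transcripts (abbreviated; not captured from real hosts)
# showing the three outcomes the classifier distinguishes.
SAMPLE_EXPORT_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 512 bit
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5'

SAMPLE_EXPORT_REFUSED='CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

SAMPLE_TOOL_FAILURE='Error with command: "-cipher EXPORT"
error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match'

# Sanity check of the classifier against the constructed transcripts.
selftest() {
    [ "$(classify_sclient_output "$SAMPLE_EXPORT_ACCEPTED")" = vulnerable ] &&
    [ "$(classify_sclient_output "$SAMPLE_EXPORT_REFUSED")" = ok ] &&
    [ "$(classify_sclient_output "$SAMPLE_TOOL_FAILURE")" = error ]
}

# Usage: sh freak_scan.sh host1 [host2 ...] > before.txt
#        (fix the servers, then)  sh freak_scan.sh host1 [host2 ...] > after.txt
#        remaining_vulnerable < after.txt
if [ "$#" -gt 0 ]; then
    for h in "$@"; do printf '%s\n' "$h"; done | scan_hosts
fi
```

The probe only covers the server side (a server that still offers export suites); the client side of FREAK, a library that accepts an export key it never requested, is fixed by the vendor patches listed above and is best confirmed with a vulnerability scanner or the vendor's own test. Because the script grades a tool failure as "error" rather than "ok", an OpenSSL build with the export suites removed cannot silently mark every host clean.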
New threats emerge every day, and they constantly evolve and become more sophisticated. Identifying vulnerabilities before the adversaries do is paramount to an organization’s credibility, security, and success. While FREAK may not have bitten you this time, it’s only a matter of time before something else tries. Always be proactive, never reactive.