There is quite a buzz around the newly disclosed FREAK (Factoring attack on RSA Export Keys) vulnerability, affecting major browsers, servers, and even mobile devices. When exploited, this vulnerability allows an attacker to force you (or the systems in your environment) to downgrade to a weaker grade of encryption, giving the attacker a better chance of decrypting (and then stealing) your information.
While most major hardware/software vendors and owners of websites have patched this flaw, many are still susceptible to this type of attack. Based on scans done by the University of Michigan team (instrumental in disclosing this flaw), an estimated 36.7% of the 14 million websites offering browser-trusted certificates were vulnerable at the time of disclosure. This includes some high profile pages like nsa.gov, irs.gov or even the omnipresent connect.facebook.com (the source of all Facebook “Like” buttons).
The FREAK vulnerability allows:
- An attacker to intercept your sensitive, encrypted web sessions via a man-in-the-middle attack, putting you and your clients at risk.
- An attacker to redirect users to malicious sites and harvest credentials, allowing them to pivot and attack your environment directly and steal your sensitive data (intellectual property).
- An attacker to force weak encryption to make stealing your data easier.
This vulnerability is widespread, affecting every Windows version, Apple’s mobile and desktop operating systems, and Google Android.
Since the exploitation of this vulnerability relies on forcing you to use weaker encryption, our AlienVault Labs team has released several IDS signatures as well as a correlation rule to identify when vulnerable servers or clients are being forced to offer weak encryption due to the FREAK vulnerability.
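To illustrate the kind of check such detection relies on, here is an added example (not AlienVault's signature or rule) that parses a TLS ClientHello or ServerHello record and reports any RSA export cipher suite offered or selected. The function names are hypothetical and the sample records are constructed by `build_hello`; it assumes one unfragmented handshake message per record.

```python
# RSA export key-exchange cipher suites defined in RFC 2246.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def hello_suites(record: bytes):
    """Return (handshake_type, suite_ids) for a ClientHello (1) or ServerHello (2)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    pos = 4 + 2 + 32                      # handshake header, version, random
    if len(body) < rec_len or len(body) <= pos or body[0] not in (1, 2):
        raise ValueError("truncated or unsupported handshake message")
    pos += 1 + body[pos]                  # skip session_id
    if body[0] == 1:                      # ClientHello: length-prefixed list
        want = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
    else:                                 # ServerHello: the one selected suite
        want = 2
    raw = body[pos:pos + want]
    if want == 0 or want % 2 or len(raw) != want:
        raise ValueError("malformed cipher suite field")
    return body[0], [int.from_bytes(raw[i:i + 2], "big") for i in range(0, want, 2)]

def export_findings(record: bytes):
    """List the RSA export suites a hello message offers or selects."""
    hs_type, suites = hello_suites(record)
    verb = "client offers" if hs_type == 1 else "server selected"
    return [f"{verb} {RSA_EXPORT_SUITES[s]}" for s in suites if s in RSA_EXPORT_SUITES]

def build_hello(hs_type: int, suites):
    """Construct a minimal sample hello record (constructed test data, not a capture)."""
    raw = b"".join(s.to_bytes(2, "big") for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session_id
    if hs_type == 1:
        body += len(raw).to_bytes(2, "big") + raw + b"\x01\x00"
    else:
        body += raw + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    print(export_findings(build_hello(1, [0x002F, 0x0003, 0x0008])))
    print(export_findings(build_hello(2, [0x0003])))
```

A server that selects one of these suites still has export-grade RSA enabled and should have it removed from its cipher configuration.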
You can get more details on the latest USM threat intelligence updates here.