It has been roughly a month since the ‘Heartbleed’ vulnerability in OpenSSL became public, and for all the publicity, many organizations remain vulnerable.
According to Netcraft, many organizations are not going far enough in their response. Just 43 percent of the affected sites the company scanned had reissued their SSL certificates after the bug became public; the rest still serve certificates whose private keys could have been read out of server memory while the site was vulnerable, which leaves them open to impersonation and to decryption of captured traffic if a key was taken. In addition, seven percent of the reissued certificates were reissued with the same private key, which leaves a stolen key exactly as useful as before. Fifty-seven percent of the sites took no action whatsoever.
From the start, it was clear that Heartbleed was not a normal vulnerability: it struck at the heart of online trust, Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told SecurityWeek. The vulnerability (CVE-2014-0160) is due to OpenSSL 1.0.1 through 1.0.1f not properly handling TLS Heartbeat extension packets: the code trusts the payload length field supplied by the peer and copies that many bytes into the response without checking the claim against the length of the record that actually arrived. The end result is that remote attackers can read up to 64 KB of process memory per request, which can include private keys, session cookies and passwords, using specially crafted packets that cause a buffer over-read. Because the heartbeat is handled inside the TLS layer and never reaches the application, the requests do not show up in ordinary web-server logs.
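The over-read described above, as an added example that is not OpenSSL's own code: a model of the pre-1.0.1g heartbeat handler beside the bounds check that 1.0.1g introduced. "Process memory" here is a constructed byte array (the record is followed by a made-up secret string) so that the over-read stays observable and well-defined instead of reading real heap; the function names, the sample records and the secret are all this example's own.

```c
/* Added example: a model of the Heartbleed over-read (CVE-2014-0160) next
 * to the 1.0.1g-style fix. Not OpenSSL's code. "Process memory" is a
 * constructed byte array so the over-read is observable without reading
 * real heap (which would be undefined behaviour). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING     16   /* minimum padding a heartbeat must carry */

/* Constructed "process memory": a 7-byte heartbeat record whose length
 * field claims 32 payload bytes, followed by data the peer must not see. */
static const unsigned char hostile_memory[] =
    "\x01"                            /* hbtype = HB_REQUEST               */
    "\x00\x20"                        /* claimed payload length = 32       */
    "hi!!"                            /* the 4 payload bytes actually sent */
    "SECRET-KEY-MATERIAL-IN-MEMORY";  /* constructed neighbouring data     */
static const size_t hostile_record_len = 1 + 2 + 4;  /* bytes that really arrived */

/* A well-formed request: 4 payload bytes plus 16 bytes of padding. */
static const unsigned char legit_record[] =
    "\x01" "\x00\x04" "hi!!"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
static const size_t legit_record_len = 1 + 2 + 4 + PADDING;

static uint16_t read_u16(const unsigned char *p) {   /* OpenSSL's n2s() */
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Pre-1.0.1g shape: the 16-bit length field is trusted and rec_len is
 * never consulted, so memcpy reads past the end of the real record.
 * Returns the response length, or -1 if the request is rejected. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    unsigned char hbtype = rec[0];
    uint16_t payload = read_u16(rec + 1);
    const unsigned char *pl = rec + 3;
    (void)rec_len;                                  /* the bug: never checked */
    if (hbtype != HB_REQUEST) return -1;
    if ((size_t)3 + payload + PADDING > out_cap) return -1;  /* example's own bound */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, pl, payload);                   /* over-read happens here */
    memset(out + 3 + payload, 0, PADDING);
    return 3 + payload + PADDING;
}

/* 1.0.1g shape: bound the claimed length by what actually arrived. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (1 + 2 + PADDING > rec_len) return -1;       /* too short: discard */
    unsigned char hbtype = rec[0];
    uint16_t payload = read_u16(rec + 1);
    const unsigned char *pl = rec + 3;
    if ((size_t)1 + 2 + payload + PADDING > rec_len) return -1;  /* the fix */
    if (hbtype != HB_REQUEST) return -1;
    if ((size_t)3 + payload + PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0, PADDING);
    return 3 + payload + PADDING;
}

/* 1 if the vulnerable handler's response carries the neighbouring secret. */
int vulnerable_leaks_secret(void) {
    unsigned char out[256];
    int n = heartbeat_vulnerable(hostile_memory, hostile_record_len, out, sizeof out);
    return n == 3 + 32 + PADDING && memcmp(out + 3 + 4, "SECRET-KEY", 10) == 0;
}

/* 1 if the fixed handler drops the hostile record. */
int fixed_rejects_hostile(void) {
    unsigned char out[256];
    return heartbeat_fixed(hostile_memory, hostile_record_len, out, sizeof out) == -1;
}

/* 1 if the fixed handler still echoes a well-formed request. */
int fixed_echoes_legit(void) {
    unsigned char out[256];
    int n = heartbeat_fixed(legit_record, legit_record_len, out, sizeof out);
    return n == 3 + 4 + PADDING && memcmp(out + 3, "hi!!", 4) == 0;
}

int main(void) {
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects hostile:   %d\n", fixed_rejects_hostile());
    printf("fixed echoes legit:      %d\n", fixed_echoes_legit());
    return 0;
}
```

The two handlers differ only in the two length checks at the top of `heartbeat_fixed`, which is the whole of the real fix: the first rejects records too short to hold a header and the mandatory padding, the second rejects any record whose claimed payload plus padding exceeds the bytes actually received. Everything after that is the same copy-and-echo that made the leak possible.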
“Immediately after the Heartbleed vulnerability broke, experts…made it clear that to stop Heartbleed SSL keys and certificates must be replaced,” he said. “Not reissued, but replaced – meaning that new keys are generated, new certificates issued and old certificates revoked. Exploits showed private keys could be stolen from servers and even skeptics like CloudFlare and Akamai moved quickly to replace keys and certificates.”
“Stolen keys,” he continued, “would allow websites to be impersonated and traffic to be decrypted. And with thousands more applications from IBM, Juniper, Cisco, Symantec, McAfee, Intel and many, many more vulnerable to Heartbleed behind proxies and firewalls, the extent of the vulnerability left unremediated is likely 100x larger than many think.”
“I cannot emphasize the point enough, but all keys and certificates need to be replaced now,” he said.
Although many secure websites reacted promptly to the Heartbleed bug by patching OpenSSL, replacing their SSL certificates and revoking the old ones, some have made the critical mistake of reusing the potentially compromised private key in the new certificate, Netcraft’s Paul Mutton blogged May 9. A reissued certificate built on the old key gains nothing: anyone who extracted that key while the server was vulnerable can still impersonate the site and decrypt its traffic. The check is simple: the public key in the new certificate must differ from the one in the old certificate, since a freshly generated key pair never reproduces the previous public key.
Yngve Pettersen, a software developer at Vivaldi Technologies, noted that in the weeks since the disclosure the number of vulnerable servers has gone down, but patching appears to have slowed.
“In the six scans I have made since April 11, the number of vulnerable servers has trended sharply downward, from 5.36% of all servers to 2.33% this week,” he blogged. “About 20 percent of the scanned servers support the Heartbeat TLS Extension, indicating that up to 75% of the affected servers had been patched before my first scan 4 days after the disclosure. However, while the vulnerability number had been halved, to 2.77%, after 2 weeks, in the most recent scan, 2 weeks later, the number has only been reduced to 2.33%, indicating that patching of vulnerable servers has almost completely stopped.”
Pettersen recommended that servers be patched, that certificates be replaced and the old ones revoked, and that passwords be changed.
Brian Prince is a Contributing Writer for SecurityWeek.