Heartbleed Alert: Vulnerability Persists
Researcher Says 250,000 Systems Still Have Serious Flaw
The Heartbleed bug remains present on about 250,000 servers and other systems that connect to the Internet, according to Robert David Graham, who heads information security research firm Errata Security.
Graham has been conducting massive scans of the Internet, looking for signs of the Heartbleed bug, which is present in some versions of the widely used OpenSSL cryptographic toolkit. "When I scan the Internet, I see around 250,000 vulnerable servers," Graham says. "They are mostly things like cameras, NAS [network attached storage] boxes, small mom-and-pop servers, and forgotten servers that aren't really used anymore."
Multiple security experts, reached for comment on Graham's findings, say that while they don't have the means to independently verify them, the continuing prevalence of Heartbleed bugs in systems does not surprise them.
How Heartbleed Lingers
Numerous types of online communications - ranging from browsing websites, to using e-mail and instant messaging tools, to virtual private networks - rely on OpenSSL to maintain users' security and privacy. But the number of systems that are vulnerable to Heartbleed hasn't declined substantially since May 2014, when Graham found about 300,000 vulnerable systems. Still, that did mark a sharp decline from the 600,000 vulnerable systems he recorded the previous month, in the days after the OpenSSL vulnerability was made public on April 7, 2014.
Graham's May 2014 scan found about 1.5 million systems that support the "heartbeat" feature in OpenSSL. His research suggests that about 83 percent of vulnerable servers and devices have now been patched.
Craig Williams, who manages Cisco's Talos Security Intelligence and Research Group, tells Information Security Media Group that his team's scans have found slightly more than 1 million systems running OpenSSL, of which 56 percent have a version that is more than 50 months old. Not all of those systems are vulnerable to Heartbleed, however, because the bug was introduced with OpenSSL 1.0.1, which was released March 14, 2012. No prior versions of OpenSSL - including 1.0.0 and 0.9.8 - were vulnerable.
Heartbleed was fixed with OpenSSL version 1.0.1g, which was released on April 7, 2014, after which many enterprises went into furious patching mode, beginning with their OpenSSL-using Apache servers.
Many devices that run embedded firmware, such as NAS boxes, Internet-connected cameras and SOHO devices, still use outdated - if not Heartbleed-vulnerable - OpenSSL, Graham says. So security researchers recommend that IT administrators ensure they maintain an accurate inventory of all such network-connected devices, track related operating system and firmware versions, and apply related updates as quickly as possible. Should updates for outdated or Heartbleed-vulnerable versions of OpenSSL not yet be available for a device, the prevailing security wisdom is to either quarantine or replace such devices.
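A small inventory-triage helper, added here as an example and not code from the article or any of the researchers it quotes, that applies the version range stated above (affected from OpenSSL 1.0.1 up to but not including 1.0.1g) to device banners. The hostnames and banner strings are constructed, and a "check" result is only a prompt for a real patch-level check, because vendor builds can carry the fix under an unchanged version string.

```python
import re
from typing import Optional

# Heartbleed range as stated in the article: introduced in OpenSSL 1.0.1
# (14 Mar 2012), fixed in 1.0.1g (7 Apr 2014); 1.0.0 and 0.9.8 are unaffected.
FIRST_AFFECTED = (1, 0, 1, 0)  # 1.0.1 with no letter suffix
FIRST_FIXED = (1, 0, 1, 7)     # 1.0.1g: 'g' is the 7th patch letter

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

def parse_openssl_version(banner: str) -> Optional[tuple]:
    """Turn 'OpenSSL 1.0.1e-fips 11 Feb 2013' into a comparable tuple
    (major, minor, patch, letter_rank); None if no version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    # Upstream letter suffixes sort '' < a < b < ... < z; pre-release tags
    # such as '-beta' are not modelled here.
    rank = 0
    for ch in letters.lower():
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(patch), rank)

def classify(banner: str) -> str:
    """'check': upstream version inside the affected range. That is a prompt
    for a real patch-level check, not proof: vendors (Linux distributions in
    particular) sometimes backport the fix without changing the version string.
    'unknown': no OpenSSL version could be read from the banner."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    if FIRST_AFFECTED <= v < FIRST_FIXED:
        return "check"
    return "not-affected"

# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = {
    "cam-lobby-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",  # check (unless fix backported)
    "nas-finance": "OpenSSL 1.0.1 14 Mar 2012",         # check
    "web-legacy": "OpenSSL 0.9.8y 5 Feb 2013",          # not-affected (predates the bug)
    "web-prod": "OpenSSL 1.0.1g 7 Apr 2014",            # not-affected (fixed release)
    "printer-3f": "lighttpd/1.4.35",                    # unknown (no OpenSSL banner)
}

if __name__ == "__main__":
    for name, banner in SAMPLE_INVENTORY.items():
        print(f"{name:14} {classify(banner)}")
```

Devices that report "unknown" still need a manual look, since an embedded web interface often hides the library version entirely.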
Attacks Leave No Traces
Heartbleed remains a serious flaw that an attacker can use to access the memory of systems that run the open source cryptographic tool and eavesdrop on communications, steal data, as well as impersonate sites, services or users, all without leaving a trace (see Application Security: Four Key Steps). The flaw can also be targeted to launch distributed denial-of-service attacks. "It absolutely still represents a threat," says Alan Woodward, who's a visiting professor at the department of computing at Britain's University of Surrey. "We have seen attacks that have exploited routers and similar embedded devices not just by using them as a means of entry to a network but also in co-opting them in mounting onward attacks such as DDOS attacks."
The prevalence of Heartbleed provides would-be criminals with yet another potential technique for automatically exploiting large numbers of devices. "Criminals are constantly scanning the Internet for vulnerable devices, including those with the OpenSSL vulnerability," says Dublin-based Brian Honan, who heads Ireland's computer emergency response team and serves as a cybersecurity adviser to the association of European police agencies known as Europol.
Heartbleed-exploiting hack attacks have been blamed for a breach of U.K. parenting website Mumsnet that led to 1.5 million user accounts being exposed. Some security experts also say that Heartbleed was the "initial entry point" in the hack attack against Community Health Systems, which operates 206 hospitals in 29 states. The breach led to the compromise of 4.5 million patients' information.
Culprit: Embedded Firmware
Many security experts say that they're not surprised that there are still so many systems that are vulnerable to Heartbleed. "Why am I not surprised? Well, when we all learned of OpenSSL issues - as with the Bash bug - the biggest threat was always going to be where it was used in an embedded way, as such firmware is updated much less often than the main servers we all tend to think about when such a flaw is found," Woodward says.
"Embedded software - firmware - is updated less frequently for two reasons: the operators tend not to think about doing updates, and the suppliers tend not to issue as many updates, because the devices are very price-sensitive and a new model is produced every few months," he adds. Such forced obsolescence on the part of some manufacturers means the only way to secure some devices - which, by the way, underpin the burgeoning Internet of Things - may be to throw them out and buy new ones, which is precisely what many experts recommend doing. "Anything more than a few models old, and you tend to be a distant memory for some suppliers," Woodward warns.
Unless that happens, however, it's unlikely that the number of devices that are vulnerable to Heartbleed will decline quickly from the 250,000 mark. That's because another patching reality is simply that not every vulnerable system gets fixed. Indeed, beyond Heartbleed, "there are many other widely known security vulnerabilities in various applications and operating systems that still remain unpatched," Honan says. That's also why many vulnerabilities never die, but rather - after an initial flurry of fixes - fade away, sometimes very, very slowly.