The Heartbleed vulnerability is still leaking the security out of the Internet.
A scan of the Internet by Errata Security turned about 300,000 servers still vulnerable to the flaw. The number is half as many as the firm discovered when it did a similar scan in April, but is evidence nonetheless that many sites are falling behind when it comes to patching.
“When the Heartbleed vulnerability was announced, we found 600k systems vulnerable,” blogged security researcher Robert Graham. “A month later, we found that half had been patched, and only 300k were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443, I haven’t check other ports.”
“This indicates people have stopped even trying to patch,” he added. “We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable. I’ll scan again next month, then at the 6 month mark, and then yearly after that to track the progress.”
As part of the scan, he found 1.5 million systems supporting the Heartbeat feature, with all but the 300,000 patched.
Heartbleed first made the news in April, when it was revealed that attackers could exploit improper input validation in the implementation of the TLS Heartbeat extension in OpenSSL. The vulnerability existed for more than two years before it was patched, and has been tied to a handful of attacks.
“There will always be a long tail of ignored vulnerabilities and decommissioned systems left online,” said Trey Ford, global security strategist at Rapid7. “I expect that we will still see systems vulnerable to Heartbleed on the Internet in five and even ten years from now.”
CISOs and CIOs are should not report to their CEOs, board of directors or the public that they are safe from Heartbleed until they have replaced all their keys and certificates, said Kevin Bocek, vice president of security strategy and threat research at Venafi.
“From the start it was clear: Heartbleed was not just another patch-it vulnerability. It struck at the heart of what creates trust online: SSL keys and certificates,” Bocek said. “Immediately after the Heartbleed vulnerability broke experts – from Bruce Schneier to Gartner’s Erik Heidt – made it clear that to stop Heartbleed SSL keys and certifies must be replaced. Not reissued, but replaced. Meaning that new keys are generated, new certificates issued, and old certificates revoked.”
Most enterprises keep a close watch on their Internet-facing systems, Ford said. But while while they scan frequently for missing patches and deviations from expected configurations, they still find unexpected and vulnerable systems showing up on their perimeter.
“More interesting to me are the systems on the internal network – my bet is the vast majority of organizations have a very large number of systems that are still vulnerable to Heartbleed internally,” he said.