It has been roughly a month since the ‘Heartbleed‘ vulnerability in OpenSSL became public, and for all the publicity, many organizations remain vulnerable.
According to Netcraft, many organizations are not going far enough to patch the vulnerability. Just 43 percent of the sites the company scanned reissued their SSL certificates in light of the bug, meaning the majority of the sites were still susceptible. In addition, seven percent of the reissued SSL certificates were reissued using the same private key. Fifty-seven percent of the sites took no action whatsoever – they have neither reissued nor revoked their old certificates.
From the start, it was clear that Heartbleed was not a normal vulnerability – it struck at the heart of online trust, Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told SecurityWeek. The vulnerability is due to certain versions of OpenSSL not properly handling Heartbeat extension packets. The end result is that remote attackers can steal sensitive information from process memory using specially-crafted packets that cause a buffer over-read.
“Immediately after the Heartbleed vulnerability broke experts…made it clear that to stop Heartbleed SSL keys and certifies must be replaced,” he said. “Not reissued, but replaced – meaning that new keys are generated, new certificates issued and old certificates revoked. Exploits showed private keys could be stolen from servers and even skeptics like CloudFlare and Akamai moved quickly to replace keys and certificates.”
“Stolen keys,” he continued, “would allow websites to be impersonated and traffic to be decrypted. And with thousands more applications from IBM, Juniper, Cisco, Symantec, McAfee, Intel and many, many more vulnerable to Heartbleed behind proxies and firewalls, the extent of the vulnerability left unremeditated is likely 100x larger than many think.”
“I cannot emphasize the point enough, but all keys and certificates need to be replaced now,” he said.
Although many secure websites reacted promptly to the Heartbleed bug by patching OpenSSL, replacing their SSL certificates and revoking the old ones, some have made the critical mistake of reusing the potentially-compromised private key in the new certificate, Netcraft’s Paul Mutton blogged May 9.
Yngve Pettersen, a software developer at Vivaldi Technologies, noted that in the weeks since the disclosure the number of vulnerable servers has gone down, but patching appears to have slowed.
“In the six scans I have made since April 11, the number of vulnerable servers have trended sharply downward, from 5.36% of all servers, to 2.33% this week,” he blogged. “About 20 percent of the scanned servers support the Heartbeat TLS Extension, indicating that up to 75% of the affected servers had been patched before my first scan 4 days after the disclosure. However, while the vulnerability number had been halved, to 2.77%, after 2 weeks, in the most recent scan, 2 weeks later, the number has only been reduced to 2.33%, indicating that patching of vulnerable servers has almost completely stopped.”
Pettersen recommended that servers be patched, certificates updated and revoked and passwords be changed.
*This story was updated with additional information.