Vulnerabilities / Threats
5/9/2014
01:05 PM

Accidental Heartbleed Vulnerabilities Undercut Recovery Effort

Scans find 300,000 affected servers, but a surprising number of newly vulnerable servers have surfaced since the Heartbleed warning was first sounded.

Update (5/13/2014): After working with F5 to track down the apparent surge in machines sporting the Heartbleed vulnerability, researcher Yngve Pettersen has revised his findings: "Due to an issue with the network connection of the prober the test used to detect F5 BigIP [servers, it] showed higher numbers than it should have, and the numbers of such servers therefore got very inflated for the scans that were run in the past month. This means that the BigIP-related information and conclusions are not correct. ... My apologies to F5 and their customers for this mistake."


Heartbleed recovery efforts are being partially undermined by new servers coming online that use a vulnerable version of the popular OpenSSL cryptographic software library.

That warning was sounded by software developer Yngve Pettersen at Vivaldi Technologies, based on ongoing scans he has been running against sites on the Alexa list of the world's million most popular websites, looking for the OpenSSL vulnerability. Since the vulnerability was discovered in early April, he has regularly scanned about 500,000 different servers, 20% of which support the TLS Heartbeat Extension.

The good news is that overall rates have sharply declined. "In the six scans I have made since April 11, the number of vulnerable servers [has] trended sharply downward, from 5.36% of all servers, to 2.33% this week," Pettersen said Wednesday in a blog post. In fact, he said 75% of all vulnerable servers appeared to have been patched within four days of the bug being discovered.

Other scanning efforts have also charted a steep decline in the number of vulnerable servers. For example, port 443 scans conducted by Errata CEO Robert Graham one month ago found that more than half a million servers appeared to have the vulnerability. Since then, however, the number of vulnerable systems appears to have halved.

"Whereas my previous scan a month ago found 600,000 vulnerable systems, today's scan found roughly 300,000 systems -- 318,239 to be precise," Graham said Thursday in a blog post. That was out of a total of 1.5 million systems he detected that support the "heartbeat" feature. "Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL," he said. Graham also emphasized that he scanned IPv4 addresses, which won't produce like-for-like comparisons with other types of scans, for example of the DNS domain names Pettersen scanned.

While the overall drop in vulnerable sites -- by either measure -- is good news, based on his ongoing scans, Pettersen has unearthed two problems. First, many patched servers are still using their old digital certificates. "Given that any server that was patched after April 7 has to be assumed to have had its certificate private key compromised -- because criminals may have used Heartbleed to compromise their server -- this indicates a serious problem for the users of those sites," Pettersen said.

Second, there's been an alarming rise in the number of new servers that sport Heartbleed, including a sizeable number of F5's BigIP crypto accelerator servers. "In my most recent scan, 20% of the currently vulnerable servers -- as distinguished by IP addresses -- and 32% of the vulnerable BigIP servers were NOT vulnerable when they were scanned previously," he said. "This means that thousands of sites have gone from not having a Heartbleed problem to having a Heartbleed problem."

Pettersen sees two likely explanations for the increase in new servers harboring Heartbleed. First, the number of BigIP servers he's spotting has doubled in the past month, likely because F5 customers have brought new BigIP servers online. Evidently, many of those servers are using older, vulnerable firmware and haven't yet been patched to eliminate Heartbleed.

Another potential explanation for the surge in newly vulnerable machines is that some IT administrators may have thought that their OpenSSL-using servers were vulnerable to Heartbleed when they weren't. "This, perhaps combined with administrative pressure and a need to 'do something,' led them to upgrade an unaffected server to a newer but still buggy version of the system, perhaps because the system variant had not yet been officially patched," Pettersen said.

Going forward, patch managers will need to keep a close eye on version control to avoid accidentally upgrading to a Heartbleed-vulnerable version of their enterprise software before a patched version becomes available. "We expect to see administrators update to a fixed version, revoking and re-issuing certificates, and take various other steps that are applicable for their setup, as soon as possible," said Kasper Lindgaard, director of research and security at Secunia, via email.

But patches are not yet available for all vulnerable products. Accordingly, Lindgaard said, "We are not yet at a stage where everybody can simply patch. Some vendors are still in the process of identifying vulnerable products and developing patches. It will definitely take some time before we reach the milestone where it is only the end users that need to patch."


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
SgS125, User Rank: Moderator, 5/12/2014 | 4:07:11 PM
Re: Heartbleed is a vulnerability, not an infection
Thanks for the correction. I am so tired of reading about the "Heartbleed Virus", the "Heartbleed worm" and the many other inaccurate descriptions that have flown by my desk.

It's too funny when you get these requests to verify your systems from trading partners that have the request sent out by the marketing department.

I started correcting them but the flood of crap just got bigger too quickly.

And thanks to KJH for correcting the Article as well.

Robert McDougal, User Rank: Ninja, 5/12/2014 | 11:37:17 AM
Possible reason for increase in vulnerable machines.
In my experience many system administrators do not pay very close attention to security issues. The common sysadmin is more concerned with getting a working server up and online. In the same way that programmers are generally more concerned with producing usable code over secure coding, sysadmins have a similar mindset when it comes to servers.

Therefore, it is the responsibility of the information security office to constantly remind IT operations of the security vulnerabilities in a particular product. Also, it is of the utmost importance that prior to allowing a server to be put in production or placed in the DMZ, it must be evaluated for vulnerabilities.

Bprince, User Rank: Ninja, 5/11/2014 | 1:59:36 PM
Heartbleed
Some more bad news about Heartbleed: a study from Netcraft (http://news.netcraft.com/archives/2014/05/09/keys-left-unchanged-in-many-heartbleed-replacement-certificates.html) found that of all the scanned sites impacted by Heartbleed, only 43 percent had reissued their SSL certificates. On top of that, 7 percent had done so with the same private key.

BP
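The two certificate problems on this page, patched servers still serving the certificates they had before April 7 (the article) and certificates reissued with the same private key (Netcraft's finding above), can both be checked from the certificate a host served before disclosure and the one it serves now. The following is an added example, not code from the article, Netcraft or Vivaldi. It assumes DER-encoded certificates as input and walks the standard X.509 field order with a minimal DER parser; the sample certificates at the bottom are constructed, unsigned stand-ins built only for the demo (a real certificate collected by a scan is parsed the same way).

```python
"""Flag Heartbleed-era certificates that were never rotated or were reissued
with the same key.  Added example, not from the article, Netcraft or Vivaldi.
Input: DER-encoded certificates.  The sample certificates below are
constructed, unsigned stand-ins that follow the real X.509 field order.
"""
import hashlib
from datetime import datetime, timezone

HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def der_tlv(data, off=0):
    """Decode one DER tag-length-value at `off`; return (tag, value, next_off)."""
    tag, first = data[off], data[off + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form length: 0x80 | number of length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(data[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    return tag, data[start:start + length], start + length


def der_children(value):
    """Split a constructed value into (tag, inner, raw_tlv) triples."""
    out, off = [], 0
    while off < len(value):
        tag, inner, nxt = der_tlv(value, off)
        out.append((tag, inner, value[off:nxt]))
        off = nxt
    return out


def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_cert(der):
    """Return serial, notBefore and a SHA-256 fingerprint of the SubjectPublicKeyInfo."""
    _, cert, _ = der_tlv(der)             # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)             # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    nb_tag, nb_val, _ = der_children(fields[3][1])[0]
    return {"serial": serial,
            "not_before": parse_time(nb_tag, nb_val),
            "spki_sha256": hashlib.sha256(fields[5][2]).hexdigest()}


def assess_rotation(old_der, new_der, disclosed=HEARTBLEED_DISCLOSED):
    """Classify the certificate served now against the one seen before disclosure."""
    old, new = parse_cert(old_der), parse_cert(new_der)
    if new["serial"] == old["serial"]:
        return "not-reissued"                  # still the pre-disclosure certificate
    if new["spki_sha256"] == old["spki_sha256"]:
        return "reissued-same-key"             # new certificate, possibly leaked key lives on
    if new["not_before"] < disclosed:
        return "reissued-before-disclosure"    # rotated for another reason; key may still be exposed
    return "rotated"


# ---- constructed sample data (not real certificates) ----------------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

_RSA_OID = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))          # rsaEncryption
_SHA256RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption


def make_demo_cert(serial, not_before, key_bytes):
    """Build an unsigned, certificate-shaped DER blob with the standard field order."""
    spki = _tlv(0x30, _tlv(0x30, _RSA_OID + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + key_bytes))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial.to_bytes(2, "big"))
           + _SHA256RSA + _tlv(0x30, b"")                      # empty issuer Name for the demo
           + _tlv(0x30, _tlv(0x17, not_before) + _tlv(0x17, b"150101000000Z"))
           + _tlv(0x30, b"") + spki)                            # empty subject Name for the demo
    return _tlv(0x30, _tlv(0x30, tbs) + _SHA256RSA + _tlv(0x03, b"\x00" * 9))


KEY_A, KEY_B = b"\x01" * 40, b"\x02" * 40
OLD_CERT = make_demo_cert(0x1001, b"130901000000Z", KEY_A)   # observed before April 7
SAME_KEY = make_demo_cert(0x1002, b"140410000000Z", KEY_A)   # reissued, key unchanged
ROTATED = make_demo_cert(0x1003, b"140410000000Z", KEY_B)    # reissued with a fresh key

if __name__ == "__main__":
    for label, cert in (("unchanged", OLD_CERT), ("same key", SAME_KEY), ("new key", ROTATED)):
        print(label, "->", assess_rotation(OLD_CERT, cert))
```

The comparison is deliberately made on the SubjectPublicKeyInfo fingerprint rather than on the certificate fingerprint: a CA reissuing from the same CSR produces a new serial number and a new signature while the key stays the same, which is the 7 percent case Netcraft reports and which a certificate-hash comparison would miss.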

Kelly Jackson Higgins, User Rank: Strategist, 5/9/2014 | 3:01:29 PM
Re: Heartbleed is a vulnerability, not an infection
You're correct, @Mrs. Y. It was used as a figure of speech, but is not the right word that should have been used. We will fix that wording. Thank you for pointing this out.
Tyson S, User Rank: Apprentice, 5/9/2014 | 2:50:21 PM
Our company's Heartbleed audit
After patching our Apache web servers, our IT group conducted an audit to see if bad guys had used the Heartbleed exploit against us previously. How did they do that? Well, our company makes a network appliance that parses all SSL transactions going over the wire in our environment, among other things. We could look back to see if there were any heartbeat messages (the attack vector in this case) to our devices since March 2012 when the vulnerability was first introduced. Our dog food tastes great! You can read the details here: http://www.extrahop.com/post/blog/how-extrahops-it-team-performed-a-heartbleed-audit-going-back-years/
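The look-back audit described above, as an added example that is neither the commenter's nor ExtraHop's code: it assumes a byte string of raw TLS records reassembled from a capture, lists every heartbeat record (content type 24) and flags messages whose declared payload_length cannot fit inside the record, which RFC 6520 says a receiver must discard. The sample stream at the bottom is constructed for the demo.

```python
"""Audit captured TLS traffic for heartbeat records and flag malformed ones.

Added example, not from the article or from any commenter's product.  Input is
a byte string of raw TLS records (RFC 5246 record layout, RFC 6520 heartbeat
layout); the sample stream at the bottom is constructed for the demo.
"""
import struct

TLS_HEARTBEAT = 24      # content type of a heartbeat record (RFC 6520)
HB_HEADER_LEN = 3       # type (1 byte) + payload_length (2 bytes)
HB_MIN_PADDING = 16     # padding every heartbeat message must carry


def iter_tls_records(stream):
    """Yield (content_type, version, fragment) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        fragment = stream[off + 5:off + 5 + length]
        if len(fragment) < length:
            break                       # truncated record at the end of the capture
        yield ctype, version, fragment
        off += 5 + length


def audit_heartbeats(stream):
    """Return (record_index, verdict, detail) for every heartbeat record.

    RFC 6520 section 4 requires payload_length + 3 + 16 <= fragment length and
    tells receivers to silently discard anything else.  A heartbeat that breaks
    that rule is what a Heartbleed probe looks like on the wire, and the request
    stays visible in captures even after the server has been patched.
    """
    findings = []
    for idx, (ctype, _version, fragment) in enumerate(iter_tls_records(stream)):
        if ctype != TLS_HEARTBEAT:
            continue
        if len(fragment) < HB_HEADER_LEN:
            findings.append((idx, "malformed", "shorter than heartbeat header"))
            continue
        hb_type, declared = fragment[0], struct.unpack("!H", fragment[1:3])[0]
        available = max(len(fragment) - HB_HEADER_LEN - HB_MIN_PADDING, 0)
        if declared > available:
            findings.append((idx, "malformed",
                             f"payload_length {declared} but only {available} bytes available"))
        else:
            findings.append((idx, "ok", f"type={hb_type} payload_length={declared}"))
    return findings


def tls_record(ctype, fragment, version=0x0302):
    """Frame a fragment as a TLS record (used here only to build sample data)."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


# constructed sample stream: one handshake record, one well-formed heartbeat
# request (4-byte payload plus 16 bytes of padding), and one heartbeat whose
# declared payload length cannot fit in the record
SAMPLE_STREAM = (
    tls_record(22, b"\x01\x00\x00\x02\x03\x01", version=0x0301)
    + tls_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
    + tls_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 64) + b"\x00" * 16)
)

if __name__ == "__main__":
    for idx, verdict, detail in audit_heartbeats(SAMPLE_STREAM):
        print(f"record {idx}: {verdict} ({detail})")
```

Legitimate heartbeats are rare on HTTPS, so on most networks any record of content type 24 deserves a look, and the length check separates ordinary keep-alive use from a probe. Only the request is visible this way, not whether the server's response actually carried leaked memory, so an audit like this answers who sent heartbeats and when, not what was taken.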
Mrs. Y, User Rank: Apprentice, 5/9/2014 | 1:48:06 PM
Heartbleed is a vulnerability, not an infection
Heartbleed is a vulnerability arising from the heartbeat functionality of OpenSSL. I'm not sure where you got the idea that this is malware or an "infection." Heartbleed is an exploit technique against vulnerable versions of OpenSSL. You're giving out incorrect information and you should correct this in your article.