11 Heartbleed Facts: Vulnerability Discovery, Mitigation Continue

Millions of websites, applications from Cisco and VMware, Google Play apps, as well as millions of Android devices are vulnerable -- and the list keeps growing.

Just how many products and websites need to be patched, and related digital certificates revoked and reissued, before the Heartbleed vulnerability will be mitigated?

Heartbleed, the recently spotted vulnerability in OpenSSL, could allow attackers to steal websites' private keys. Google engineer Neel Mehta and the Finnish security firm Codenomicon discovered the flaw separately this month. But information about the vulnerability, which later became known as Heartbleed, wasn't made public until OpenSSL issued an April 7 security advisory about a "TLS heartbeat read overrun." At that time, more than half of all web servers, collectively hosting more than 500 million websites, were thought to be vulnerable.

What's the status of Heartbleed vulnerability discovery and related mitigation efforts since then? Here are 11 related facts.

1. Sites: Who patched early?
Before April 7, information about the bug was shared with some organizations -- including Akamai, CloudFlare, and Facebook -- which added safeguards to mitigate the vulnerability, the Sydney Morning Herald reported. Google also informed multiple organizations about the flaw before the information was publicly released, though so far it has declined to name the organizations to which it spoke.

2. Most sites learned about flaw later
However, many other sites appear to have learned about Heartbleed only after OpenSSL issued its April 7 public security advisory. Those sites appear to include Amazon Web Services, Box, Cisco, Dropbox, Flickr, GitHub, GoDaddy, IFTTT, Instagram, Juniper, Netflix, OKCupid, Pinterest, Soundcloud, Tumblr, Twitter, Ubuntu, Vonage, Wikipedia, Wordpress, and Yahoo. Many of those sites have patched the flaw or are in the process of doing so.

3. Good news: Certificate revocations have spiked
What of the millions of other affected sites? Many of them have already begun switching out their digital certificates, which is good news. Alex Stanford, research operations manager for the SANS Internet Storm Center, said in a blog post Wednesday that there's been a "massive spike" in recent days in the number of digital certificate revocations reported via Certificate Revocation Lists (CRLs). This indicates that businesses are reissuing digital certificates that were in place before they patched OpenSSL.

"The spike is so large that we initially thought it was a mistake, but we have since confirmed that it's real! We're talking about over 50,000 unique revocations from a single CRL," Stanford said. "This is by an order of magnitude the largest spike in revocation activity seen in years, according to our current data."

However, one related cause for concern is that the volume of revoked certificates being reported by various CRLs may be so large that, at least in the short term, servers won't be able to keep up with it.

4. Site assessment: Which remain vulnerable?
Which sites are still vulnerable to Heartbleed? Multiple organizations have created tools -- such as the LastPass Heartbleed checker and the Firefox plug-in from proactiveRISK -- to enable consumers to identify which of the sites they use might be vulnerable or have been vulnerable. Other sites are maintaining lists of vulnerable sites and tracking when they've been updated.

When it comes to using website assessment tools, however, you should take their findings with a grain of salt, since their accuracy relies in part on site administrators self-reporting some data. "These checkers will tell you when a site has updated its SSL certificate only if the date that the new SSL certificate was employed was updated as well," Ashley Thurston, community manager at the password manager Dashlane, said in a blog post. "But not all SSL certificate providers updated that date when they rolled out the new certificates. In short, looking at that date is not enough."
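The date test those checkers apply, with both caveats the article raises (a provider may not have updated the certificate date, and a certificate issued before the OpenSSL patch has to be replaced again), as an added Python example that is not from the article or from any of the tools it names. It reads notBefore straight out of DER with a minimal ASN.1 walker; the sample certificate is constructed inline and is not a real or signed certificate, and the April 7 disclosure date is the one the article gives.

```python
from datetime import datetime, timezone

# OpenSSL's "TLS heartbeat read overrun" advisory date, as given in the article.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

def der_encode(tag, payload):
    """DER TLV with short-form length; enough for the constructed sample certificate."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def der_decode(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long form: next (n & 0x7F) bytes hold the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_decode(value, pos)
        yield tag, val

def cert_not_before(cert_der):
    """Read notBefore from a DER X.509 certificate (RFC 5280 field order)."""
    _, cert_body, _ = der_decode(cert_der)                    # Certificate SEQUENCE
    tbs = next(der_children(cert_body))[1]                    # tbsCertificate
    fields = [f for f in der_children(tbs) if f[0] != 0xA0]   # drop optional [0] version
    tag, raw = next(der_children(fields[3][1]))               # serial, sigAlg, issuer, validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def assess(cert_der, patched_at=None):
    """The checkers' date test plus the article's caveats; patched_at is 'YYYY-MM-DD' (UTC)."""
    not_before = cert_not_before(cert_der)
    if not_before < HEARTBLEED_DISCLOSURE:
        return "unknown"        # old date, but some providers never updated it on reissue
    if patched_at is None:
        return "inconclusive"   # new certificate, but nothing to compare the patch date against
    if not_before < datetime.fromisoformat(patched_at).replace(tzinfo=timezone.utc):
        return "reissue-again"  # issued while OpenSSL was still vulnerable: key may be exposed
    return "reissued-after-patch"

def make_cert(not_before_utctime):
    """Constructed sample: minimal DER certificate with placeholder algorithm, issuer and
    signature fields, carrying only what the check above walks (not a valid certificate)."""
    t = der_encode(0x17, not_before_utctime.encode())
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
           + der_encode(0x30, b"") + der_encode(0x30, b"") + der_encode(0x30, t + t))
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
```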

5. Users: When to update passwords
For website users, the immediate concern -- and one of the few aspects of the situation over which they have direct control -- concerns their passwords. The prevailing advice at the moment is to change all your passwords, starting with the most critical sites, such as online banking and email accounts. After a vulnerable site has updated its digital certificates, change the passwords again, and that Heartbleed inoculation should be complete.

6. Android: Heartbleed hits 4.1.1, custom 4.2.2
Some Android users are also at risk, and they will have to wait for updates from their device manufacturer or carrier. But who, exactly, is at risk? The mobile security firm Lookout created a Heartbleed Detector, so Android users can assess whether their version of the operating system is vulnerable.

Lookout said via email Tuesday that, of the 102,000 Android users who had used the scanning tool to date and agreed to share their results, only 4% had devices that were vulnerable. Overall, 86% of users running Android 4.1.1 were affected, while 5% of users running 4.2.2 were affected. "This suggests 4.2.2 is patched, and those affected are running custom ROMs."

7. Android apps connect to vulnerable servers
Many Android apps are also at risk from Heartbleed, because they connect to vulnerable servers. Last week, Trend Micro reported finding 1,300 apps on Google Play -- which offers 390,000 apps -- that connected to vulnerable servers, including 15 bank-related apps, 39 payment-related apps, and 10 online shopping apps, as well as "several popular apps" on the IM and mobile-payment front. By Sunday, Trend Micro had reported finding 7,000 Google Play apps that connected to vulnerable servers.

In addition, the company found 273 apps available via Google Play that "are bundled with the standalone affected OpenSSL library, which means those apps can be compromised in any device."

8. Oracle: 20 applications may be vulnerable
For businesses that use Oracle, the company warned in a security advisory Wednesday that six of its applications are vulnerable to Heartbleed and have been patched. Those applications are Oracle Linux 6, MySQL Enterprise Monitor, MySQL Enterprise Server (version 5.6), Oracle Communications Session Monitor Suite (3.3.40, 3.3.50), Oracle Mobile Security Suite, and some instances of Solaris 11.2.

Oracle also said it's still investigating 14 other applications that may be vulnerable to Heartbleed. They range from ATG Products and MySQL Connector/C++ to Oracle Service Bus and Oracle SOA Suite. The company hasn't committed to a timeline for releasing further required patches.

9. VMware
By comparison, VMware has said that 27 of its products will need a Heartbleed patch, and it has promised to ship all related updates by April 19. After being patched, affected products shipped with OpenSSL 1.0.1 will need to have their digital certificates replaced and their passwords reset. The affected products include NSX for Multi-Hypervisor Manager (4.0.x and 4.1.x), vCenter Server 5.5, VMware vCloud Automation Center 6.x, and VMware vCloud Networking and Security 5.5.1.

10. Vendors still reviewing products for Heartbleed
As Cisco's security warning makes clear, many vendors don't yet know how many of their products might be vulnerable to Heartbleed. That's going to create ongoing confusion for enterprise patch managers, compounded by the fact that there's no single, reliable source of information so far about Heartbleed bugs, in part because information about the vulnerability has rapidly become public knowledge.

"The lack of coordination preceding the disclosure of the vulnerability means that everybody is now playing catch-up, trying to contain the damage," Kasper Lingaard, head of research at Secunia, said via email. "Smaller vendors with only a few vulnerable programs in their portfolio only have a few patches to roll out. But for bigger vendors, like Cisco, IBM and HP, it's a very different story."

11. More infrastructure: Scope still unclear
Furthermore, when it comes to enterprise infrastructure, some security experts say it may take businesses at least another 24 months to patch every last vulnerable internal web server and SSL-enabled service, which may range from FTP and VoIP phones to printers and VPN servers and clients, including OpenVPN. Of course, that timeline assumes businesses correctly inventory and identify all vulnerable systems in the first place.

As that suggests, fixing Heartbleed won't be cheap. Some experts say the cleanup costs, including patching systems and reissuing digital certificates, could run to hundreds or even thousands of dollars per server.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
Bprince, User Rank: Ninja, 4/18/2014 | 10:31:27 PM
Heartbleed
This is a great post Matt. Does anyone have a problem with the way companies were notified? Certain companies were told early, certain companies weren't, and there are vendors that still don't know if their products are vulnerable. Should more have been done to coordinate notification and fixes?

 
Markus5, User Rank: Strategist, 4/18/2014 | 3:04:25 AM
When to update the passwords
I will update the passwords now and a couple of days or weeks later again to make sure I am safe. Luckily I use Sticky Password which helps me with managing the hassle.