Security professionals are being warned to re-check their systems after researchers revealed that up to half the servers affected by the global Heartbleed flaw remain unpatched - and it could be months before the ‘long tail’ of vulnerable systems is fixed, if ever.
In a May 8 blog post, ‘white-hat’ hacker Rob Graham, CEO of Errata Security, said that one month after the Heartbleed flaw in the OpenSSL library first hit the headlines, he has scanned the internet and found over 300,000 of the 600,000 servers originally affected remain vulnerable.
Likewise Yngve Pettersen, a software developer at Opera Software and security specialist for TLS Prober Labs, blogged on May 7 that while he had found 5.36 percent of all servers were vulnerable to Heartbleed four days after it was announced, the proportion currently at risk remains close to half that number, 2.33 percent.
His figures differ from Graham's in that Pettersen says many servers could have been patched in the days before his first scan, meaning the proportion still unfixed could be just 10 to 15 percent of those originally at risk, rather than half. He also reassures users that “most publicly used vulnerable sites have been patched”.
But the two surveys show that in the best case tens of thousands of servers - and in the worst case hundreds of thousands - remain unpatched.
Pettersen also warns that efforts to fix the flaw have all but ground to a halt. He writes: “While the vulnerability number had been halved, to 2.77 percent, after two weeks, in the most recent scan, two weeks later, the number has only been reduced to 2.33 percent, indicating that patching of vulnerable servers has almost completely stopped.”
Pettersen also believes that in their rush to do something about Heartbleed, thousands of systems administrators have upgraded unaffected servers to a newer, but still ‘buggy’ version of OpenSSL. “This means that thousands of sites have gone from not having a Heartbleed problem, to having a Heartbleed problem!” he said.
Pettersen also warns of a “more problematic issue”. All servers that have been patched since April 7 should have replaced their old digital certificate, because it has to be assumed these certificates were compromised by Heartbleed. But Pettersen says up to two-thirds have not renewed their certificates. “This indicates a serious problem for the users of those sites,” he says.
Other security experts contacted by SC agree that, despite the uncertainty of the statistics, Heartbleed remains a major problem – and say security professionals should re-check their public-facing servers as the long haul to patch the flaw continues.
Paul Stone, senior consultant at UK-based independent security consultancy Context Information Security, told SC UK via email: “It's not surprising that so many servers are still vulnerable. After the initial rush to patch the vulnerability in the days after it was made public, there is now a ‘long tail’ of vulnerable servers that will be gradually patched over many months but will never completely disappear.
“Those responsible for corporate IT security should double-check their public-facing servers to make sure that none are still vulnerable to Heartbleed. It is possible that while web servers have been patched, things like mail servers or appliances that support SSL could have been missed.”
Stone added: “For users, most of the ‘important’ sites they use have probably been patched such as banking and e-commerce, but there may be one or two smaller sites they use that are still affected.”
Security expert Keith Bird, UK MD of network security specialist Check Point, was equally unsurprised at the backlog of patching work for over-burdened IT security teams.
He told SCMagazineUK.com via email: “Given the scale of the Heartbleed bug, it doesn't surprise me that a large number of systems are still not fully patched. We're now dealing with the human side of patching – the manual updates, getting new certificates and revoking the old ones.
“It's a laborious process and, even though it should be done urgently, IT teams have enough on their plate as it is. But the widespread awareness of the issue does mean that the vast majority of systems will get patched.”
Rob Graham pointed out in his blog that his original internet scan was based on 28 million systems supporting SSL and his latest survey found only 22 million. Graham suspects some servers have begun blocking his Heartbleed-detecting scans.
The Heartbleed flaw (CVE-2014-0160) was first revealed in early April and quickly led to targeted hacking attacks. It is a bug in the OpenSSL library, quickly fixed in OpenSSL version 1.0.1g, which allows hackers to steal encryption keys and so read apparently encrypted data passing through websites or other affected devices – anything from user passwords or bank details to confidential company documents.
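Stone's advice to re-check every SSL endpoint (not just web servers), Pettersen's warning about servers upgraded onto a still-buggy 1.0.1 release, and his point that certificates must be reissued after the April 7 disclosure together form an audit checklist. The Python below is an added example, not code from the article or from any tool it mentions: it applies that checklist to a host inventory. The host list, version strings and certificate dates are constructed sample data, and it assumes the OpenSSL versions have already been gathered from package inventories or banners.

```python
import re
from dataclasses import dataclass
from datetime import date

# Public disclosure of Heartbleed: a certificate issued before this date on a
# host that ran a vulnerable OpenSSL has to be treated as exposed.
DISCLOSURE = date(2014, 4, 7)

# OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g carries the fix.
# The 0.9.8 and 1.0.0 branches never contained the heartbeat bug.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")

def parse_version(text):
    """Map '1.0.1e' (or '1.0.1e-fips') to a comparable tuple; letter -> 1..26."""
    m = _VERSION_RE.match(text.strip().split("-")[0])
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter = m.groups()
    suffix = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(patch), suffix)

def is_heartbleed_vulnerable(version):
    return (1, 0, 1, 0) <= parse_version(version) < (1, 0, 1, 7)  # 1.0.1 .. 1.0.1f

@dataclass
class Host:
    name: str
    port: int            # 443, but also 993/465 (mail), 636 (LDAP), appliances
    openssl: str
    cert_not_before: date

def audit(hosts):
    """Return {'name:port': [findings]}; an empty list means nothing to do."""
    report = {}
    for h in hosts:
        issues = []
        if is_heartbleed_vulnerable(h.openssl):
            issues.append("VULNERABLE_OPENSSL")        # patch to 1.0.1g or later
        elif parse_version(h.openssl) >= (1, 0, 1, 7) and h.cert_not_before < DISCLOSURE:
            issues.append("CERT_NOT_REISSUED")        # patched, but key may be stolen
        report[f"{h.name}:{h.port}"] = issues
    return report

# Constructed inventory: a patched web server, a missed mail server, a VPN
# appliance patched without a new certificate, and an unaffected 1.0.0 host.
SAMPLE_HOSTS = [
    Host("www.example.test", 443, "1.0.1g", date(2014, 4, 10)),
    Host("mail.example.test", 993, "1.0.1e", date(2013, 6, 1)),
    Host("vpn.example.test", 443, "1.0.1g-fips", date(2013, 1, 15)),
    Host("legacy.example.test", 443, "1.0.0k", date(2012, 9, 3)),
]
```

Run `audit(SAMPLE_HOSTS)` to see only the mail server and the VPN appliance flagged; the 1.0.0 host is left alone because that branch was never affected.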