Endpoint Security , Governance & Risk Management , Next-Generation Technologies & Secure Development
Heartbleed Lingers: Nearly 180,000 Servers Still VulnerableShodan Scans Show How Bug Isn't Burning Out - Just Fading Away
Nearly three years after it was discovered, Heartbleed lingers on.
See Also: Attack Surface Management: Improve Your Attack Surface Visibility
A report from Shodan, a search engine for internet-connected devices, says that a Jan. 22 search identified 199,594 internet-connected devices that still remain vulnerable to the Heartbleed bug.
"Legacy security issues go on and on and on and on."
Heartbleed is the nickname for a vulnerability in OpenSSL, an open-source implementation of the SSL and TLS protocols that's used to secure data sent between clients and servers. The bug was jointly discovered by security firm Codenomicon and Google and publicly detailed in 2014, when related patches and fixes released.
Since the bug was first publicized on April 7, 2014, multiple researchers - including Robert David Graham, who heads research firm Errata Security - have been scanning the internet to count how many internet-connected servers that respond with a valid SSL connection appear to be vulnerable to Heartbleed. Here's what ongoing scans have found:
- April 2014: As of April 9, 2014, Graham reported finding an estimated 600,000 Heartbleed-vulnerable servers connected to the internet.
- May 2014: One month later, Graham reported finding about 320,000 servers that were still vulnerable to Heartbleed.
- January 2015: Graham's scans found 250,000 servers and other systems that connect to the internet that were still vulnerable to Heartbleed.
- May 2016: Security researcher Billy Rios told me that he'd found about 200,000 vulnerable servers (see Heartbleed Update: America the Vulnerable).
- Jan. 30, 2017: The most recent Shodan search reported that the number of Heartbleed-vulnerable devices had dropped to about 180,000, meaning that about 20,000 were apparently remediated after the Jan. 22 Shodan report came out.
The story of how Heartbleed is - or isn't - going away is easy to see: After a flurry of emergency fixes following the April 2014 Heartbleed heads-up, related patching efforts appear to have died down.
The Long Tail Lingers
The fact that old bugs never burn out - they just fade away - isn't news to security researchers. According to market researcher NetMarketShare, for example, 9 percent of all desktops still run the Windows XP operating system, which Microsoft stopped supporting in 2014 (see London Police Busted For Windows XP Possession).
In the case of Heartbleed, no doubt attrition - old servers being replaced - has led to a partial decline in vulnerabilities. But a lot of the Heartbleed-vulnerable servers appear to be hosted at Amazon Web Services. I reached out to AWS to see if they could explain why, but haven't heard back yet.
The big-picture results, however, are a reminder that vulnerable or outdated - and thus increasingly hard to secure systems - don't die out overnight, but rather fade away asymptotically, their numbers slowly arcing toward zero but never quite reaching it.
Or as Alan Woodward, a professor of computer science at the University of Surrey in England, puts it: "Legacy security issues go on and on and on and on."
After 3 years we're still seeing ~200,000 vulnerable to Heartbleed https://t.co/waIeezTu4Z Legacy security issues go on and on and on and on— Alan Woodward (@ProfWoodward) January 27, 2017