Heartbleed Bug: What Risks Remain?
A Progress Report on Ongoing Mitigation Efforts
In the more than a month since news of the OpenSSL vulnerability known as the Heartbleed bug first surfaced, many organizations have made progress in remediating the risks. Yet the vulnerability still exists on many systems.
"Since the announcement, we're seeing Heartbleed vulnerabilities in the wild on the vast majority of penetration tests we do for clients that run a platform that could be susceptible to this bug," says Mike Weber, vice president at Coalfire Labs, a forensic investigations firm.
Although many of the risks associated with Heartbleed have been mitigated, some gaps still need to be addressed, especially patching internal systems that are using vulnerable OpenSSL versions, security experts say.
In dealing with the risks, organizations are continuing to monitor their networks, patch systems and conduct risk analyses to identify unforeseen issues, such as devices that are more difficult to patch or require consumer action to update.
"Due to the nature of the Heartbleed bug, it's difficult for people to know if they've been compromised or not," says David Chartier, CEO of Codenomicon, the Finland-based security vendor that discovered the bug, along with a researcher at Google Security.
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as e-mail, instant messaging and some VPNs (see Heartbleed Bug: What You Need to Know).
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software," a statement from Codenomicon notes.
While great strides have been made to eliminate the bug from Internet-facing systems, internal systems are still vulnerable, Weber says.
"That is, there are internal systems that are using the vulnerable OpenSSL libraries to secure communication," he says. "Enterprises are justifying the presence of this vulnerability through 'exposure' - since the internal systems can't be accessed by the Internet at large, the systems are at much lower risk of attack. While that may be mathematically true, those that can do the most damage - the insider threat - are able to exploit these systems for a much more targeted and damaging attack."
Additionally, if an unpatched internal system establishes an SSL connection outbound to a server, the server could initiate the heartbeat request and subsequently exploit it, Weber explains. "This could be the result of connecting to a compromised server, or if that server were to be impersonated via man-in-the-middle attacks."
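As an added example that is not from the article or from OpenSSL, the following Python record inspector applies the bounds check the Heartbleed fix introduced: it flags a heartbeat record whose claimed payload length cannot fit in the bytes actually received, which is the condition that detection signatures for the bug look for. The record layout and 16-byte minimum padding follow RFC 6520; the sample records are constructed here.

```python
import struct

# TLS heartbeat record (RFC 6520): content type 0x18, then a body of
# 1-byte message type, 2-byte big-endian payload_length, payload, and
# at least 16 bytes of random padding. Vulnerable OpenSSL trusted
# payload_length and copied that many bytes from memory; the fix rejects
# records where 1 + 2 + payload_length + 16 exceeds the body actually present.
TLS_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_MIN = 16

def parse_record(data: bytes):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return ctype, ver, body

def check_heartbeat(data: bytes) -> str:
    """Classify a record: 'not-heartbeat', 'ok', or 'malformed' (the
    claimed payload cannot fit in the record, i.e. the Heartbleed probe)."""
    ctype, _ver, body = parse_record(data)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(body) < 3 or body[0] not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    payload_len = struct.unpack("!H", body[1:3])[0]
    # This is the bounds check missing from vulnerable OpenSSL versions.
    if 1 + 2 + payload_len + PADDING_MIN > len(body):
        return "malformed"
    return "ok"

def scan_records(stream: bytes):
    """Walk consecutive TLS records in a byte stream and return a verdict per record."""
    verdicts, offset = [], 0
    while offset + 5 <= len(stream):
        length = struct.unpack("!H", stream[offset + 3:offset + 5])[0]
        verdicts.append(check_heartbeat(stream[offset:offset + 5 + length]))
        offset += 5 + length
    return verdicts

def heartbeat_record(payload: bytes, version: int = 0x0302) -> bytes:
    """Constructed test input: a well-formed heartbeat request carrying `payload`."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", len(payload)) + payload + b"\x00" * PADDING_MIN
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body
```

In a capture, a `malformed` verdict on an inbound heartbeat request is the signal to raise; a server that answers such a request with a heartbeat response much larger than the request confirms the peer was unpatched.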
Many organizations reacted very quickly to address the Heartbleed bug in their environments, says Satnam Narang, researcher at Symantec Security Response. "[Still], we have seen reports stating that out of 500,000 vulnerable sites, [only] 375,000 have been patched," he adds.
The Heartbleed bug is still a significant issue, says David Rockvam of Entrust, a digital certificate provider. He cites a report from Internet research firm Netcraft that identified remaining gaps.
"Although many secure websites reacted promptly to the Heartbleed bug by patching OpenSSL, replacing their SSL certificates and revoking the old certificates, some have made the critical mistake of reusing the potentially compromised private key in the new certificate," according to the Netcraft report.
"Since the Heartbleed bug was announced on April 7, more than 30,000 affected certificates have been revoked and reissued without changing the private key," Netcraft says.
According to the research firm, only 14 percent of affected websites completed all three necessary steps after patching the Heartbleed bug: replacing the SSL certificates, revoking the old ones and making sure to use a different private key.
Another concern is that a new vulnerability like Heartbleed could emerge, says Christopher Paidhrin, security administration manager at PeaceHealth, a healthcare provider in the Pacific Northwest. "The pace of code development and feature enhancement is stressing the security testing and code validation processes," he says. "The complexity of core Web services is daunting. The frequency of announced exploits is a measure of how big a challenge we face."
Organizations need to thoroughly test their critical infrastructure for bugs similar to Heartbleed, Codenomicon's Chartier stresses. "We're trying to get more organizations motivated to do that," he says. "If they don't do that, it's just a matter of time before something else is found and exploited and they may suffer."
Responding to Heartbleed
After learning of Heartbleed, the U.S. Department of Homeland Security worked to create a number of compromise detection signatures for various government systems, Larry Zelvin, director of the National Cybersecurity and Communications Integration Center at the U.S. Department of Homeland Security, said at a May 21 hearing of the House Subcommittee on Counterterrorism and Intelligence and Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.
"DHS worked with civilian agencies to scan their .gov websites and networks for Heartbleed vulnerabilities, and provided technical assistance for issues of concern identified through this process," he said. "The NCCIC and its components also began a highly active outreach to cyber researchers, critical infrastructure owners, operators and vendors ... and international partners to discuss measures to mitigate the vulnerability and determine if there had been active exploits."
Zelvin noted, however, that while there was rapid and coordinated federal government response to the Heartbleed bug, "the lack of clear and updated laws reflecting the roles and responsibilities of civilian network security caused unnecessary delays in the incident response."
Meanwhile, Christopher Glyer, technical director at Mandiant, a cybersecurity firm, says the vast majority of his company's clients have patched most of their Internet-facing and internal systems. "The larger risk going forward would be on devices that are more difficult to patch or require a consumer to take an action," he says.
And the National Association of Federal Credit Unions, which educated its members about the vulnerability, has "heard very little impact from our members other than they were working with their IT divisions to work through the fixes," says Anthony Demangone, executive vice president and chief operating officer.
A key step in mitigating the risk, Demangone says, is to conduct a basic risk analysis of operating systems. "See if the Heartbleed vulnerability is found through the various IT systems and, for that matter, your vendors you are utilizing, and then close the loop as quickly as possible," he says. "It's classic risk management."
Glyer of Mandiant says organizations should "prioritize patching devices that would allow remote access into the organization. Most organizations we are working with are actively reaching out to their vendors to determine if their software is vulnerable, and are running vulnerability scanners on internal and Internet-facing systems to help identify what needs to be fixed."
The single most important mitigation step organizations need to do is revoke, reissue and re-install certificates, Entrust's Rockvam says. Additionally, he recommends organizations upgrade systems to a software version that uses OpenSSL 1.0.1g or higher; renew SSL certificates with a new private key; ask users to change their passwords; and notify users if content may have been compromised.
Paidhrin of PeaceHealth says organizations need to complete an exposure assessment and validate that remediations were exhaustive. "If [you're] unsure of your security status, contact one of your major security vendors and ask for guidance and a review of your action plan and progress."