Why Your Heartbleed Patch Isn’t Enough

By Jack Rosenberger

Four months after the Heartbleed bug was publicly disclosed, 97 percent of the external servers operated by Global 2000 companies remain vulnerable to the OpenSSL flaw, according to a new report by Venafi Labs, a security firm. While most of the servers have been patched to close the Heartbleed bug, fully remediating the vulnerability is a multi-step process, with patching the OpenSSL vulnerability being just the first step.

To fully remediate the Heartbleed bug, organizations need to apply the OpenSSL patch, replace the private key, re-issue the certificate, and revoke the old certificate, according to Venafi and multiple security researchers. In addition, organizations need to validate the remediation to ensure the new key and certificates are in place.
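The validation step above is where "lazy" remediation is caught: patching alone does not change what a server presents to the world, so the check has to compare the key and certificate served before remediation with what is served now. The following classifier is an added example (not part of the article or of Venafi's report) that applies exactly the four criteria listed here, plus one caveat a practitioner wants: a certificate re-issued before the host was patched may carry a key that was itself exposed. All field names and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class HostObservation:
    """Before/after evidence for one host (constructed records, not real scan data)."""
    host: str
    openssl_patched: bool           # server no longer vulnerable (OpenSSL patch applied)
    patched_on: Optional[date]      # date the patch was applied, if known
    old_spki_sha256: str            # hash of the public key served before remediation
    new_spki_sha256: str            # hash of the public key served now
    old_serial: str                 # serial of the certificate served before remediation
    new_serial: str                 # serial of the certificate served now
    new_not_before: Optional[date]  # notBefore of the certificate served now
    old_cert_revoked: bool          # old serial is on the CA's CRL or OCSP reports revoked

def classify(o: HostObservation) -> Tuple[str, List[str]]:
    """Return ('vulnerable' | 'partial' | 'full', findings) for one host."""
    if not o.openssl_patched:
        return "vulnerable", ["OpenSSL still unpatched; nothing else counts until it is"]
    findings: List[str] = []
    if o.new_spki_sha256 == o.old_spki_sha256:
        findings.append("private key not replaced: the exposed key is still in use")
    if o.new_serial == o.old_serial:
        findings.append("certificate not re-issued")
    elif o.patched_on and o.new_not_before and o.new_not_before < o.patched_on:
        # A key generated while the host was still vulnerable could have leaked too.
        findings.append("certificate re-issued before the patch; treat the new key as exposed")
    if not o.old_cert_revoked:
        findings.append("old certificate not revoked: still usable for spoofing/phishing")
    return ("full" if not findings else "partial"), findings

def summarize(observations: List[HostObservation]) -> Dict[str, int]:
    """Count hosts per remediation state, the way the report tallies them."""
    counts = {"vulnerable": 0, "partial": 0, "full": 0}
    for o in observations:
        counts[classify(o)[0]] += 1
    return counts

SAMPLE = [  # constructed hosts covering full, lazy, early-reissue and unpatched cases
    HostObservation("full.example", True, date(2014, 4, 9), "aa11", "bb22", "01", "02", date(2014, 4, 10), True),
    HostObservation("lazy.example", True, date(2014, 4, 9), "aa11", "aa11", "01", "03", date(2014, 4, 12), False),
    HostObservation("early.example", True, date(2014, 4, 15), "aa11", "cc33", "01", "04", date(2014, 4, 8), True),
    HostObservation("unpatched.example", False, None, "aa11", "aa11", "01", "01", None, False),
]

if __name__ == "__main__":
    for obs in SAMPLE:
        print(obs.host, *classify(obs))
    print(summarize(SAMPLE))
```

In practice the old hashes and serials come from a pre-remediation inventory and the new ones from a fresh TLS handshake against each host, so the comparison is only as good as the inventory.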

Organizations that fail to fully remediate the Heartbleed bug are vulnerable to Heartbleed-based attacks, potentially enabling intelligence agencies, cybercriminals and other adversaries to steal their passwords and other sensitive data and to launch phishing campaigns against them and their customers.

A Lack of Due Diligence

For its just-released “Venafi Labs Q3 Heartbleed Threat Research Analysis” report, the security firm analyzed the Websites of 1,639 Global 2000 organizations earlier this year to identify SSL/TLS vulnerabilities.

The positive news, according to Venafi, is that 387 Global 2000 organizations have fully remediated Heartbleed.

The decidedly less positive news is that of the 460,000 machines it scanned, Venafi found that 449,000 of them—or 97 percent of the sample—had received only partial remediation. According to Venafi, these organizations performed “lazy” remediation by failing to replace the private key or failing to revoke the old certificate.

“Failure to replace the private key allows an attacker to decrypt any SSL traffic for the impacted [machine],” according to Venafi. “Failure to revoke the old certificate enables the attacker to use the old certificate in phishing campaigns against the organization and its customers.”

In addition, Venafi found that less than one percent of the scanned servers (i.e., fewer than 4,600 machines) were still vulnerable to the Heartbleed bug as they had yet to even patch the OpenSSL flaw, let alone take any additional security measures.

Entering Through an Open Door

Heartbleed-related exploits occurred in November 2013, according to the Electronic Frontier Foundation, six months before the OpenSSL vulnerability was discovered by Neel Mehta of Google’s security team on April 1, 2014. Security expert Bruce Schneier and others have urged organizations to assume that intelligence agencies, cybercriminals and others have launched attacks using the exposed keys and certificates during the time period the OpenSSL flaw was exposed, which was a two-year window of opportunity.

Therefore, replacing the keys and certificates is a necessity, according to Schneier, Gartner’s Erik Heidt, and other security experts.

Failure to replace the keys and certificates “leaves the door open for attackers to spoof legitimate Websites, decrypt private communications, and steal sensitive information sent over SSL,” according to the Venafi report.

If “someone walks into your house through an open door and steals your house keys, you don’t then rely on the same locks once you’ve closed the door,” Kevin Bocek, a Venafi vice president of security strategy and threat intelligence, told SecurityWeek. “Organizations must find and replace all of their keys and certificates—all of them.”

The Heartbleed bug gathered widespread international attention and notoriety when it was publicly disclosed last April. In writing about Heartbleed on his security blog, Bruce Schneier declared that on “a scale of 1 to 10, this is an 11.” Unfortunately for many Global 2000 organizations, the Heartbleed vulnerability still appears to be a major security threat.

About the Author

Jack Rosenberger is the managing editor of CIO Insight. You can follow him on Twitter via @CIOInsight. His previous CIO Insight article is “Are Your Virtual Servers Safe?”