It’s more than a month since we all were warned of the critical OpenSSL Heartbleed vulnerability, but that doesn't mean it disappeared. The critical bug compromised many popular websites and after been discovered the problem was solved. But is that so?
No, not at all! A recent finding from the security researcher Robert David Graham claims that there are still more than 300,000 servers apparently remain vulnerable to the most critical OpenSSL bug, Heartbleed, which is admittedly down in numbers from the previous which resulted in over 600,000 systems a month ago.
Graham announced on the Errata Security blog that he arrived at the number through a recently done global internet scan (or at least the important bits: port 443 of IPv4 addresses), which reveals that exactly 318,239 systems are still vulnerable to the OpenSSL Heartbleed bug and over 1.5 million servers still support the vulnerable "heartbeat" feature of OpenSSL that allowed the critical bug.
“The numbers are a little strange. Last month, I found 28-million systems supporting SSL, but this month I found only 22-million. I suspect the reason is that this time, people detected my Heartbleed "attacks" and automatically firewalled me before the scan completed. Or, another problem is that I may have more traffic congestion at my ISP, which would reduce numbers. (I really need to do a better job detecting that),” Graham wrote in the blog post.
Heartbleed is a critical bug in the popular OpenSSL cryptographic software library that actually resides in the OpenSSL's implementation of the TLS (transport layer security protocols) and DTLS (Datagram TLS) heartbeat extension (RFC6520).
The count may be even larger as these mentioned number counts are only the confirmed cases. Graham may have escaped other systems either because of spam blocking or unorthodox OpenSSL setups. But it’s really shocking that after availability of Heartbleed fixes, this number has come up.
“Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL,” he wrote.
Now that the bug has been openly revealed and known to everybody, anyone can simply use it to carry out attacks against the still affected systems and 300,000 is really a troubling number. One can imagine the danger and damages caused by the bug if exploited.
Heartbleed is the encryption flaw that left large number of cryptographic keys and private data such as usernames, passwords, and credit card numbers, from the most important sites and services on the Internet open for hackers, forcing some security researchers to warn internet users against using even their everyday sites for the next few days until the problem is fully solved.
A large majority of services including many popular and major services patched their servers almost immediately, but this new global internet scan suggests that cyber criminals could still do plenty of damages against the unpopular and less technically efficient services as well. Once attackers identified the vulnerable server, they could exploit the Heartbleed vulnerability to steal sensitive data and private keys, eavesdrop on passwords in transit, or hijack a session entirely.
Software vulnerabilities may come and go, but this bug is more critical and probably the biggest Internet vulnerability in recent history as it left the contents of a server's memory, where the most sensitive data is stored exposed to the cyber attackers. This new scan was done only on port 443 and Graham said that he will try to scan for other well-known SSL ports, like SMTP and will post the results. Stay Tuned!