Heartbleed Takes Aim at VPNs, Other Risks Persist
NEWS ANALYSIS: Many leading Websites are now secure, but risks remain and companies should update and secure all their Web-facing technologies, including VPNs.The Heartbleed security flaw remains a risk to enterprises, two weeks after first being publicly disclosed. The Heartbleed bug is technically a security vulnerability in the open-source OpenSSL cryptographic library, which is widely used on Web servers and embedded devices. The OpenSSL project provided a patch for the Heartbleed flaw on April 7, and organizations around the world have scrambled since then to implement the patch. According to an analysis by security firm Sucuri, as of April 17, 2 percent, or 20,320 of the top 1 million sites ranked by Amazon's Alexa service were still vulnerable to the Heartbleed vulnerability. While Web servers remain a key target for the Heartbleed vulnerability, they aren't the only Internet technology that is at risk. Virtual private network (VPN) technology today is often deployed in the form of SSL-VPN, which has now been identified as also being under attack from Heartbleed.Security research group Mandiant, which became part of FireEye by way of a $1 billion acquisition earlier this year, is reporting that one of its clients was attacked by way of Heartbleed on a vulnerable SSL-VPN.
"Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions," Mandiant security researchers wrote in a blog post. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users."