On April 7, the Heartbleed security vulnerability that exposed hundreds of thousands of servers and devices to the risk of exploitation was first publicly disclosed. In the months since, organizations have been able to only partially fix the problem, according to a new study from Venafi.
The Heartbleed flaw is technically a security vulnerability in the open-source OpenSSL cryptographic library. The Heartbeat function within OpenSSL, which is supposed to help monitor status, was found to be vulnerable, which is what the Heartbleed vulnerability is all about.
When the Heartbleed vulnerability was first reported, the OpenSSL Project issued a patched update to protect against the flaw. A month after Heartbleed was first disclosed, security researcher Robert Graham scanned the Internet and found 318,239 systems still to be at risk.
According to Venafi’s new report, 99 percent of the organizations it scanned have deployed the OpenSSL patch. Simply patching the Heartbleed vulnerability, however, is not sufficient, according to Kevin Bocek, vice president of Security Strategy and Threat Intelligence at Venafi.
“It is required to also replace the private key, reissue the certificate and revoke the old certificate,” Bocek told eWEEK. “The partial remediation category consists of 449,000 of 550,000 scanned hosts that have been patched against Heartbleed (97 percent of the sample size).”
Bocek added that those partial remediation servers either failed to replace the private key or failed to revoke the old certificate.
“Only 15,000 hosts total, or 3 percent among all Global 2000 organizations scanned, have been fully remediated from Heartbleed by both deploying the OpenSSL patch and replacing keys and certificates,” he said.
Venafi’s numbers on certificate reissue stand in contrast with other sources of public data. In May, Netcraft published a study that indicated that 43 percent of sites it scanned had in fact reissued their certificates.
Venafi’s finding that 97 percent of sites are still at risk from Heartbleed is also being contested by Dmitri Alperovitch, CTO and co-founder at Crowdstrike.
“They found that 97 percent of organizations have failed to replace their SSL certificates, which is certainly recommended, but doesn’t necessarily mean they are still vulnerable to Heartbleed,” Alperovitch told eWEEK. “It’s akin to saying that even though you’ve had heart bypass surgery to mitigate a clot in an artery, you are still in immediate danger of having a heart attack because you haven’t stopped eating fatty and unhealthy foods.”
Bocek commented that some IT security leaders may be told by incident response teams that a full-scale reissue and revoke is not necessary, while others may be told that it’s too complicated or time consuming.
“Do CISOs [chief information security officers] and security teams believe that usernames and passwords should not be changed? No. Therefore, they should not, and cannot, live with a situation where all keys and certificates are not replaced,” he said.
Properly enabling and configuring SSL is a challenge, even looking beyond the Heartbleed vulnerability.
According to statistics for July 3 from the SSL Pulse project that monitors SSL across the Internet, only 25.1 percent of scanned SSL sites were considered to be secure. SSL Pulse’s data currently indicates that only 0.5 percent of the sites it scanned are still vulnerable to Heartbleed.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.