On April 7, 2014, CVE-2014-0160, better known as Heartbleed, was publicly disclosed by the OpenSSL project, affecting millions of users and devices around the world. Today, two years to the day after it was first reported, the vulnerability remains a risk, and the trend of branded vulnerabilities it created continues to have an impact.
OpenSSL is a widely deployed open-source technology used on endpoints, mobile devices and servers. The promise of OpenSSL is that it provides the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic libraries necessary to secure data transport. With Heartbleed, however, SSL/TLS-protected data could be decrypted, leaving users at risk. Heartbleed isn't just a theoretical risk; it has been used by hackers to attack government agencies, including the Canada Revenue Agency (CRA), as well as the largest banks in the United States.
Although patches for Heartbleed have been available publicly for two years, the flaw is still a risk and likely still being exploited by attackers taking advantage of unpatched servers.
"There are many organizations that are still at risk because they don't know what their third-party vendors are implementing in products that they run on their network," Marcus Carey, founder and CTO of vThreat, told eWEEK. "People don't even know how many computers are connected to their networks, let alone what software is running on them."
Georgia Weidman, founder and CTO at Shevirah, noted she regularly sees Heartbleed show up on Internet-facing systems during penetration tests and vulnerability assessments, from small clients to Fortune 100 companies.
"What people don't realize is that on many servers OpenSSL is the only means of protection of very sensitive data in transit," Weidman told eWEEK. "A known issue with proofs of concept and tutorials all over the Internet for how to exploit [the flaw]—that allows attackers to turn encrypted data back into plain text—is a major issue that should not be overlooked."
Among the many vendors that Heartbleed affected is Linux vendor Red Hat. Josh Bressers, security strategist at Red Hat, commented that a fix for Heartbleed was made available very quickly for all versions of Red Hat Enterprise Linux, CentOS and Fedora. Additionally, he noted that Red Hat has various automated checks that can help ensure a Red Hat customer isn't vulnerable to Heartbleed or any other fixed issue.
"If there are systems still vulnerable to Heartbleed out there, I would not expect them to be Red Hat systems," Bressers told eWEEK.
Among the many issues the Heartbleed incident highlighted was a need for more collaboration, resources and attention to securing open-source code. One of the key responses to Heartbleed came from the Linux Foundation in the form of the Core Infrastructure Initiative (CII), a group dedicated to improving open-source code security. During the last two years, CII has had an impact on helping improve security at the OpenSSL project to help prevent another Heartbleed-type incident.
"OpenSSL now has a well-known and published approach for how it will appropriately inform all interested parties of security advisories," Emily Ratliff, senior director of infrastructure security at The Linux Foundation, told eWEEK. "Even trivial patches must follow the review process."
Ratliff added that some reviews are very detailed and are discussed before going to a team vote. She said there have also been a lot of great governance improvements in the OpenSSL project, some of which were certainly self-motivated yet supported by the CII grants.
"The OpenSSL code is now cleaner, more organized, and the OpenSSL team has set a goal to avoid releasing security fixes on Thursday/Friday," Ratliff said.