On April 7, 2014, CVE-2014-0160, better known as Heartbleed, was publicly disclosed by the OpenSSL project, affecting millions of users and devices around the world. Today, two years to the day since it was first reported, the vulnerability remains a risk, and the trend of branded vulnerabilities it created continues to have an impact.
OpenSSL is a widely deployed open-source technology used on endpoints, mobile devices and servers. It provides the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic library needed to protect data in transit. Heartbleed, however, was a bug in OpenSSL's implementation of the TLS heartbeat extension: a malformed heartbeat request could make a server (or client) return up to 64KB of its own process memory per request, and that memory could contain private keys, session cookies and passwords. With a stolen private key, an attacker can decrypt captured SSL/TLS traffic or impersonate the server, leaving users at risk. Heartbleed isn't just a theoretical risk; it has been used by hackers to attack government agencies, including the Canada Revenue Agency (CRA), as well as the largest banks in the United States.
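To make the flaw described above concrete, here is an added example written for this page (it is neither eWEEK's nor the OpenSSL project's code). It reproduces the shape of the vulnerable heartbeat handler beside a version carrying the two length checks the OpenSSL 1.0.1g fix added, and runs both over a constructed heartbeat record placed in front of a made-up "secret" string that stands in for a private key or session cookie. The record layout, the secret, the claimed payload length of 60 bytes and all function names are assumptions made for the demonstration; a real attacker claims up to 65,535 bytes per request.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_HDR           3    /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_PADDING       16   /* minimum random padding after the payload */

/* Common tail shared by both handlers: allocate and fill the response.
 * Returns the response length; *out is malloc'd and owned by the caller. */
static size_t build_response(size_t payload, const uint8_t *pl, uint8_t **out)
{
    size_t resp_len = HB_HDR + payload + HB_PADDING;
    uint8_t *buf = malloc(resp_len);
    if (buf == NULL) return 0;
    buf[0] = TLS1_HB_RESPONSE;
    buf[1] = (uint8_t)(payload >> 8);
    buf[2] = (uint8_t)(payload & 0xff);
    memcpy(buf + HB_HDR, pl, payload);               /* echo the *claimed* payload */
    memset(buf + HB_HDR + payload, 0, HB_PADDING);   /* OpenSSL used RAND_pseudo_bytes */
    *out = buf;
    return resp_len;
}

/* Shape of CVE-2014-0160: the payload length comes from the peer and is never
 * compared with the length of the record actually received, so the memcpy in
 * build_response() walks past the record into neighbouring memory.
 * (The 3-byte header check exists here only so this demonstration never reads
 * outside its constructed buffer; OpenSSL 1.0.1f had no check at all.) */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t **out)
{
    if (rec_len < HB_HDR) return 0;
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled, trusted as-is */
    return build_response(payload, rec + HB_HDR, out);
}

/* Hardened handler following the two checks the OpenSSL 1.0.1g fix added:
 * the record must hold at least a header plus padding, and the claimed
 * payload plus header plus padding must fit inside the record. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t **out)
{
    if (HB_HDR + HB_PADDING > rec_len) return 0;              /* silently discard */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PADDING > rec_len) return 0;    /* the Heartbleed check */
    return build_response(payload, rec + HB_HDR, out);
}

/* Constructed stand-in for a private key or session cookie (not real data). */
static const char SECRET[] = "SESSION=s3cr3t-cookie";

/* Constructed "process memory": a 23-byte heartbeat record (3-byte header,
 * 4-byte payload "ping", 16 bytes padding) whose header claims a 60-byte
 * payload, followed by SECRET, which is not part of the record at all.
 * Returns 1 if the handler's response contains SECRET, 0 otherwise. */
static int echoes_neighbouring_memory(size_t (*handler)(const uint8_t *, size_t, uint8_t **))
{
    uint8_t mem[96] = {0};
    const size_t real_len = 4, claimed = 60;
    const size_t rec_len = HB_HDR + real_len + HB_PADDING;    /* 23 bytes on the wire */

    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + HB_HDR, "ping", real_len);
    memcpy(mem + rec_len + 8, SECRET, sizeof SECRET - 1);     /* just past the record */

    uint8_t *resp = NULL;
    size_t n = handler(mem, rec_len, &resp);
    int leaked = 0;
    for (size_t i = 0; i + (sizeof SECRET - 1) <= n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0) { leaked = 1; break; }
    free(resp);
    return leaked;
}

/* A well-formed request (claimed length matches what was sent) must still be
 * answered after the fix. Returns 1 if the response echoes "ping", 0 otherwise. */
static int answers_well_formed_request(size_t (*handler)(const uint8_t *, size_t, uint8_t **))
{
    uint8_t rec[HB_HDR + 4 + HB_PADDING] = { TLS1_HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g' };
    uint8_t *resp = NULL;
    size_t n = handler(rec, sizeof rec, &resp);
    int ok = n == sizeof rec && resp != NULL && resp[0] == TLS1_HB_RESPONSE &&
             memcmp(resp + HB_HDR, "ping", 4) == 0;
    free(resp);
    return ok;
}

int main(void)
{
    printf("vulnerable handler leaks neighbouring memory: %s\n",
           echoes_neighbouring_memory(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks neighbouring memory:      %s\n",
           echoes_neighbouring_memory(heartbeat_fixed) ? "yes" : "no");
    printf("fixed handler still answers a valid request:  %s\n",
           answers_well_formed_request(heartbeat_fixed) ? "yes" : "no");
    return 0;
}
```

The point to take from the two handlers is that the bug was not in the cryptography at all: the record layer had already decrypted and authenticated the heartbeat message, and a single missing comparison between a peer-supplied length and the actual record length turned a keepalive into a memory disclosure primitive. The same pattern (length field trusted over the bytes actually present) is worth grepping for in any parser that handles attacker-controlled framing.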
Although patches for Heartbleed have been available publicly for two years, the flaw is still a risk and likely still being exploited by attackers taking advantage of unpatched servers.
“There are many organizations that are still at risk because they don’t know what their third-party vendors are implementing in products that they run on their network,” Marcus Carey, founder and CTO of vThreat, told eWEEK. “People don’t even know how many computers are connected to their networks, let alone what software is running on them.”
Georgia Weidman, founder and CTO at Shevirah, noted she regularly sees Heartbleed show up on Internet-facing systems during penetration tests and vulnerability assessments, from small clients to Fortune 100 companies.
“What people don’t realize is that on many servers OpenSSL is the only means of protection of very sensitive data in transit,” Weidman told eWEEK. “A known issue with proofs of concept and tutorials all over the Internet for how to exploit [the flaw]—that allows attackers to turn encrypted data back into plain text—is a major issue that should not be overlooked.”
Among the many vendors that Heartbleed affected is Linux vendor Red Hat. Josh Bressers, security strategist at Red Hat, commented that a fix for Heartbleed was made available very quickly for all versions of Red Hat Enterprise Linux, CentOS and Fedora. Additionally, he noted that Red Hat has various automated checks that can help ensure a Red Hat customer isn't vulnerable to Heartbleed or any other fixed issue.
“If there are systems still vulnerable to Heartbleed out there, I would not expect them to be Red Hat systems,” Bressers told eWEEK.
Among the many issues the Heartbleed incident highlighted was a need for more collaboration, resources and attention to securing open-source code. One of the key responses to Heartbleed came from the Linux Foundation in the form of the Core Infrastructure Initiative (CII), a group dedicated to improving open-source code security. During the last two years, CII has had an impact on helping improve security at the OpenSSL project to help prevent another Heartbleed-type incident.
“OpenSSL now has a well-known and published approach for how it will appropriately inform all interested parties of security advisories,” Emily Ratliff, senior director of infrastructure security at The Linux Foundation, told eWEEK. “Even trivial patches must follow the review process.”
Ratliff added that some reviews are very detailed and are discussed before going to a team vote. And, she said, there also have been a lot of great governance improvements in the OpenSSL project, some of which were certainly self-motivated yet supported by the CII grants.
“The OpenSSL code is now cleaner, more organized, and the OpenSSL team has set a goal to avoid releasing security fixes on Thursday/Friday,” Ratliff said.
Heartbleed Remains a Risk 2 Years After It Was Reported
Additionally, there are coding style guidelines, and the OpenSSL project is receiving more fixes via GitHub. Ratliff noted that the OpenSSL team has implemented continuous integration and has several cross-compiles running on a build farm provided by Cisco. CII has also funded an external audit of the OpenSSL code base to further validate security.
“While not credited to CII, OpenSSL has also gained additional scrutiny from ethical hackers at Google who are now also evaluating the code—sort of an independent code audit,” Ratliff said. “This level of review has actually increased the flow of security vulnerabilities in the short term; however, in the long term, these activities are very positive for the project.”
Red Hat’s Bressers agreed with the notion that OpenSSL is improving and the CII is having a positive impact. He noted that Red Hat supports the CII’s mission, as it aligns directly with Red Hat’s own mission of bolstering support for open-source innovation at the community level.
“Looking just at OpenSSL, the number of total bugs closed has increased while the number of open bugs has sharply decreased,” Bressers said. “And fewer bugs, particularly potentially dangerous bugs like Heartbleed, are always a positive for Red Hat and our customer base.”
The Heartbleed vulnerability, in many respects, was a watershed moment for the security industry. Heartbleed, Ratliff said, uncovered a major gap in how we protect and secure the technology we use every day.
“It showed us there’s a major need to build a pre-emptive, cohesive system absent of any one company’s individual priorities to safeguard the Internet today and into the future,” Ratliff said. “What’s needed is quantitative and qualitative analysis of security of software, both closed and open, to safeguard corporations and individuals.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.