By Bill Harshbarger, CSC Cybersecurity
Recent research announced by Venafi has found that 74 percent of the Global 2000 organizations surveyed have not remediated the Heartbleed OpenSSL vulnerability CVE-2014-0160 on their external-facing systems in the year since it was first disclosed.
While this is a claimed improvement over the initial 97 percent of external servers in the Global 2000, it is still a shockingly high number, considering what Heartbleed can divulge: whatever happens to be in the process memory buffer, 64 KB at a time, with no control over which 64 KB comes back. That is more than enough to expose passwords, private keys, PII, PHI and the like.
As reliable exploits were almost immediately released, security expert Bruce Schneier described the impact of Heartbleed, saying, “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
An organization may have several reasons for deprioritizing a remediation or for missing vulnerable systems, but these decisions and omissions ultimately come down to a few factors: perceived risk, reliance on compensating technologies (are firewalls or IPS seen as an effective solution?) and an organization's (in)ability to inventory its systems. Additionally, Heartbleed affects a much wider swath of services than just Web and cloud services.
Regarding risk, Internet-facing Web servers with vulnerable OpenSSL are undoubtedly the primary focus for Heartbleed remediation; however, OpenSSL is used by many more services than just HTTP. Mail, for instance, can also use OpenSSL for secure transport and therefore could be just as vulnerable.
Attackers and defenders alike heavily scrutinize Internet-facing systems, which makes the 74 percent number that much more shocking.
At this point, if an organization has not remediated Heartbleed, it can assume that massive amounts of data have leaked from its system.
Internally, the risk is somewhat lower; however, insider attacks are prevalent and less frequently detected, as organizations often prioritize defenses at the network border rather than at the core.
Security technologies, such as IPS and firewalls, may also claim to effectively defend against Heartbleed, but the question often becomes: Is the firewall or IPS itself vulnerable to Heartbleed?
Devices such as VPN endpoints, load balancers, Web application firewalls, application delivery controllers, proxies and other appliances regularly contain vulnerabilities. Additionally, some mobile devices are vulnerable: reports indicate that Android 4.1.1 shipped OpenSSL 1.0.1c with Heartbeats enabled.
Unfortunately, organizations frequently give these devices less priority since an administrator may have to wait on a vendor to release a remediation with instructions.
Another specific challenge in fixing the vulnerabilities Heartbleed has created is the necessity of re-issuing certificates, regenerating public/private key pairs, and forcing users of the affected services to reset their passwords. Organizations should assume that each of these components has been compromised at this point.
Examples like this illustrate that Heartbleed remediation isn't a simple patch-and-fix, but one component in a complex web of interdependencies that affects far more than a single service listening on a port.
Additionally, many organizations see cryptographic services as a sort of fire-and-forget operation, meaning that once it’s in place, it does not need to be monitored.
Speaking as a penetration tester, it is very common to still see FREAK, CRIME and POODLE attacks and the cryptographic flaws that have made RC4 and SSL 2 and 3 obsolete still on production systems, although less commonly on Internet-facing systems. Encryption technologies are far from something that can be set up and forgotten about.
Maintaining the lock icon in the browser is easy — ensuring it’s working correctly is a much more demanding task.
Finally, establishing a baseline software and hardware inventory can be a significant challenge for organizations, but they have to build solid inventories. If an administrator cannot learn of a new vulnerability and immediately cross-reference the affected service against every known system in the organization, omissions will occur.
Ask your local IT person how many times they have discovered an ancient system running in some dusty corner. They know what a problem inventory control is and how it affects the ability to patch and remediate.
Organizations should implement processes that can help remediate Heartbleed, but also position the IT departments to be able to better respond to future vulnerabilities. To identify and remediate Heartbleed from their systems, organizations can take the following steps:
- Implement hardware/software inventory
- Once inventoried, enumerate the OpenSSL versions in use and determine which are affected, along with other dependencies such as whether the Heartbeat extension is enabled, which OpenSSL 1.0.1 does by default
- Alternatively, employ a vulnerability assessment to perform a targeted Heartbleed network enumeration scan
- Once vulnerabilities are identified, apply appropriate patches or pressure vendors to release applicable patches
- Apply post-patch remediation, including reissuing certificates, re-generating public/private key pairs, and having users reset passwords.
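The cross-reference the steps above describe, as an added example that is not the article's or CSC's code: it parses OpenSSL's letter-suffixed version strings, flags each inventory entry against the affected range, and lists the post-patch work that remains. Assumptions: upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 are the affected releases (1.0.1g is the fix), builds with the heartbeat extension disabled are not exposed, and distributions that backport the fix keep the old version string, so the inventory carries a vendor_patched column; the inventory rows are constructed.

```python
"""Cross-reference an OpenSSL inventory against the Heartbleed-affected range.
Added example (not the article's code); assumptions are in the lead-in."""
import csv
import io
import re

# Constructed inventory; version strings are whatever each platform reports.
INVENTORY = """\
host,service,openssl_version,heartbeats,vendor_patched
mail01,smtp/imap,1.0.1c,yes,no
web02,https,1.0.1e,yes,yes
vpn-gw,ssl-vpn appliance,1.0.1f,yes,no
lb01,load balancer,1.0.1g,yes,no
build03,https,1.0.2-beta1,yes,no
ftp01,ftps,1.0.1d,no,no
"""
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")
POST_PATCH = ["re-generate private key", "re-issue certificate", "reset user passwords"]

def parse_version(text):
    """'1.0.1e' / '1.0.2-beta1' -> comparable tuple. Patch letters sort
    lexically (1.0.1 < 1.0.1a < ... < 1.0.1g); a beta sorts below its release."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), 0 if beta else 1, int(beta or 0), letter)

# Half-open [lo, hi) ranges of affected upstream releases (assumed, see lead-in).
AFFECTED = [(parse_version("1.0.1"), parse_version("1.0.1g")),
            (parse_version("1.0.2-beta1"), parse_version("1.0.2-beta2"))]

def upstream_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def assess(row):
    if not upstream_affected(row["openssl_version"]):
        return "not affected", []
    if row["heartbeats"].lower() == "no":
        return "not exposed (heartbeats disabled)", []
    if row["vendor_patched"].lower() == "yes":
        # Code is fixed, but the host was exposed before the backport landed.
        return "patched, post-patch work outstanding", list(POST_PATCH)
    return "vulnerable", ["patch OpenSSL or obtain vendor fix"] + POST_PATCH

def assess_inventory(csv_text):
    """Map host -> (status, actions) for every row of the CSV inventory."""
    return {r["host"]: assess(r) for r in csv.DictReader(io.StringIO(csv_text))}
```

Distribution packages that carry a backported fix under the old upstream version string are the usual false negative of a version-only check, which is why the inventory records the vendor's patch state separately.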
Bill Harshbarger, a CSC Cybersecurity Computer and Network Security senior penetration tester, performs penetration testing and vulnerability assessments across a spectrum of technologies.