As you might expect, in the wake of the recent Heartbleed vulnerability, system administrators are scrambling to patch their systems. Unfortunately, it appears that in their haste to prevent exploitation, a number of sysadmins are upgrading versions of OpenSSL that are not vulnerable to versions that are vulnerable. Instead of closing the vulnerability, they’re opening previously healthy systems to exploitation.
That’s the major revelation from a series of scans carried out by security researcher Yngve Nysæter Pettersen. Using a tool called TLS Prober, Pettersen scanned about half a million servers, testing their vulnerability to Heartbleed. The six scans, the first of which was carried out on April 11, show a history of the reaction to Heartbleed. As of the most recent scan, 2.3 percent of servers are vulnerable, down from 5.36 percent for the first scan. Somewhat worryingly, the pace of patching seems to have slowed considerably, with only a 0.44 percent reduction over the last two weeks.
The most recent scan indicates that 20 percent of the servers currently vulnerable were not vulnerable at the time of previous scans, indicating that admins have upgraded their systems into an exploitable state. It is estimated that the cost of fixing those systems that were unnecessarily made vulnerable will be upwards of $12 million. System administrators who intend to upgrade their OpenSSL version need to make themselves aware of which versions of OpenSSL are vulnerable and which are not. This blog post contains information about the non-vulnerable versions of OpenSSL.
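The mistake the scans caught is an upgrade that moves a host from a branch that never had the bug onto an affected release. The following is an added example, not code from the original article: it orders OpenSSL version strings the way the project numbered 0.9.x/1.0.x releases (patch letters, beta suffixes, the `-fips` tag some distro builds append) and classifies what an upgrade does to a host's exposure. The vulnerable ranges in `HEARTBLEED_RANGES` are an assumption taken from the OpenSSL project's advisory, not from this article; check them against the advisory before relying on them.

```python
"""Decide whether an OpenSSL version, or an upgrade between two versions,
lands in the Heartbleed-vulnerable range.

Added example, not code from the original article. The vulnerable ranges
below are taken from the OpenSSL project's Heartbleed advisory, not from
the article; verify them against the advisory before relying on them.
"""
import re
from functools import total_ordering

# major.minor.fix, optional patch letters, optional -betaN / -preN, optional -fips
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta|pre)(\d+))?(?:-fips)?$"
)


@total_ordering
class OpenSSLVersion:
    """Orderable OpenSSL 0.9.x/1.0.x style version:
    1.0.1 < 1.0.1a < ... < 1.0.1g, and 1.0.2-beta1 < 1.0.2-beta2 < 1.0.2."""

    def __init__(self, text):
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError("unrecognised OpenSSL version: %r" % text)
        major, minor, fix, letters, pre_kind, pre_num = m.groups()
        self.text = text.strip()
        self.key = (
            int(major), int(minor), int(fix),
            0 if pre_kind else 1,            # pre-releases sort before the final release
            int(pre_num) if pre_num else 0,
            letters,                         # '' < 'a' < 'b' ... < 'z' < 'za'
        )

    def __eq__(self, other):
        if not isinstance(other, OpenSSLVersion):
            return NotImplemented
        return self.key == other.key

    def __lt__(self, other):
        if not isinstance(other, OpenSSLVersion):
            return NotImplemented
        return self.key < other.key

    def __repr__(self):
        return "OpenSSLVersion(%r)" % self.text


def version_from_banner(banner):
    """Extract the version from `openssl version` output, e.g.
    'OpenSSL 1.0.1e-fips 11 Feb 2013' -> OpenSSLVersion('1.0.1e-fips')."""
    m = re.search(r"OpenSSL\s+(\S+)", banner)
    if not m:
        raise ValueError("not an `openssl version` banner: %r" % banner)
    return OpenSSLVersion(m.group(1))


# (first vulnerable, first fixed) per affected branch; assumption from the advisory.
HEARTBLEED_RANGES = [
    (OpenSSLVersion("1.0.1"), OpenSSLVersion("1.0.1g")),
    (OpenSSLVersion("1.0.2-beta1"), OpenSSLVersion("1.0.2-beta2")),
]


def is_heartbleed_vulnerable(version):
    """True if an upstream release with this version number has the bug."""
    v = version if isinstance(version, OpenSSLVersion) else OpenSSLVersion(version)
    return any(lo <= v < hi for lo, hi in HEARTBLEED_RANGES)


def classify_upgrade(current, proposed):
    """Explain what moving a host from `current` to `proposed` does to its exposure."""
    before = is_heartbleed_vulnerable(current)
    after = is_heartbleed_vulnerable(proposed)
    if before and not after:
        return "fixes"
    if not before and after:
        return "introduces-vulnerability"   # the mistake the scans caught
    return "still-vulnerable" if after else "stays-safe"


if __name__ == "__main__":
    for cur, new in [("1.0.0", "1.0.1e"), ("1.0.1e", "1.0.1g"), ("0.9.8y", "1.0.1g")]:
        print("%s -> %s: %s" % (cur, new, classify_upgrade(cur, new)))
```

The version number alone is conclusive only for upstream builds. Distributions often backport the fix without bumping the number, so a package that reports an affected version may already be patched; for those, check the package changelog or the distribution's advisory, or confirm with a scanner such as the one the article cites rather than trusting the banner.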
Mistaken upgrades are, however, a statistical blip compared to services which have not carried out the essential post-patch task of revoking and updating SSL certificates. To be secure, OpenSSL users should assume that Heartbleed exposed their servers’ private keys. This should be the default assumption, but it’s even more crucial for services that failed to properly patch their servers immediately following Heartbleed’s disclosure. Attempts at exploitation rose sharply after disclosure, so vulnerable servers faced a much higher chance of having private keys exposed.
Pettersen said, “Given that any server that was patched after April 7 has to be assumed to have had its certificate private key compromised (because criminals may have used Heartbleed to compromise their server), this indicates a serious problem for the users of those sites.”
Pettersen estimated that two-thirds of servers that have been patched are still using the old certificates.
Heartbleed was an enormous blow to online security, but it appears that the majority of online service providers reacted in a timely fashion, patching their systems very quickly after initial disclosure. But many have stopped short of properly mitigating risk by revoking and replacing their certificates. Even though the theoretical risk of exploitation is low, especially if servers were quickly patched, it’s the responsibility of companies offering online services to make sure their users can communicate securely, and that means assuming that private keys have leaked.
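The "two-thirds still on old certificates" figure is something an operator can reproduce for their own fleet: a certificate whose validity began before the host was patched was being served while the key could be read out, so under the article's assumption its key has leaked. The following is an added example, not code from the original article. It reads the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates -in <cert.pem>`, compares them with the time each host received a fixed OpenSSL, and ranks hosts by how long they stayed exposed after the April 7 disclosure date the article quotes. The certificate dates and patch times in `SAMPLE_HOSTS` are constructed sample data, not real hosts.

```python
"""Flag hosts whose TLS certificate predates their Heartbleed patch, i.e.
whose private key was exposed and has not been rotated.

Added example, not code from the original article. It consumes the output of
`openssl x509 -noout -dates -in <cert.pem>`; the certificate dates and patch
times below are constructed sample data, and the disclosure date is the
April 7 cut-off quoted in the article.
"""
import re
from datetime import datetime, timezone

HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)
_OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"   # e.g. 'Apr  9 12:00:00 2014 GMT'


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes from `openssl x509 -dates` output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^(notBefore|notAfter)=(.+)$", line.strip())
        if m:
            # strptime treats a space in the format as "one or more", so the
            # double space OpenSSL prints before single-digit days is fine.
            stamp = datetime.strptime(m.group(2).strip(), _OPENSSL_DATE)
            found[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected notBefore= and notAfter= lines, got %r" % text)
    return found["notBefore"], found["notAfter"]


def certificate_status(dates_output, patched_at):
    """Classify one host's certificate.

    patched_at: UTC datetime when a fixed OpenSSL was installed, or None if
    the host is still unpatched.  Returns 'unpatched', 'needs-rotation' or 'rotated'.
    """
    not_before, _ = parse_openssl_dates(dates_output)
    if patched_at is None:
        return "unpatched"
    # A certificate valid before the patch was served while the host was
    # exploitable, so its private key must be treated as leaked.
    return "needs-rotation" if not_before < patched_at else "rotated"


def days_exposed(patched_at):
    """Days between public disclosure and the patch, for ranking remediation.
    0 if the host was patched before disclosure; None if it is still unpatched."""
    if patched_at is None:
        return None
    if patched_at <= HEARTBLEED_DISCLOSURE:
        return 0
    return (patched_at - HEARTBLEED_DISCLOSURE).days


def audit(hosts):
    """hosts: {name: (dates_output, patched_at)} -> {name: (status, days_exposed)}."""
    return {name: (certificate_status(out, at), days_exposed(at))
            for name, (out, at) in hosts.items()}


# Constructed sample inventory (not real hosts or certificates).
_PATCHED = datetime(2014, 4, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_HOSTS = {
    "web-1": ("notBefore=Mar  5 00:00:00 2014 GMT\nnotAfter=Mar  5 23:59:59 2016 GMT\n",
              _PATCHED),   # old certificate still in use after the patch
    "web-2": ("notBefore=Apr 12 09:30:00 2014 GMT\nnotAfter=Apr 12 09:30:00 2016 GMT\n",
              _PATCHED),   # certificate reissued after the patch
    "web-3": ("notBefore=Jan 20 00:00:00 2014 GMT\nnotAfter=Jan 20 23:59:59 2015 GMT\n",
              None),       # never patched
}

if __name__ == "__main__":
    for name, (status, days) in audit(SAMPLE_HOSTS).items():
        print("%s: %s (days exposed after disclosure: %s)" % (name, status, days))
```

A `notBefore` later than the patch is necessary but not sufficient: a certificate can be reissued over the same key pair, so also compare the public key (for instance the fingerprint of `openssl x509 -noout -pubkey`) with the pre-patch one, and treat the old certificate as something to revoke, not merely replace, as the article says.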
Photo credits: Free Grunge Textures