More Than A Half-Million Servers Exposed To Heartbleed Flaw

Published: 22/11/2024   Category: security

What the newly exposed SSL/TLS threat really means for enterprises and end-users.



The newly exposed Heartbleed bug, plaguing some 17 percent of SSL-secured websites as well as various VPN products, has caused a massive case of Internet heartburn over the past 48 hours as companies rushed to confirm their exposure and lock down their SSL/TLS software. But just how bad is it?
Errata Security CEO Robert Graham scanned the Net for machines vulnerable to the implementation flaw in the so-called Heartbeat function of TLS, and discovered some 600,000 affected out of 28 million SSL machines. He estimates that some one-third of SSL machines had been patched with the update to the buggy OpenSSL library.
Netcraft, meanwhile, says the buggy Heartbeat extension is enabled on 17.5 percent of SSL sites, which include close to a half-million digital certificates at risk of theft and spoofing from the attack.
Heartbleed may be one of the biggest Internet security events since security expert Dan Kaminsky found and helped coordinate a fix for the massive Domain Name Service (DNS) caching vulnerability in 2008. Bruce Schneier gives Heartbleed an 11 rating on an ascending scale of 1 to 10, and security companies and experts are issuing warnings about the severity of the bug. The flaw, a two-year-old implementation bug in the open-source OpenSSL, has been fixed with the new OpenSSL 1.0.1g, but experts say to assume it's already been abused by nation-states or cyber criminals given the two years it wasn't publicly known.
Fixing Heartbleed isn't cheap. The estimated cost to remedy the flaw is hundreds or thousands of dollars per server or application, according to Tatu Ylonen, inventor of the SSH protocol and CEO and founder of SSH Communications Security. That adds up to more than a billion dollars in overall labor and certificate renewal costs worldwide, Ylonen says.
The bug, in Versions 1.0.1 and 1.0.2 beta, leaks the contents of memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data and the SSL server's private key. While there have been reports of Yahoo passwords exposed by the bug, massive nefarious scanning for the flaw on the Net, and signs of attacks since Heartbleed was revealed late Monday, there's still debate over just how easily exploitable the bug really is.
"Certainly, nation-states will have the best capability to quickly weaponize this vulnerability for large-scale exploitation," Schneier says.
Carrying out an attack using this flaw is not for script kiddies, experts say. "It would take a nation-state or organized crime organization. There are not enough skilled attackers with non-attributable networks to safely carry out large-scale collection efforts using this vulnerability," says security expert Ralph Logan, CEO of Kiku Software, a large data analytics software firm. "For example, in order to collect
mail.yahoo.com
uid:pass pairs using this vulnerability, you would need a giant non-attributable network larger than TOR, but TOR won't work in this case because we all know that it's attributable.
"Joe Hacker/single actor in the .ru still has to have a non-attributable network to infiltrate and exfiltrate large amounts of data across the web."
But the bad news now that the cat's out of the bag is that proofs-of-concept are out -- and some attacks are under way. Jaime Blasco, director of AlienVault Labs, says his firm has spotted scans for the flaw as well as brute-force attack attempts on some of its customers. "We have seen active attacks in the past 48 hours," Blasco says.
Mozilla's former director of security assurance Michael Coates, now director of product security for Shape Security and chairman of OWASP, points out that the attacker must have access to network devices along the communication path between a user and a website. "In order to decrypt data exchanged between a user and a website, the attacker must have access to network devices along the communication path. This attack could most easily be launched by state actors, intelligence agencies, or criminal enterprises operating with collusion from network operators," Coates said today in a blog post.
An individual attacker could also target users on a shared WiFi hotspot with Heartbleed, he says.
As for concerns about attackers stealing a website's digital certificate via a Heartbleed attack, Errata's Graham contends that panic over private keys leaking is somewhat overblown. "In most [packaged] software, this cannot happen. That's because memory containing the private key is never freed, and hence allocated heartbleed buffers can never contain it," Graham said
in a blog post today:
"The upshot is this. What you can eavesdrop on with heartbleed hacks is dynamic stuff, stuff that was allocated only moments ago. What you probably can't get is static information. Certainly, you can't get any static information that hasn't been freed, and you probably can't get static information that was freed long ago, such as program startup. It's a great way to steal passwords from recent logins, but it's unlikely to give private keys. Certainly, there is some poorly written software that when it validates the SSL connection, copies the private key into a buffer, uses it, then frees the buffer. Thus, there certainly exists some software that reliably leaks the private key, it's just that on most software it's not possible."
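As an added illustration (not code from the article or from OpenSSL), the two handlers below model the heartbeat length check on a constructed memory buffer: the unpatched version trusts the client's declared payload length, the patched one applies the bounds check OpenSSL 1.0.1g introduced, and the stale bytes the unpatched one echoes back are exactly the recently used heap data Graham describes. The fake credential, the buffer layout and the function names are assumptions made for the demo.

```c
#include <string.h>
/* TLS heartbeat (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST     1
#define HB_MIN_PADDING 16
#define RECORD_LEN     5   /* bytes of the request actually received from the network */
/* Constructed stand-in for process memory: the 5-byte request at the front
 * claims a 48-byte payload but carries only "hi"; the bytes after it model
 * recently freed heap data the server still holds (a fake credential). */
static unsigned char g_memory[64] = {
    HB_REQUEST, 0x00, 0x30, 'h', 'i',
    'u','s','e','r','=','b','o','b',' ','p','a','s','s','=','h','u','n','t','e','r','2'
};
/* Unpatched logic (OpenSSL 1.0.1 to 1.0.1f): trusts the declared length and copies
 * that many bytes from the payload onward. Returns bytes written, or -1 if rejected. */
int heartbeat_unpatched(const unsigned char *rec, size_t rec_len,
                        unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* n2s() in OpenSSL */
    if (payload > out_cap) return -1;   /* demo guard so the over-read stays inside g_memory */
    memcpy(out, rec + 3, payload);      /* copies 48 bytes although only 2 were sent */
    return (int)payload;
}
/* Patched logic (OpenSSL 1.0.1g): header, declared payload and minimum padding must
 * fit inside the record that was actually received; otherwise the request is dropped. */
int heartbeat_patched(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_MIN_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len) return -1;  /* the missing bounds check */
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}
/* 1 if the unpatched response carries the stale credential that was never in the request. */
int unpatched_echoes_stale_memory(void) {
    unsigned char out[64] = {0};
    int n = heartbeat_unpatched(g_memory, RECORD_LEN, out, sizeof out);
    return n == 48 && memcmp(out + 2, "user=bob pass=hunter2", 21) == 0;
}
/* 1 if the patched handler refuses that same malformed request. */
int patched_rejects_malformed(void) {
    unsigned char out[64];
    return heartbeat_patched(g_memory, RECORD_LEN, out, sizeof out) == -1;
}
/* 1 if the patched handler still serves a well-formed 2-byte heartbeat padded to 16 bytes. */
int patched_accepts_wellformed(void) {
    unsigned char rec[21] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };  /* zeros fill the padding */
    unsigned char out[8];
    return heartbeat_patched(rec, sizeof rec, out, sizeof out) == 2 && memcmp(out, "hi", 2) == 0;
}
```

The same declared-length-versus-record-length mismatch is what network monitors key on when flagging heartbeat scans.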
Intranet Heartbleed
Not all SSL servers are public Internet-facing, of course: Also at risk are internal intranet SSL servers that run internal corporate applications. And VPN software such as the open-source OpenVPN software was exposed but has since been patched.
"You need to change all certificates and keys," says Kevin Bocek, vice president, security strategy and threat intelligence, at Venafi. "What's inside the firewall is a lot more lucrative to an attacker," he says.
"If I'm an advanced attacker, this is just a heyday. Now I can easily punch a server. I can get the keys and certs that allow me to [move] internally, which before would have taken a lot more effort. [Heartbleed] is also an internal concern."
Enterprises should confirm whether their servers and VPN products are vulnerable if they have not done so already, and if they are, update them and obtain new digital certificates to be safe. Once they've cleaned that up, then they should institute end-user password changes, experts say.
End users should change their passwords on websites that were vulnerable, but not until after they've been patched. "This particular vulnerability still exists in many locations, so changing your password may just mean that the new password is vulnerable," says Matt Willems, an engineer for LogRhythm Labs. "The best advice is to follow normal best-practices for online identity information. Change your passwords regularly, and if an online service says your information may be at risk, follow their directions."
Meanwhile, SANS Internet Storm Center is tracking software vendors that have updated their products, and several free online scanning tools are available for testing SSL servers for the flaw.
