One year after the discovery of a critical vulnerability in OpenSSL known as “Heartbleed,” the vast majority of the world’s largest corporations have yet to fully remediate the vulnerability.
Venafi Labs evaluated the 1,642 Global 2000 organizations with public-facing systems vulnerable to Heartbleed. In all, the company identified 580,000 hosts belonging to those organizations that had not been completely remediated as of April 2015. That means 74% of Global 2000 organizations with public-facing systems that were vulnerable to Heartbleed are still vulnerable, according to the report.
And the pace of remediation appears to have slowed to a crawl. Venafi said that the population of fully remediated systems has ticked up just 2% in the last 8 months, leaving almost 3 in every 4 of these companies open to breach.
Those numbers bear some explaining. Most companies running vulnerable versions of OpenSSL updated the software in the days and weeks following the disclosure of Heartbleed.
However, fully remediating the vulnerability also required companies to generate new private keys for the affected servers, obtain new certificates for those keys, and revoke the old certificates. Heartbleed allowed an attacker to read the memory of a vulnerable process, which could include the server's private key, so those additional steps are what prevent malicious actors who compromised OpenSSL installations before the vulnerability was discovered from using stolen keys to impersonate the vulnerable system and carry out undetectable “man in the middle” attacks.
At least one major breach has been linked to an exploit of Heartbleed: Community Health Systems in August, 2014. There is also evidence that malicious actors were exploiting the vulnerability as early as 2013.
Patching the vulnerable OpenSSL software prevents new attacks, but it does not end the threat posed by attacks that happened before the patch. As with the compromise of any other IT asset, administrators at companies that were exposed should assume that all certificates and private keys on affected systems were compromised.
However, that has not been the reaction. Instead, many organizations have patched their software but left the existing certificates and private keys in place. Others have revoked their certificates but issued replacement certificates for the existing private keys, an empty maneuver if those keys were compromised in an earlier Heartbleed attack, Venafi noted.
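The distinction drawn above, between patching alone, reissuing a certificate for the same key, and replacing the key and revoking the old certificate, can be applied mechanically to a certificate inventory. The following Python is an added example, not Venafi's tooling or anything from the original article: the host names, serials and fingerprints are constructed, and it assumes that for each host you have a record of the certificate served before the disclosure and of the one served now.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Tuple

# Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014.
HEARTBLEED_DISCLOSURE = date(2014, 4, 7)


@dataclass(frozen=True)
class CertObservation:
    """What an external scan can record for one host: the certificate serial,
    the start of its validity period, the SHA-256 of the DER-encoded
    SubjectPublicKeyInfo (i.e. a fingerprint of the key, not of the cert),
    and whether that certificate is listed as revoked (CRL/OCSP)."""
    serial: str
    not_before: date
    spki_sha256: str
    revoked: bool = False


def triage_host(before: CertObservation, now: CertObservation) -> str:
    """Classify one host from its pre-disclosure certificate and what it
    serves today. Only the last state counts as full remediation."""
    if now.serial == before.serial:
        return "certificate unchanged"
    if now.not_before < HEARTBLEED_DISCLOSURE:
        # A different cert, but one issued before anyone knew to rotate keys.
        return "replacement predates disclosure"
    if now.spki_sha256 == before.spki_sha256:
        # New certificate, same key: if the key leaked, this changed nothing.
        return "reissued with same key"
    if not before.revoked:
        # New key, but the possibly stolen certificate still validates.
        return "new key, old certificate not revoked"
    return "fully remediated"


def triage_inventory(
    inventory: Dict[str, Tuple[CertObservation, CertObservation]]
) -> Dict[str, str]:
    """Map each host to its remediation status."""
    return {host: triage_host(b, n) for host, (b, n) in inventory.items()}


def remediation_rate(statuses: Dict[str, str]) -> float:
    """Fraction of hosts that are fully remediated (0.0 for an empty set)."""
    if not statuses:
        return 0.0
    done = sum(1 for s in statuses.values() if s == "fully remediated")
    return done / len(statuses)


# Constructed sample inventory: hypothetical hosts, serials and key
# fingerprints, one per remediation state. Not real scan data.
SAMPLE_INVENTORY = {
    "www.example.test": (
        CertObservation("1001", date(2013, 5, 2), "a1" * 32),
        CertObservation("1001", date(2013, 5, 2), "a1" * 32)),
    "shop.example.test": (
        CertObservation("1005", date(2013, 2, 1), "07" * 32),
        CertObservation("1505", date(2014, 3, 30), "07" * 32)),
    "mail.example.test": (
        CertObservation("1002", date(2013, 9, 14), "b2" * 32, revoked=True),
        CertObservation("2002", date(2014, 4, 10), "b2" * 32)),
    "api.example.test": (
        CertObservation("1003", date(2014, 1, 20), "c3" * 32),
        CertObservation("2003", date(2014, 4, 9), "d4" * 32)),
    "vpn.example.test": (
        CertObservation("1004", date(2013, 11, 3), "e5" * 32, revoked=True),
        CertObservation("2004", date(2014, 4, 12), "f6" * 32)),
}

if __name__ == "__main__":
    statuses = triage_inventory(SAMPLE_INVENTORY)
    for host, status in statuses.items():
        print(f"{host:20s} {status}")
    print(f"fully remediated: {remediation_rate(statuses):.0%}")
```

The key fingerprint is what separates a real rotation from a cosmetic reissue; a certificate serial or thumbprint changes on every reissue, the SPKI hash changes only when the key does. For a PEM certificate it can be computed with `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`. Note that none of this tells you whether the OpenSSL library itself was patched; that is a separate check against the running service.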
The Venafi survey only addresses the security of public-facing IT assets. It does not speak to the security of OpenSSL installations deployed on corporations' internal networks, where they are not visible to outside scans. For many corporations, this is a much larger population of systems. Large enterprises might have thousands or tens of thousands of servers deployed internally, each with its own set of certificates and private keys.
This isn’t the first report to warn about Heartbleed’s long tail. A University of Maryland study in 2014 analyzed the Alexa Top 1 Million domains over a period of six months and found that over 73% of vulnerable certificates had yet to be reissued and over 87% had yet to be revoked three weeks after Heartbleed was disclosed.