Response efforts fall short and the Heartbleed vulnerability persists - vulnerability warning - 黑吧安全网 (myhack58)

ID MYHACK58:62201450883
Type myhack58
Reporter Anonymous (佚名)
Modified 2014-07-04T00:00:00


More than a month after the high-profile Heartbleed vulnerability was disclosed, an investigation has found that this serious OpenSSL vulnerability still exists on hundreds of thousands of servers and on some SSL ports, mainly because the industry's response has fallen short.

[Figure: response efforts fall short, and the Heartbleed bug is still present]

The Heartbleed vulnerability was introduced into the OpenSSL code in December 2011 and was not discovered until early April 2014. It is caused by a missing bounds check in the widely used OpenSSL cryptographic library's handling of the TLS heartbeat extension: the library trusts the payload length stated in the heartbeat message and copies that many bytes into its reply without checking that the record it received is actually that long.
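The missing check described above, as an added example that is not code from the page or from OpenSSL (written in Go rather than OpenSSL's C so that the over-read stays inside a byte slice and the program runs safely): `vulnerableHeartbeat` trusts the payload_length field the way OpenSSL did before 1.0.1g, and `fixedHeartbeat` applies the check that 1.0.1g added. The heartbeat record, the byte slice standing in for process memory and the "secret" placed after the record are all constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 6520 HeartbeatMessage: type(1) | payload_length(2) | payload | padding(>=16).
const (
	heartbeatRequest  = 1
	heartbeatResponse = 2
	headerLen         = 3  // type + payload_length
	minPaddingLen     = 16 // RFC 6520 requires at least 16 bytes of padding
)

// buildHeartbeat encodes a heartbeat request whose payload_length field is
// set to claimedLen regardless of how long payload really is, which is
// exactly what a Heartbleed probe does.
func buildHeartbeat(claimedLen uint16, payload []byte) []byte {
	rec := []byte{heartbeatRequest, byte(claimedLen >> 8), byte(claimedLen)}
	rec = append(rec, payload...)
	return append(rec, make([]byte, minPaddingLen)...)
}

// vulnerableHeartbeat mirrors the pre-1.0.1g OpenSSL logic: it trusts
// payload_length from the wire and copies that many bytes starting at the
// payload, never comparing it with recordLen, the number of bytes the record
// layer actually delivered. mem stands in for the process heap, so whatever
// follows the record is over-read into the reply.
func vulnerableHeartbeat(mem []byte, recordLen int) []byte {
	payloadLen := int(binary.BigEndian.Uint16(mem[1:headerLen]))
	end := headerLen + payloadLen
	if end > len(mem) {
		end = len(mem) // the simulated heap ends here; real OpenSSL kept reading
	}
	resp := []byte{heartbeatResponse, byte(payloadLen >> 8), byte(payloadLen)}
	resp = append(resp, mem[headerLen:end]...)
	return append(resp, make([]byte, minPaddingLen)...)
}

// fixedHeartbeat applies the check added in OpenSSL 1.0.1g: header, claimed
// payload and minimum padding must all fit inside the record that was
// actually received, otherwise the message is discarded.
func fixedHeartbeat(mem []byte, recordLen int) ([]byte, error) {
	if recordLen < headerLen+minPaddingLen {
		return nil, errors.New("heartbeat record too short")
	}
	payloadLen := int(binary.BigEndian.Uint16(mem[1:headerLen]))
	if headerLen+payloadLen+minPaddingLen > recordLen {
		return nil, errors.New("payload_length exceeds received record; discarding")
	}
	resp := []byte{heartbeatResponse, byte(payloadLen >> 8), byte(payloadLen)}
	resp = append(resp, mem[headerLen:headerLen+payloadLen]...)
	return append(resp, make([]byte, minPaddingLen)...), nil
}

// Constructed memory image: a 2-byte payload that claims 65535 bytes, followed
// by unrelated data that must never leave the process.
var (
	probe  = buildHeartbeat(0xFFFF, []byte("hi"))
	secret = []byte("-----BEGIN RSA PRIVATE KEY----- (constructed secret)")
	memory = append(append([]byte{}, probe...), secret...)
)

func main() {
	leaked := vulnerableHeartbeat(memory, len(probe))
	fmt.Printf("vulnerable: %d-byte reply, secret included: %v\n", len(leaked), bytes.Contains(leaked, secret))
	if _, err := fixedHeartbeat(memory, len(probe)); err != nil {
		fmt.Println("fixed:", err)
	}
	benign := buildHeartbeat(2, []byte("hi"))
	if r, err := fixedHeartbeat(benign, len(benign)); err == nil {
		fmt.Printf("fixed: benign reply echoes %q\n", r[headerLen:headerLen+2])
	}
}
```

The point to take from the two handlers is that the check compares the attacker-controlled field against a length the receiver already knows (the size of the record delivered by the record layer), not against the field itself; the vulnerable version clamps only at the end of the simulated slice, where the real code had no boundary at all.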

Because of Heartbleed, sensitive data held in the memory of millions of servers and clients may be leaked. Although there is no evidence that the vulnerability was successfully exploited before its disclosure, or that it is worth an attacker's effort in most cases, in the past month Heartbleed has been used in both real and simulated attacks.

However, although the information security industry has been publicising the dangers of Heartbleed, the vulnerability remains widespread. Last week Errata Security CEO Robert Graham wrote in a blog post that he had scanned the Internet on port 443 and found that more than 300,000 systems were still vulnerable to Heartbleed. Although that is half the 600,000 systems he estimated a month earlier, it is still a huge number. Graham noted that his scan did not cover other known SSL ports (for example SMTP), and that this month he found about 6 million fewer systems supporting SSL.

“These numbers are a little strange. Last month I found 28 million systems that support SSL, but this month I only see 22 million,” Graham said. “I suspect that this time people detected my Heartbleed ‘attacks’ and blocked me before my scan was done. Or, another reason could be that my ISP (Internet service provider) may have had traffic congestion, resulting in the reduced number.”

It is striking that, although companies and users have been actively taking steps to mitigate Heartbleed, the process has been littered with basic errors. Last week the analysis firm Netcraft published survey results showing that only 14% of affected sites performed all three steps needed to remediate the issue: replacing their SSL certificates, revoking the old certificates, and issuing the new certificates with a different private key.

Netcraft found that 57% of affected sites took no action at all in response to Heartbleed. Another 21% of sites reissued their certificates with a new private key but did not revoke the old certificate. The last 5% issued a new certificate using the old private key, which is a serious error: Netcraft found that certain Canadian government websites (including the Quebec automobile insurance board) made this mistake, even though they had been affected by Heartbleed-related attacks.

“One of its secure websites, secure.saaq.gouv.qc.ca, issued a new certificate in response to the Heartbleed bug, and the previously vulnerable certificate was revoked on 29 April,” Netcraft said. “The CRL lists the revocation reason as ‘keyCompromise’, but the certificate authority still allowed the same private key to be used to issue the new certificate. This means that whoever holds the compromised key can still impersonate the new certificate.”
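A check for the "reissued with the old private key" mistake that the Netcraft statistics and the SAAQ example above describe, as an added example that is not code from the page, from Netcraft or from any CA: it compares the SHA-256 of the SubjectPublicKeyInfo carried by the old and the new certificate, which is the same whenever the same key pair was used, regardless of serial number, dates or issuer signature. The hostname, serial numbers and self-signed certificates are constructed, with the self-signer standing in for the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint hashes the SubjectPublicKeyInfo: equal values mean the
// certificates were issued for the same key pair, whatever else differs.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// reusesKey reports whether newCert is bound to the same public key as oldCert.
// After Heartbleed this must be false: a certificate reissued for the leaked
// key is no safer than the revoked one.
func reusesKey(oldCert, newCert *x509.Certificate) bool {
	return spkiFingerprint(oldCert) == spkiFingerprint(newCert)
}

// reusesKeyPEM runs the same check on PEM files as saved from a web server or
// downloaded from the CA.
func reusesKeyPEM(oldPEM, newPEM []byte) (bool, error) {
	var certs [2]*x509.Certificate
	for i, p := range [][]byte{oldPEM, newPEM} {
		block, _ := pem.Decode(p)
		if block == nil || block.Type != "CERTIFICATE" {
			return false, errors.New("no CERTIFICATE block in PEM input")
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return false, err
		}
		certs[i] = c
	}
	return reusesKey(certs[0], certs[1]), nil
}

// issue creates a self-signed certificate for host with key; it stands in for
// the CA in this constructed example (hostname and serials are made up).
func issue(host string, serial int64, key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// scenario reissues a certificate twice, once with the old (assumed leaked)
// key and once with a fresh key, and returns the check result for each:
// reusedOld should be true (wrong remediation), reusedNew false.
func scenario() (reusedOld, reusedNew bool, err error) {
	const host = "www.example.com" // constructed hostname
	var keys [2]*ecdsa.PrivateKey
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
	}
	var certs [3][]byte // original, reissued with the same key, reissued with a new key
	for i, key := range []*ecdsa.PrivateKey{keys[0], keys[0], keys[1]} {
		if certs[i], err = issue(host, int64(i+1), key); err != nil {
			return
		}
	}
	if reusedOld, err = reusesKeyPEM(certs[0], certs[1]); err != nil {
		return
	}
	reusedNew, err = reusesKeyPEM(certs[0], certs[2])
	return
}

func main() {
	reusedOld, reusedNew, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("reissued with the old private key, key reused:", reusedOld) // true
	fmt.Println("reissued with a new private key, key reused:", reusedNew)   // false
}
```

To run the check on a real site, feed `reusesKeyPEM` the certificate saved before the reissue and the one the server presents now; the equivalent with the OpenSSL command line is `openssl x509 -noout -pubkey -in cert.pem` on each file and a diff of the two outputs. A match means the "new" certificate still rests on the key that may have been read out of memory, so revoking the old one with reason keyCompromise has not removed the exposure.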

The Heartbleed vulnerability is not limited to web servers. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory last week warning that the Heartbleed vulnerability exists in five products from Digi International, a supplier of machine-to-machine products and services that are widely used in SCADA and ICS environments.

The Canadian mobile giant BlackBerry was forced to update its products, including its BlackBerry Messenger application for Android and iOS, BlackBerry Enterprise Service 10 and BlackBerry Link, joining Apple, Oracle, Siemens and other vendors that have released Heartbleed-related security patches.

Compared with ordinary users, the response of businesses and government agencies can be called fast and efficient. According to an online survey of 2,000 U.S. adults by the identity theft protection provider LifeLock, nearly half of the respondents who had heard of Heartbleed had not changed their passwords. When asked why, 44% said they simply did not care about the security risk this vulnerability brings, and another 12% thought changing passwords was a "big project".

Although many of the largest technology companies recently committed millions in funding to help secure OpenSSL and other important open source projects against the next Heartbleed, the vulnerability is clearly still not under control. This week, at a Carnegie Mellon Software Engineering Institute CERT question-and-answer session, staff member Jason McCormick advised businesses affected by the vulnerability to upgrade to the latest OpenSSL version and to carry out a thorough risk assessment to discover the extent of the problem.

“The biggest problem is what to do next. There is no one-size-fits-all solution for this; companies will need to decide according to their own risk tolerance and cost,” McCormick said. “All enterprises should re-issue certificates for Internet-facing systems affected by Heartbleed as soon as possible. The potential leak of private key material (which can be used to decrypt captured data or impersonate the site) makes this work especially important.”