Thousands of UK sites haven’t patched serious Heartbleed SSL bug
New figures show vast numbers of websites are still vulnerable to the venerable Heartbleed bug
An enormous number of sites - nearly 200,000 - across the globe have not yet patched the severe and well-documented Heartbleed vulnerability in OpenSSL.
According to Shodan's 2017 report, the UK alone still has some 6,491 vulnerable systems and servers live, although the UK is far from the worst offender at seventh in the table: the US leads with 42,032 systems still vulnerable, followed by South Korea with 15,380, China with 14,116, Germany with 14,072 and France with 8,702.
Heartbleed was reported to the OpenSSL developers on 1 April 2014 and publicly disclosed on 7 April 2014 - a fix was released the same day. The flaw in the widely used open-source OpenSSL cryptography library caused considerable concern at the time, because it allowed an attacker to read memory from any system running a vulnerable version. If you're not sure whether your business has patched it yet, use this free SSL security test to find out for sure. On the test's 100-point scoring system, vulnerability to Heartbleed deducts 70 points, the largest penalty for any single vulnerability.
Ilia Kolochenko, High-Tech Bridge CEO, said: "Taking into consideration the high severity and big age of the vulnerability, I think unpatched systems are mainly represented by various network devices and forgotten servers. Such shadow systems represent a huge risk for companies, as nobody is aware of their existence and nobody cares to keep them secure. Attackers are always looking for an easy way to get in, and a forgotten device in the external IT perimeter of a company can be a great gift to them. Cybercriminals are looking for such systems to compromise them and turn them into DDoS or spam zombies. The situation is aggravated with embedded IoT devices, which are often abandoned with a set of critical flaws exploitable from the Internet that nobody bothers to patch. A comprehensive inventory of digital assets and continuous security monitoring are vital to keep corporate infrastructure secure and avoid such dangerous situations."
Of course, it is likely that many organisations are simply not aware that they are running software which uses an outdated version of the OpenSSL library, and this must account for some of these figures: in the last 12 months, 58.7 per cent of web servers tested on High-Tech Bridge's free SSL test were not PCI DSS compliant.
The Shodan report found that the organisations hosting the most vulnerable systems include South Korea's SK Broadband, Amazon, Verizon and Comcast. Approximately 75,000 of the vulnerable connected systems are using expired SSL certificates and running ageing versions of Linux. Unfortunately, the report uncovers extremely slow progress in patching the flaw among these most egregious offenders: the same report in June 2014, just two months after disclosure, found 300,000 systems were vulnerable, so it seems only a third have taken action to rectify the issue in the intervening two-and-a-half years.
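The two preceding paragraphs make the defender's point: most of the remaining exposure is forgotten systems whose owners do not know they run an old OpenSSL, often alongside expired certificates. The script below is an added example written for this article, not code from High-Tech Bridge or Shodan. It assumes an asset inventory exported as CSV with the columns host, openssl_version and cert_not_after (all column names and the sample rows are constructed), and flags hosts whose OpenSSL build falls in the Heartbleed-affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) or whose certificate has lapsed. The version parser handles OpenSSL's letter-suffix scheme, so 1.0.1f is caught while 1.0.1g is not, and a 1.0.2 beta sorts before the 1.0.2 release.

```python
"""Triage an asset inventory for Heartbleed-era OpenSSL builds and expired certs.

Added example for this article (not High-Tech Bridge's or Shodan's code).
Assumes a CSV inventory with columns host, openssl_version, cert_not_after;
the column names and the sample rows are constructed for illustration.
"""
import csv
import io
import re
from datetime import date

# Matches "1.0.1e", "1.0.2-beta1", or a full banner such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013" (first version-like token wins).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# Affected range per the OpenSSL advisory: 1.0.1 through 1.0.1f inclusive.
# 1.0.1g fixed it; the 1.0.0 and 0.9.8 branches never had the heartbeat code.
_RANGE_LO = (1, 0, 1, float("inf"), "")
_RANGE_HI = (1, 0, 1, float("inf"), "f")


def parse_openssl_version(text):
    """Return a comparable tuple (major, minor, patch, beta_rank, letters) or None.

    beta_rank is the beta number for pre-releases and +inf for a release, so
    1.0.2-beta1 < 1.0.2 < 1.0.2a, and the letter suffix orders 1.0.1f < 1.0.1g.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letters, beta = m.groups()
    beta_rank = int(beta) if beta else float("inf")
    return (int(major), int(minor), int(patch), beta_rank, letters)


def is_heartbleed_version(text):
    """True if the version string is in the affected range, False if not,
    None if no version could be parsed (treat as 'unknown', not 'safe')."""
    v = parse_openssl_version(text)
    if v is None:
        return None
    if _RANGE_LO <= v <= _RANGE_HI:
        return True
    # 1.0.2-beta1 was also affected; 1.0.2-beta2 shipped with the fix.
    return v[:4] == (1, 0, 2, 1)


def triage_inventory(csv_text, today):
    """Return [(host, [issues...])] for every host with at least one issue.

    Issues: 'heartbleed' (version in affected range), 'version-unknown'
    (could not parse a version; needs a live check), 'cert-expired'.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        verdict = is_heartbleed_version(row["openssl_version"])
        if verdict is True:
            issues.append("heartbleed")
        elif verdict is None:
            issues.append("version-unknown")
        if date.fromisoformat(row["cert_not_after"]) < today:
            issues.append("cert-expired")
        if issues:
            findings.append((row["host"], issues))
    return findings


# Constructed sample inventory (hosts and dates are fictional).
SAMPLE_INVENTORY = """host,openssl_version,cert_not_after
vpn-old.example.com,OpenSSL 1.0.1e-fips 11 Feb 2013,2015-03-01
www.example.com,OpenSSL 1.0.1g 7 Apr 2014,2018-01-01
cam-17.example.com,1.0.2-beta1,2016-06-30
api.example.com,1.1.0e,2017-12-31
printer-3.example.com,unknown,2014-01-01
"""

if __name__ == "__main__":
    for host, issues in triage_inventory(SAMPLE_INVENTORY, date(2017, 1, 1)):
        print(f"{host}: {', '.join(issues)}")
```

A banner version is only a triage heuristic: some Linux vendors backported the Heartbleed fix without changing the reported version string (a 1.0.1e banner can be patched), so hosts flagged here, and every host the parser could not classify, should be confirmed with a live handshake check such as the free SSL test mentioned above before being treated as exposed or safe.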
There have been a variety of efforts to improve upon the almost two-decade-old OpenSSL software library's implementation of TLS encryption, most coming after the discovery of Heartbleed. Stripped-down alternatives include LibreSSL, a fork maintained by the group behind the OpenBSD operating system; BoringSSL, a version designed for Google projects (Android 6.0 and above and Chrome use BoringSSL); and, more recently, BearSSL. BearSSL is designed for constrained deployments such as IoT platforms, where small size and efficiency are key.
However, research from High-Tech Bridge from the first half of 2016 found that in fact only 0.43 per cent of websites tested were vulnerable to Heartbleed, but an enormous 23 per cent were still vulnerable to POODLE, or "Padding Oracle On Downgraded Legacy Encryption".