Software Integrity


2 years later, 200K+ IP addresses remain vulnerable to Heartbleed

The numbers aren’t impressive. In the first month after the Heartbleed vulnerability was disclosed in April 2014, nearly 300K IP addresses patched their systems. But over the course of the next 22 months, only one third of the remaining vulnerable systems were patched. That means roughly 200K systems remain vulnerable worldwide today.

Heartbleed is an SSL/TLS vulnerability found in certain older versions of OpenSSL. Under the Standard for Information Security Vulnerability Names maintained by MITRE, Heartbleed is officially known as CVE-2014-0160. It was independently co-discovered in April 2014 by the Synopsys research team in Finland (formerly Codenomicon) and by Neel Mehta of Google’s security team. According to Mark Cox at OpenSSL, “the coincidence of the two finds of the same issue at the same time increases the risk while this issue remained unpatched. OpenSSL therefore released updated packages [later] that day.” Officially, the world first learned about the Heartbleed vulnerability on April 7, 2014, when the open source organization OpenSSL issued a fix.

We asked independent security researcher Billy Rios to analyze just over 300 GB of data from Censys.io/Scans.io, representing scan results from 50 million IP addresses running SSL/TLS during the week of March 14, 2016. The base of 50 million comes from a ZMap SYN scan of port 443 across all Internet-facing IPs. If port 443 is open, a follow-up ZGrab request grabs the TLS handshake along with a request to see whether the server supports the Heartbeat extension.


Total Systems: 50,904,173
Systems with SSL Errors: 13,657,294
Our analysis found that 27 percent of the systems running SSL contained errors. These errors can include broken implementations and misconfigurations, among other causes.


Total Systems: 50,904,173
Heartbeat Enabled: 8,212,757
Systems that are heartbeat enabled represent only 16 percent of the systems running SSL/TLS.


Total Systems: 50,904,173
Still vulnerable to Heartbleed: 213,592
The good news is that of the 50 million systems running SSL/TLS, only 3 percent of those that are heartbeat enabled are vulnerable to Heartbleed. Unfortunately, there is a lot of work left to be done, and progress on completing that work has slowed to a stop.
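The three tallies above (SSL errors, heartbeat enabled, still vulnerable) are ratios over different denominators, and the analysis behind them is a pass over newline-delimited scan records. The script below is an added example, not Billy Rios’ or Synopsys’ own analysis code: it tallies a constructed set of ZGrab-style records with an assumed, simplified field layout (`tls_error`, `heartbeat_enabled`, `heartbleed_vulnerable`, which are not the real ZGrab schema), makes each percentage’s denominator explicit, flags records that claim Heartbleed without the heartbeat extension (a data-quality signal, since the bug lives in that extension), and reproduces the post’s own percentages from the counts quoted above.

```python
"""Tally Heartbleed scan records the way the post's three counts are built.

Added example, not the post's own analysis code. The record layout is an
assumed, simplified stand-in for ZGrab/Censys JSON output, and the sample
records are constructed, not real scan results.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample: one JSON object per IP that answered on port 443.
# Field names are assumptions for this example, not the real ZGrab schema.
SAMPLE_SCAN = """
{"ip": "192.0.2.10", "tls_error": null, "heartbeat_enabled": true, "heartbleed_vulnerable": false}
{"ip": "192.0.2.11", "tls_error": "handshake failure", "heartbeat_enabled": false, "heartbleed_vulnerable": false}
{"ip": "192.0.2.12", "tls_error": null, "heartbeat_enabled": false, "heartbleed_vulnerable": false}
{"ip": "192.0.2.13", "tls_error": null, "heartbeat_enabled": true, "heartbleed_vulnerable": true}
{"ip": "192.0.2.14", "tls_error": "certificate parse error", "heartbeat_enabled": false, "heartbleed_vulnerable": false}
{"ip": "192.0.2.15", "tls_error": null, "heartbeat_enabled": false, "heartbleed_vulnerable": true}
{"ip": "192.0.2.16", "tls_error": null, "heartbeat_enabled": true, "heartbleed_vulnerable": false}
{"ip": "192.0.2.17", "tls_error": null, "heartbeat_enabled": false, "heartbleed_vulnerable": false}
"""


@dataclass(frozen=True)
class Tally:
    total: int
    ssl_errors: int
    heartbeat_enabled: int
    vulnerable: int
    inconsistent: int  # flagged vulnerable without the heartbeat extension


def parse_scan(text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def tally(records: list[dict]) -> Tally:
    """Count the three figures the post reports, plus suspect records."""
    errors = heartbeat = vulnerable = inconsistent = 0
    for rec in records:
        if rec.get("tls_error"):
            errors += 1
            continue  # no usable handshake, so no heartbeat or vulnerability data
        has_heartbeat = bool(rec.get("heartbeat_enabled"))
        is_vulnerable = bool(rec.get("heartbleed_vulnerable"))
        if has_heartbeat:
            heartbeat += 1
            if is_vulnerable:
                vulnerable += 1
        elif is_vulnerable:
            # Heartbleed is a bug in the heartbeat extension; a record that
            # reports the bug without the extension is suspect, not counted.
            inconsistent += 1
    return Tally(len(records), errors, heartbeat, vulnerable, inconsistent)


def percentages(t: Tally) -> dict[str, float]:
    """Each ratio with its denominator named, rounded to one decimal place."""

    def pct(numerator: int, denominator: int) -> float:
        return round(100.0 * numerator / denominator, 1) if denominator else 0.0

    return {
        "ssl_errors_of_total": pct(t.ssl_errors, t.total),
        "heartbeat_of_total": pct(t.heartbeat_enabled, t.total),
        "vulnerable_of_heartbeat": pct(t.vulnerable, t.heartbeat_enabled),
        "vulnerable_of_total": pct(t.vulnerable, t.total),
    }


# The counts quoted in the post, for the March 2016 Censys/Scans.io data.
POST_COUNTS = Tally(
    total=50_904_173,
    ssl_errors=13_657_294,
    heartbeat_enabled=8_212_757,
    vulnerable=213_592,
    inconsistent=0,
)

if __name__ == "__main__":
    sample = tally(parse_scan(SAMPLE_SCAN))
    print("sample tally:", sample)
    print("sample percentages:", percentages(sample))
    print("post percentages:", percentages(POST_COUNTS))
```

Run against the post’s counts, the function returns 26.8 percent with SSL errors, 16.1 percent heartbeat enabled, 2.6 percent of heartbeat-enabled hosts still vulnerable, and 0.4 percent of all scanned hosts still vulnerable, which is why the 3 percent figure above only makes sense with the heartbeat-enabled population as its denominator.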


On April 9, 2014, around the time of the disclosure, independent security researcher Robert Graham estimated there were about 615,268 IP addresses vulnerable to Heartbleed. One month later, on May 8, 2014, Graham reported the number to have dropped to 318,239. And, roughly six weeks later, he reported that number had fallen to 309,197.

In upcoming blogs we’ll discuss how Heartbleed was first discovered, what common assumptions people make about the security of open source software, and why so many IP addresses remain vulnerable today.