Software Integrity Blog


2 years later, 200K+ IP addresses remain vulnerable to Heartbleed

The numbers aren’t impressive. In the first month after the Heartbleed vulnerability was disclosed in April 2014, nearly 300,000 of the roughly 600,000 vulnerable IP addresses were patched. Over the following 22 months, only one-third of the remaining vulnerable systems were patched, which leaves roughly 200,000 systems vulnerable worldwide today.

Heartbleed is an SSL/TLS vulnerability found in certain older versions of OpenSSL (1.0.1 through 1.0.1f): a missing bounds check in OpenSSL’s implementation of the TLS Heartbeat extension lets a peer read up to 64 KB of the server process’s memory per request. In CVE, the Common Vulnerabilities and Exposures list maintained by MITRE, Heartbleed is officially known as CVE-2014-0160. It was independently co-discovered in April 2014 by the Synopsys research team in Finland (formerly Codenomicon) and by Neel Mehta of Google’s security team. According to Mark Cox at OpenSSL, “The coincidence of the two finds of the same issue at the same time increases the risk while this issue remained unpatched. OpenSSL therefore released updated packages [later] that day.” Officially the world first learned about the Heartbleed vulnerability on April 7, 2014, when the OpenSSL project issued a fix.

We asked independent security researcher Billy Rios to analyze just over 300 GB of scan results covering 50 million IP addresses running SSL/TLS, collected during the week of March 14, 2016. The base of 50 million comes from a ZMap SYN scan of port 443 across all internet-facing IPs. For each IP with port 443 open, a follow-up ZGrab request captures the TLS handshake and tests whether the server supports the Heartbeat extension.

27% of systems running SSL have SSL errors.

Total systems: 50,904,173
Systems with SSL errors: 13,657,294
Our analysis found that 27% of the hosts with port 443 open (13,657,294 of 50,904,173) returned SSL/TLS errors. These errors include broken implementations and misconfigurations, among other causes.

16% of systems running SSL are heartbeat-enabled.

Total systems: 50,904,173
Heartbeat-enabled: 8,212,757
Hosts that advertise the Heartbeat extension make up only 16% of the SSL/TLS hosts scanned (8,212,757 of 50,904,173).

Under half a percent of systems running SSL (about 3% of heartbeat-enabled systems) are still vulnerable to Heartbleed.

Total systems: 50,904,173
Still vulnerable to Heartbleed: 213,592
The good news is that of the 50 million hosts running SSL/TLS, only 213,592 remain vulnerable to Heartbleed: 0.4% of all hosts, or about 2.6% of the 8.2 million heartbeat-enabled hosts. Unfortunately, there is a lot of work left to be done, and progress on completing that work has slowed to a stop.

Systems affected by Heartbleed

On April 9, 2014, two days after the disclosure, independent security researcher Robert Graham estimated that about 615,268 IP addresses were vulnerable to Heartbleed. One month later, on May 8, 2014, he reported the number had dropped to 318,239, and roughly six weeks after that, to 309,197.

In upcoming blogs we’ll discuss how Heartbleed was first discovered, what common assumptions people make about the security of open source software, and why so many IP addresses remain vulnerable today.
