Research gives reason to double-check Heartbleed fix

System administrators rushing to fix the highly publicized Heartbleed vulnerability may have introduced the flaw into unaffected websites, a security researcher says.

Yngve Pettersen at Vivaldi Technologies recently found that the sites' servers, which had been unaffected by the OpenSSL bug, suddenly started appearing as having the vulnerability.

Why that is happening is not known, but in taking an educated guess, Pettersen believes sysadmins might have hastily upgraded an unaffected server without checking whether the software update had been patched. Those servers may have been running versions of OpenSSL before 1.0.1. The earlier versions were safe from the bug.

"My recommendation (to sysadmins) is to make haste slowly," Pettersen told CSOonline. "Don't cut corners and make sure you actually go to the right version of OpenSSL."

Since so-called Heartbleed bug was discovered in early April, Pettersen has been scanning roughly a half million websites listed on Alexa as among the top 1 million sites on the Web. Alexa is the Web analytics company owned by Amazon.

In scanning the sites Monday, Pettersen found 2.2 percent with the Heartbleed bug, which was about half the number at the peak. Roughly 3,000 sites that had been unaffected were found to contain the vulnerability.

While the numbers are small, they are still worth mentioning since the websites could be at risk of having data stolen by hackers.

Other researchers questioned whether Pettersen's findings meant servers were mistakenly being infected with Heartbleed.

"While it is possible that some administrators have upgraded to an insecure version of OpenSSL, it is also possible that his previous scans failed to reveal the vulnerability," Jeffrey Lyon, president and founder of DDoS mitigation company Black Lotus Communications, said.

Previous scans may have missed servers that were offline or the scans might have been blocked by an intrusion detection system (IDS), Lyon said.

"I would caution against drawing the conclusion that more top sites are becoming vulnerable to Heartbleed," he said.

Nevertheless, a few sysadmins might have moved too quickly, because of the intense media coverage of Heartbleed. Hundreds of thousands of websites contained the flaw that a cybercriminal could exploit to steal data flowing between a site and a browser.

Pettersen also found roughly 66,000 patched servers with the same digital certificates that were used before the OpenSSL fix was applied.

OpenSSL is the open-source implementation of SSL, a protocol used in encrypting data through the use of certificates that authenticate the server and browser.

While Pettersen's research is not definitive, it should be a warning to CSOs to at least ask sysadmins to double-check the work they did in patching Heartbleed.

"Upgrading from a non-vulnerable version of OpenSSL to a vulnerable version of OpenSSL is a substantial security problem," Curt Wilson, senior research analyst for Arbor Networks, said. "Organizations need to ensure that the correct, non-vulnerable version of OpenSSL is installed."

Tags softwareapplicationsapplication securityWeb serversAccess control and authenticationHeartbleedWeb site vulnerabiltywebsite securitywebsite risks

Show Comments