A month after Heartbleed, many servers are still vulnerable

A month has passed since the existence of the OpenSSL Heartbleed bug was shared with the public.

Given that this open-source implementation of the SSL and TLS protocols is used in many operating systems and apps, not to mention being the default encryption engine for popular Web server software, it’s a given that fixing this mess will take some time.

Rob Graham of Errata Security has decided to check the current situation. His initial scan of Internet IPv4 addresses (only on port 443), made almost immediately after the discovery of the bug, unearthed over 600,000 vulnerable systems. The latest scan he performed in these last few days shows around 300,000 affected systems.

He noted, though, that this time around he found around 6 million fewer systems supporting SSL.

“I suspect the reason is that this time, people detected my Heartbleed ‘attacks’ and automatically firewalled me before the scan completed. Or, another problem is that I may have more traffic congestion at my ISP, which would reduce numbers,” he hypothesized.

Opera Software developer Yngve Pettersen has also been tracking the patching of the Heartbleed issue.

To do it, he uses a tool dubbed TLS Prober, which “currently scans a set of about 500 000 separate servers, using variations of host names in various domains (in total 23 million), with a selection bias towards Alexa Top million sites.”

He started scanning a few days after the revelation of the existence of the bug, and has noted that the number of vulnerable servers has trended sharply downward – that is, until two weeks ago.

After analyzing the results, he concluded that “The reason the absolute number of vulnerable BigIP servers has been holding steady is that the number of BigIP servers including those using OpenSSL 1.0.1 (which supports Heartbeat) has doubled in the past month (after a slow decline over the past two years), and that many of the new servers using the OpenSSL mode were using a vulnerable version.”

He also noted that in his most recent scan, 20% of the currently vulnerable servers (as distinguished by IP addresses), and 32% of the vulnerable BigIP servers, were actually not vulnerable when scanned before.

He admits that the numbers might not be entirely accurate, since some of these servers may not have stayed on the same IP address, but he also pointed out that the media frenzy following the discovery of the bug might have made some sysadmins believe that their systems were affected.

“This, perhaps combined with administrative pressure and a need to ‘do something’, led them to upgrade an unaffected server to a newer, but still buggy version of the system, perhaps because the system variant had not yet been officially patched,” he assumes.

Update: Thursday, 15 May 2014. – The researcher comments: “After closer investigation together with F5, it seems that, due to an issue with the network connection of the prober the test used to detect F5 BigIP server showed higher numbers than it should have, and the numbers of such servers therefore got very inflated for the scans that were run in the past month. This means that the BigIP related information and conclusions are not correct, and I have therefore moved down and struck out the section regarding BigIP servers. My apologies to F5 and their customers for this mistake.”