The world continues to recover from the revelation of the Heartbleed vulnerability in many versions of OpenSSL, with Web sites, vendors and organizations scouring their systems for the problem.
According to ComputerWorld U.S., by the end of last week all of the world’s top 1,000 Web sites had been patched. However, a security firm estimates that tens of thousands of other sites still put users at risk.
That risk was demonstrated shortly after the vulnerability was revealed when Revenue Canada admitted that someone had used it to make off with some 900 social insurance numbers in the tax department’s database. A London, Ont., student was charged.
Meanwhile, staffers at security vendor Mandiant report in a blog that there have been other successful attacks using the exploit that went beyond an attacker stealing private encryption keys from a Web server.
Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions, the staffers said. “The attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users. With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.”
Reports like this make it imperative that organizations of all sizes inventory all software and hardware connected to the network and find out the status from their vendors and suppliers. Because vendors have long lists of products to go through, it will likely mean checking daily on their Web sites for the latest news.
It will also be essential to keep an eye on network traffic. Mandiant and others note that since the vulnerability only exposes up to 64 KB of data from memory per request, attackers have to send hundreds of attempts to get at information.
Mandiant also advises going through old VPN logs, if possible, to see whether the IP address of a session changed repeatedly between two IP addresses. “It is common for an IP address to legitimately change during a session, but from our analysis it is fairly uncommon for the IP address to repeatedly change back and forth between IP addresses that are in different network blocks, geographic locations, from different service providers, or rapidly within a short time period,” the company says.
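The log-review heuristic described above can be scripted. The following is an added example written for this article; it is not Mandiant's tooling and not code from any VPN vendor. It assumes a simple one-line-per-event log format (timestamp, session id, user, source address), constructed here from RFC 5737 documentation addresses, and it approximates “different network blocks” as different /24 prefixes because geolocation and service-provider lookups are not available offline. A session is flagged when its source address switches between blocks at least three times within a ten-minute window; a single address change, which Mandiant notes is common and legitimate, is not flagged.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real VPN data). Session "s-legit" changes
# address once, which is normal; session "s-hijacked" bounces back and forth
# between two addresses in different /24 blocks within a few minutes.
SAMPLE_LOG = """\
2014-04-08T10:00:00Z session=s-legit user=alice src=203.0.113.10 action=login
2014-04-08T10:20:00Z session=s-legit user=alice src=203.0.113.10 action=request
2014-04-08T10:45:00Z session=s-legit user=alice src=198.51.100.7 action=request
2014-04-08T11:00:00Z session=s-legit user=alice src=198.51.100.7 action=request
2014-04-08T10:05:00Z session=s-hijacked user=bob src=203.0.113.25 action=login
2014-04-08T10:06:00Z session=s-hijacked user=bob src=192.0.2.44 action=request
2014-04-08T10:07:30Z session=s-hijacked user=bob src=203.0.113.25 action=request
2014-04-08T10:08:00Z session=s-hijacked user=bob src=192.0.2.44 action=request
2014-04-08T10:09:10Z session=s-hijacked user=bob src=203.0.113.25 action=request
"""

# Assumed log line layout; real appliances use their own formats.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Group events by session as sorted (timestamp, user, ip) tuples."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        sessions[m["session"]].append((ts, m["user"], ipaddress.ip_address(m["src"])))
    for events in sessions.values():
        events.sort(key=lambda e: e[0])
    return sessions


def network_block(ip, prefixlen=24):
    """Approximate a 'network block' as the /24 containing the address (assumption)."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def find_flapping_sessions(text, window_seconds=600, min_switches=3, prefixlen=24):
    """Return {session: details} for sessions whose source address switches
    between different network blocks at least min_switches times inside
    any window of window_seconds. A single change is never flagged."""
    flagged = {}
    for session, events in parse_log(text).items():
        switches = []  # timestamps at which the block changed
        prev_block = None
        for ts, _user, ip in events:
            block = network_block(ip, prefixlen)
            if prev_block is not None and block != prev_block:
                switches.append(ts)
            prev_block = block
        # densest run of switches inside a sliding window
        worst = 0
        for i, start in enumerate(switches):
            n = sum(1 for t in switches[i:] if (t - start).total_seconds() <= window_seconds)
            worst = max(worst, n)
        if worst >= min_switches:
            flagged[session] = {
                "user": events[0][1],
                "switches_in_window": worst,
                "blocks": sorted({str(network_block(e[2], prefixlen)) for e in events}),
            }
    return flagged


if __name__ == "__main__":
    for session, info in find_flapping_sessions(SAMPLE_LOG).items():
        print(f"{session}: user={info['user']} switches={info['switches_in_window']} "
              f"blocks={info['blocks']}")
```

Tune `window_seconds`, `min_switches` and `prefixlen` to the appliance and user population; remote workers on mobile connections will legitimately move between addresses, so the flagged list is a review queue for the incident responder, not an automatic verdict.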