New research has revealed that despite nearly all Global 2000 enterprises moving to patch their public-facing servers against Heartbleed, most remain vulnerable due to other missteps in the cleanup process.
The report, based on data taken from a Heartbleed scan by key management technology vendor Venafi, showed that 99% of the nearly 460,000 Heartbleed-vulnerable hosts at Global 2000 organizations had been patched against the OpenSSL vulnerability. That impressive patching effort was undercut, however, by organizations that failed to generate new encryption keys, issue new security certificates or revoke their old certificates, all of which are necessary to completely remediate Heartbleed.
The report noted that only 387 of the Global 2000 organizations had performed all of the necessary remediation steps, while 449,000 hosts – 97% of those that were vulnerable – at 1,639 organizations had only been partially remediated. The research did not break down how many organizations failed to complete each of the three necessary remediation steps after patching against Heartbleed.
Update: Venafi provided further clarification on the statistics included in the report. Of the servers that had been partially remediated, 51% had new certificates but not new private keys, while 49% had both new keys and certificates but had not completed the revocation process.
Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, said that failing to fully complete the Heartbleed cleanup process would leave organizations open to a variety of possible attacks. For example, if an enterprise did not swap out a compromised SSL private key, an attacker could still use it to decrypt communications and spoof Web services, regardless of whether the company had applied the appropriate OpenSSL patch and issued new certificates. If a compromised certificate isn't revoked and replaced, Bocek said, malicious actors could still commit man-in-the-middle attacks because the certificate would still be trusted as valid.
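The three post-patch steps described above (new key, new certificate, revocation of the old certificate) can be checked against an inventory rather than taken on trust. The following is an added example, not code from the article or from Venafi: it compares a pre-patch and a post-patch snapshot of each host's OpenSSL version, certificate serial and public-key (SPKI) fingerprint, and reports which remediation steps are still missing. The host records, serials and fingerprints are constructed sample data, and the snapshot format is an assumption; the OpenSSL version test encodes the publicly documented affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1).

```python
"""Heartbleed remediation audit over a constructed host/certificate inventory."""
import re
from collections import Counter
from dataclasses import dataclass


def openssl_vulnerable(version: str) -> bool:
    """True if this OpenSSL version string is in the Heartbleed-affected range.

    Affected: 1.0.1 (no letter) through 1.0.1f, plus 1.0.2-beta1. 1.0.1g fixed it.
    """
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    if m:
        return m.group(1) in {"", "a", "b", "c", "d", "e", "f"}
    return version == "1.0.2-beta1"


@dataclass(frozen=True)
class HostSnapshot:
    """Assumed inventory record: what a scanner saw on one host at one time."""
    host: str
    openssl_version: str
    cert_serial: str      # serial of the certificate currently served
    spki_sha256: str      # fingerprint of the public key inside that certificate


def audit_host(before: HostSnapshot, after: HostSnapshot, revoked_serials: set) -> list:
    """Return the remediation steps still missing for one host, in fixed order."""
    missing = []
    if openssl_vulnerable(after.openssl_version):
        missing.append("patched")
    # A reissued certificate that reuses the old key pair has a new serial but
    # the same SPKI fingerprint: the certificate is new, the key is not.
    if after.spki_sha256 == before.spki_sha256:
        missing.append("new_key")
    if after.cert_serial == before.cert_serial:
        missing.append("new_cert")
    # Revocation is judged on the old serial, i.e. the certificate that was
    # served while the host was exposed.
    if before.cert_serial not in revoked_serials:
        missing.append("old_cert_revoked")
    return missing


def classify(missing: list) -> str:
    if not missing:
        return "fully remediated"
    if "patched" in missing:
        return "unpatched"
    return "partially remediated"


def audit_inventory(before: dict, after: dict, revoked_serials: set) -> dict:
    """Audit every host present in both snapshots; decommissioned hosts are skipped."""
    return {
        host: audit_host(snap, after[host], revoked_serials)
        for host, snap in before.items()
        if host in after
    }


def summarize(results: dict) -> Counter:
    return Counter(classify(missing) for missing in results.values())


# Constructed sample data (not real hosts, serials or fingerprints).
BEFORE = {
    "web1": HostSnapshot("web1", "1.0.1e", "0A01", "spki-aaaa"),
    "web2": HostSnapshot("web2", "1.0.1e", "0A02", "spki-bbbb"),
    "web3": HostSnapshot("web3", "1.0.1f", "0A03", "spki-cccc"),
    "web4": HostSnapshot("web4", "1.0.1c", "0A04", "spki-dddd"),
    "web5": HostSnapshot("web5", "1.0.1e", "0A05", "spki-eeee"),
}
AFTER = {
    "web1": HostSnapshot("web1", "1.0.1g", "0B01", "spki-1111"),  # all steps done
    "web2": HostSnapshot("web2", "1.0.1g", "0B02", "spki-bbbb"),  # new cert, same key
    "web3": HostSnapshot("web3", "1.0.1g", "0B03", "spki-3333"),  # new key+cert, no revocation
    "web4": HostSnapshot("web4", "1.0.1c", "0A04", "spki-dddd"),  # never patched
    "web5": HostSnapshot("web5", "1.0.1g", "0A05", "spki-eeee"),  # patched only
}
REVOKED_SERIALS = {"0A01", "0A02"}   # serials the CA's CRL lists as revoked

if __name__ == "__main__":
    results = audit_inventory(BEFORE, AFTER, REVOKED_SERIALS)
    for host, missing in results.items():
        print(f"{host}: {classify(missing)}" + (f" (missing: {', '.join(missing)})" if missing else ""))
    print(dict(summarize(results)))
```

The SPKI comparison is the part worth keeping even if the rest is replaced by an existing inventory tool: it is the only one of the four checks that distinguishes "new certificate, old key", the state the report attributes to about half of the partially remediated servers.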
Bocek also emphasized that Venafi's Heartbleed scan only took into account public-facing services, but his experience with customers indicates that thousands of applications also remain vulnerable while sitting behind a firewall. He added that organizations are typically less consistent about vulnerability remediation when firewalls are in place, even though attackers are still capable of taking advantage of such weaknesses.
Though the severity of Heartbleed may depend on a specific system or organization, Bocek said that similar problems have occurred in the past and organizations have repeatedly been plagued by an inability to rotate keys and certificates. This research will hopefully force organizations to revisit their Heartbleed response efforts, he added, but the incident also delivers a larger message about the need to expand incident response capabilities.
"At this point, organizations have clearly moved on from thinking about Heartbleed," said Bocek. "But, there are only going to be more complex incidents in the future, and we all need to get better at responding to them."
Need to know more about Heartbleed? Learn how the huge number of revoked certificates after Heartbleed caused issues for the entire Internet, and read resident threat expert Nick Lewis' take on the incident response lessons stemming from Heartbleed.