Heartbleed one month later, at least 300k servers are still vulnerable

Security researcher Robert Graham published the results of recent global scan searching for Heartbleed vulnerable systems. 300k systems are still vulnerable

Heartbleed flaw is a bug disclosed more than a month ago, which affected OpenSSL library with serious repercussion on most common encryption services we daily use.

Encrypted communications, mobile platforms, VPN and Tor networks are just a few samples of the extension of the Hartbleed impact, but which is the status today of the affected systems more than a month since it was publicly disclosed?Security researcher Robert David Graham has estimated that there are more than 300,000 servers still vulnerable to the flaw, as he has written in a blog post on the Errata Security.

The expert has compared the results of global internet scan made recently with the results obtained one month ago, 318,239 systems are still vulnerable to OpenSSL Heartbleed flaw and this news is very alarming considering the availability of the fix. The number of servers which support the flawed version of OpenSSL library is over 1.5 million.

Screenshot-Test-your-server-for Heartbleed

“I’d rescan the Internet (port 443) to see how many systems remain vulnerable. Whereas my previous scan a month ago found 600,000 vulnerable systems, today’s scan found roughly 300,000 thousand systems (318,239 to be precise).” said Graham.

Last month Graham discovered one million systems supporting the “heartbeat” feature and nearly one third was patched, after the recent scan the number of systems is passed to 1.5-million but just 300k were patched. The researcher hypothesized that the first response to the bug was to disable the library and later, after the patching of the flaw, heartbeats were re-enabled.

After the disclosure of Heartbleed bug many administrators have adopted defensive measures (e.g. Firewall) to protect their systems from attacks exploiting the flaw, as a consequence the number of servers supporting SSL discovered by the scan is passed from 28 million to 22 million. 22 million is the number of systems responding to the SSL handshake, consider that there are many more systems that respond to the probe, but which do not talk SSL.

“The numbers are a little strange. Last month, I found 28-million systems supporting SSL, but this month I found only 22-million. I suspect the reason is that this time, people detected my Heartbleed “attacks” and automatically firewalled me before the scan completed. Or, another problem is that I may have more traffic congestion at my ISP, which would reduce numbers. (I really need to do a better job detecting that),” said Graham.

300,000 vulnerable systems are really a significant number, the risk related to the exposure of sensitive information is high.

Security experts fear that cyber criminals and state-sponsored hackers could be advanced by the presence of so large a number of vulnerable systems.

The results presented by Graham are part of the analysis conducted only on port 443, the researcher has already announced that he will try to scan for other well-known SSL ports, like SMTP.

Let’s see what happen!

Pierluigi Paganini

(Security Affairs – Heartbleed, hacking)