In-brief: more than three years after it was first discovered, the Heartbleed vulnerability in OpenSSL continues to plague organizations worldwide. Why has it been so hard to fix? In this Industry Perspective, Patrick Carey of the firm Black Duck talks about some of the complicating factors that make vulnerabilities like Heartbleed so hard to eradicate.
In Brief: Although severe, a new vulnerability in OpenSSL that allows an attacker to impersonate a trusted CA serveris expected to have minimal impact. OpenSSL today issued a high severity advisory warning of forged certificates. During certificate verification, the alert says OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. This could allow an adversary to impersonate a trusted CA server and eavesdrop on otherwise encrypted communication. Fortunately, the flaw only affects versions of OpenSSL released last month and not yet available in some OSs such as Ubuntu. Affected versions are OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Despite the severity, experts expect the overall impact will be minimal. “Exploiting the OpenSSL vulnerability (CVE-2015-1793) is not quick or easy, making it nowhere near as serious as Heartbleed,” said Veracode’s Vice President of Research Chris Eng in an email. “For starters, an […]
In-brief: Three quarters of Global 2000 organizations have yet to fully remediate the Heartbleed vulnerability one year after it was discovered, according to a study by the firm Venafi.
The security firm TrustedSec said in a blog post on Tuesday that a recent hack of the healthcare network Community Health Services was the result of an attack on the so-called “Heartbleed” vulnerability in OpenSSL. According to TrustedSec, attackers targeted vulnerable VPN (virtual private network) software from Juniper networks in a breach that affected an estimated 4.5 million patients. TrustedSec cited a “trusted and anonymous source close to the CHS investigation” in its blog post. It said attackers were able to glean user credentials from memory on a CHS Juniper device by exploiting the Heartbleed vulnerability. Those credentials were used to login via the VPN to CHS’s network, then move laterally to the servers containing the patient data. [Read more Security Ledger coverage of the Heartbleed vulnerability here.] A separate report by Bloomberg attributed the attack to hackers in China, though it did not provide any evidence linking the attackers to a specific Chinese […]
The dangerous security hole in OpenSSL known as “Heartbleed” has (mostly) faded from the headlines, but that doesn’t mean it isn’t still dangerous. As this blog has noted, the Heartbleed vulnerability was patched quickly on major platforms like Apache and nginx and by high profile service providers like Google and Facebook. But it still has a long tail of web applications that aren’t high risk (i.e. directly reachable via the Internet) and embedded devices that use OpenSSL or its various components. As the folks over at Acunetix note in a blog post today, hundreds of other services, application software and operating systems make use of OpenSSL for purposes that might be entirely unrelated to delivering pages over HTTPS. This includes all the email servers (using SMTP, POP and IMAP protocols), FTP servers, chat servers (XMPP protocol), virtual private networks (SSL VPNs), and network appliances that use OpenSSL or its components. The number of systems vulnerable to […]
