According to research from Venafi, a vast majority of the world's top businesses are still vulnerable to Heartbleed, which was disclosed a year ago this month.
The OpenSSL flaw impacted organizations both large and small, but the latest figures show that 74-percent of the Global 2000 remain vulnerable.
Heartbleed (CVE-2014-0160) was fully disclosed on April 7, 2014. The problematic code was originally introduced to the OpenSSL platform in 2012, but remained undetected until researchers performed an audit.
Heartbleed came about due to a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. If exploited, an attacker could gain access to SSL private keys, usernames and passwords submitted to applications or services running on the server, or session tokens and cookies.
The most notable attack to leverage Heartbleed was the one against Community Health Systems (CHS), where the flaw was used to gain access to credentials on a Juniper device.
Those credentials were then used to login to the CHS VPN. In the end, the attackers were able to compromise 4.5 million patient records.
The CHS breach was disclosed in an 8-K filing to the U.S. Securities and Exchange Commission. CHS later hired Mandiant to help with the aftermath of the incident, and the firm promptly blamed actors in China known as APT 18.
The latest research from Venafi, conducted by the company using their cloud-based certificate reputation service, discovered that 76-percent of the Global 2000's public-facing systems were still vulnerable to Heartbleed.
There were four steps to eliminating Heartbleed, and most organizations only completed one or two of them, the most common being updating OpenSSL.
After that, new keys needed to be generated, and new certificates needed to be issued and installed, after the old certificates were revoked. The majority of those still impacted by this issue have never generated new keys, nor have they installed new certificates.
"It would seem based on the trend of replacing keys only for impending certificate expirations that organizations have either given up on trying to fully remediate this massive vulnerability or simply don’t grasp the gravity of the situation," commented Gavin Hill, director of product marketing and threat intelligence at Venafi.
"I believe that there are two additional reasons for such poor Heartbleed remediation. As described by Gartner, “lazy” remediation—when organizations fail to replace the private key or fail to revoke the old certificate—shows that organizations do not understand that once the private key is exposed, everything is exposed. Another probable reason for the lack of Heartbleed remediation is that organizations simply don’t see the impact yet."
Update:
Errata Security's Robert Graham, who has seen the claims from the Venafi report, as well as the media coverage it's generated, feels the starts are lies.
"An unknown company 'Venafi' is suddenly in the news implying 75% of major systems are still vulnerable to Heartbleed. This deserves a rating of "liar liar pants on fire'," Graham wrote on the company blog.
"The issue isn't patches but certificates. Systems are patched, but while they were still vulnerable to Heartbleed, hackers may have stolen the certificates. Therefore, the certificates need to be replaced. Not everyone has replaced their certificates, and those that have may have done so incorrectly (using the same keys, not revoking previous). Thus, what the report is saying is that 75% haven't properly updated their certificates correctly. Naturally, they sell a solution for that problem."
Graham goes on to note that only a small number of systems were actually vulnerable to Heartbleed in the first place, making the stats in the Venafi report slanted. Graham's blog post is here.