Half of the servers tested by Qualys labs are vulnerable to the most recently discovered OpenSSL flaw.
According to Qualys, it has been testing a remote check for the flaw since the advisory was published on June 5th. Once satisfied that the test identifies vulnerable hosts correctly, it ran a scan against the SSL Pulse dataset and found that about 49 per cent of servers are vulnerable, and that around 14 per cent of the total are exploitable because they are running a newer version of OpenSSL.
“The rest are probably not exploitable, but should be upgraded because it’s possible that there are other ways to exploit this problem,” said Ivan Ristic, director of engineering at Qualys. “The CVE-2014-0224 vulnerability will be the most problematic for most deployments because it can be exploited via an active network (man in the middle) attack. Although virtually all versions of OpenSSL are vulnerable, this problem is exploitable only if (1) both sides use OpenSSL and (2) the server uses a vulnerable version of OpenSSL from the 1.0.1 branch.”
Craig Young, security researcher at Tripwire, said: “In CVE-2014-0224, an attacker who is able to intercept traffic between a vulnerable client and a vulnerable server can then compromise the confidentiality and integrity of client/server communications. Although this is definitely important to fix, it does not allow an attacker to take control, crash, or disclose information from a victim.”
“This latest OpenSSL vulnerability, as well as the recently discovered GnuTLS vulnerability, demonstrates that Heartbleed is not a single isolated event — these types of vulnerabilities are being discovered continuously,” said Ken Westin, security analyst at Tripwire.
“The magnitude of Heartbleed provided a great deal of visibility around these types of vulnerabilities, but many IT teams think that once they patch for it their risk is completely mitigated. In fact, this pattern of vulnerabilities exposes the need to develop a comprehensive vulnerability management strategy. In order to reduce risk you must be able to continuously monitor your environments for new vulnerabilities as they are discovered.”