Vendors slow to patch OpenSSL vulnerabilities


Heartbleed is far from over.

Several key technology vendors have yet to fully patch the vulnerabilities in OpenSSL, the cryptographic library used to secure networked communications, a leading Australian security researcher has warned.

The Heartbleed vulnerability in OpenSSL, first revealed to the public in April this year, makes it possible for attackers to tap into what was thought to be secure, encrypted communications unnoticed.

After a more thorough audit of the open source crypto library, further vulnerabilities were discovered that could lead to denial of service attacks and arbitrary code execution.

The list of products affected by the OpenSSL vulnerabilities is long and deep, ranging from servers to clients, database backup systems, printers, mobile phones and hypervisors: almost any IT product or service conceivable.

Information security analyst Marco Ostini, who works at the Australian Computer Emergency Response Team (AusCERT) at the University of Queensland, said the OpenSSL vulnerabilities are not restricted to server-side computing. They are close to ubiquitous, affecting almost every operating system, he said.

This includes clients as well as embedded devices such as home broadband routers, many of which have yet to receive firmware patches for the OpenSSL vulnerabilities.

Other network devices such as smart televisions, Wi-Fi access points, industrial SCADA control systems, payment gateways, automatic teller machines and point of sale systems may still be vulnerable, Ostini warned, and the fixes have been arriving at too slow a pace.

"The slow release of patches from some vendors, and then the slow pushing of patches over so many products from sysadmins and ordinary users at home, seem to highlight that Heartbleed and its cousins will be causing grief for some time to come. It may end up being instrumental in some significant breaches to come," Ostini told iTnews.

Google's Android mobile operating system version 4.1.1 accounts for almost a third of all installations but has yet to see a patch against the OpenSSL vulnerability.

Blackberry is another vendor that was very late to patch many of its vulnerable products, Ostini noted. 

"In the process [of patching for OpenSSL vulnerabilities] credentials, private keys and other sensitive data would almost certainly have been stolen," Ostini said.

The scale of the problem is compounding the difficulty of all parties rectifying the issue, he said. 

"Consider the plight of the poor sysadmin whose job it is to patch all the products that are vulnerable to Heartbleed, drop certificates and install new ones, and cause much annoyance to their employer in the process with their necessary disruptions," he said. "Now consider that poor sleep-deprived person being required to do it all again for the batch of seven OpenSSL vulnerabilities."

The industry is suffering from what he calls "vulnerability mitigation fatigue".

"Even with the best intentions and processes, it can slow the response down, so that the necessary updates aren't being urgently applied," Ostini said.

Less than two weeks ago, security researcher Robert Graham of Errata Sec launched a mass scan of internet-connected systems and found that over 300,000 were still vulnerable to Heartbleed, two months after the alert went out.

"This indicates that people have stopped even trying to patch," the researcher said.

"Even a decade from now, I still expect to find thousands of systems, including critical ones, still vulnerable."

Are you suffering from 'vulnerability mitigation fatigue'? How many hours have you spent mitigating OpenSSL vulnerabilities? Comment below or drop us an email.

Copyright © iTnews.com.au . All rights reserved.

