Vendors slow to patch OpenSSL vulnerabilities

Several key technology vendors are yet to fully patch against the OpenSSL cryptographic library used to secure networked communications, a leading Australian security researcher has warned.

Australia's sysadmins are suffering from "vulnerability mitigation fatigue".

The Heartbleed vulnerability in OpenSSL, first revealed to the public in April this year, makes it possible for attackers to tap into what was thought to be secure, encrypted communications unnoticed.

After a more thorough audit of the open source crypto library, further vulnerabilities were discovered that could lead to denial of service attacks and arbitrary code execution.

The list of products affected by the OpenSSL vulnerabilities is long and deep, ranging from servers to clients, database backup systems and printers; mobile phones, hypervisors - almost any IT product or service conceivable.

Information security analyst Marco Ostini, who works at the Australian Computer Emergency Response Team (AusCERT) at the University of Queensland, says the OpenSSL vulnerabilities are not restricted to server-side computing. They are close to being ubiquitous, affecting almost every operating system, he said.

This includes clients as well as embedded devices such as home broadband routers, many of which are yet to receive firmware patches for the OpenSSL vulnerabilites. 

Other network devices such as smart televisions, wireless Wi-Fi access points, industrial SCADA control systems, payment gateways, automatic teller machines and point of sale systems may still be vulnerable, Ostini warned, and the fixes have been coming in at too slow a pace.

"The slow release of patches from some vendors, and then the slow pushing of patches over so many products from sysadmins and ordinary users at home, seem to highlight that Heartbleed and it's cousins will be causing grief for some time to come. It may end up being instrumental in some significant breaches to come," Ostini told iTnews.

Google's Android mobile operating system version 4.1.1 accounts for almost a third of all installations but has yet to see a patch against the OpenSSL vulnerability.

Blackberry is another vendor that was very late to patch many of its vulnerable products, Ostini noted. 

"In the process [of patching for OpenSSL vulnerabilities] credentials, private keys and other sensitive data would almost certainly have been stolen," Ostini said.

The scale of the problem is compounding the difficulty of all parties rectifying the issue, he said. 

"Consider the plight of the poor sysadmin who's job it is to patch all the products that are vulnerable to Heartbleed, drop certificates and install new ones, and cause much annoyance to their employer in the process with their necessary disruptions," he said. "Now consider that
poor sleep-deprived person being required to do it all again for the batch of seven OpenSSL vulnerabilies." 

The industry is suffering from what he calls "vulnerability mitigation fatigue".

"Even with the best intentions and processes, it can slow the response down, so that the necessary updates aren't being urgently applied," Ostini said.

Less than two weeks ago, security resercher Robert Graham of Errata Sec launched a mass scan of internet-connected systems and found that over 300,000 were vulnerable to Heartbleed, two months after the alert went out.

"This indicates that people have stopped even trying to patch," the researcher said.

"Even a decade from now, I still expect to find thousands of systems, including critical ones, still vulnerable."

Are you suffering from 'vulnerability mitigation fatigue'? How many hours have you spent mitigating OpenSSL vulnerabilities? Comment below or drop us an email.