The Heartbleed security hole in the open source OpenSSL cryptographic library continues to cause headaches for admins, as new details emerge on just how widespread and exploitable it is.
Performance and security content delivery network provider Cloudflare has shown through a competition that it is indeed possible to retrieve private keys for digital certificates using Heartbleed to remotely read memory on web servers running vulnerable versions of OpenSSL.
Four people were able to snag the private key for the web server through Heartbleed, something Cloudflare earlier erroneously considered impossible.
The company now says that based on the results of the competition, everyone should revoke and reissue their private Secure Sockets Layer certificate keys.
Heartbleed leaves no trace of attacks that siphon off the contents of vulnerable systems memory, making it impossible to estimate how much private information has been captured over the two years the vulnerability in the popular OpenSSL library has existed.
Reverse heartbleed client vulnerability
Magnifying the Heartbleed problem, it's not just servers that are vulnerable, but also client systems running affected versions of OpenSSL.
Web collaboration company Meldium discovered it is possible to set up a malicious server that can send out bad Transmission Layer Security (TLS) heartbeat packets to clients and extract the contents of their memory.
"We've found that vulnerable clients can actually be made to send hundreds of 16 kilobyte chunks of memory back, making it much easier to explore the client's memory space," Meldium wrote.
Open agents or clients that execute such tasks as previewing links, file sharing apps, identity federation protocols such as OpenID and application programming interface consumers for integration across websites are potentially vulnerable to "reverse heartbleed" if they utilise vulnerable versions of OpenSSL.
Meldium has set up a public testing tool to check for Reverse Heartbleed vulnerabilities in clients.
Embedded devices, routers may need patching
Billions of devices that use OpenSSL could also be vulnerable to Heartbleed, and these will be harder to remedy.
Networking infrastructure vendor Cisco issued a Heartbleed security advisory covering several of its products, ranging from switches to the Webex Messenger and Jabber clients, to access gateways, Telepresence systems and more.
An unknown number of consumer grade devices such as broadband routers are thought to be vulnerable to Heartbleed, with no patches available. Security commentator Bruce Schneier said for these "an upgrade path that involves the trash, a visit to [retailer] Best Buy, and a credit card isn't going to be fun for anyone."
According to Forbes, Google has acknowledged that Android 4.1.1 is vulnerable to Heartbleed and has distributed patching information to its device partners. Android version 4.1.x is the most popular version of Google's operating system currently, garnering 34 percent market share.
Security vendor Trend Micro has scanned 390,000 apps from Google play, and found 1300 connect to servers vulnerable to Heartbleed. Fifteen of the apps are bank-related, Trend Micro said, and a further 39 used for online payments and another ten are online shopping ones, raising concerns as to customers financial transactions being compromised without notice.
Password changing frenzy
Meanwhile, users of providers that ran vulnerable services that have since been patched are nonetheless asked to change their passwords.
These include some of the largest and most popular properties on the web, such as Facebook, Instagram, LinkedIn, Pinterest, Tumblr, Google, Yahoo and Amazon Web Services as well as storage services such as Dropbox and Box.
Complicating the situation, customers often utilise multiple providers, leaving them with several sites to change passwords on. Phishing emails with bogus Heartbleed advisories, asking people to go to sites to change their passwords, are further adding to security woes. Users are advised not to click on "helpful" links in emails received.
While well-known providers were quick to patch their servers last week, despite the extensive publicity around Heartbleed, many thousands of websites around the world remain vulnerable.
University of Michigan has used its ZMap network scanning tool to monitor the top one million domains in Alexa since news of the vulnerability broke, and indications are that 6.2 percent of these are still open to Heartbleed.
ZMap is also finding vulnerable mail, instant messaging and voice over internet protocol servers, and believes Internet-wide Heartbleed attacks are underway.