Heartbleed: Websites Are Patched, But VPNs Still At Risk

Sean Michael Kerner

The Heartbleed OpenSSL flaw is fixed on websites – but security firms have spotted attacks on SSL VPNs, warns Sean Michael Kerner

The Heartbleed security flaw remains a risk to enterprises, two weeks after first being publicly disclosed.

The Heartbleed bug is technically a security vulnerability in the open-source OpenSSL cryptographic library, which is widely used on Web servers and embedded devices. The OpenSSL project provided a patch for the Heartbleed flaw on 7 Apri, and organisations around the world have scrambled since then to implement the patch.

Big sites are Heartbleed psheartbeat chalk board security flaw © Roobcio shutterstockroof

According to an analysis by security firm Sucuri, as of 17 April, 2 percent, or 20,320 of the top 1 million sites ranked by Amazon’s Alexa service were still vulnerable to the Heartbleed vulnerability.

While Web servers remain a key target for the Heartbleed vulnerability, they aren’t the only Internet technology that is at risk. Virtual private network (VPN) technology today is often deployed in the form of SSL-VPN, which has now been identified as also being under attack from Heartbleed. Security research group Mandiant, which became part of FireEye by way of a $1 billion acquisition earlier this year, is reporting that one of its clients was attacked by way of Heartbleed on a vulnerable SSL-VPN.

“Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions,” Mandiant security researchers wrote in a blog post. “Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users.”

Heartbleed attack on SSL-VPN

It’s not terribly surprising that an SSL-VPN could be at risk, especially on 8 April. While the open-source OpenSSL project had a patch available on 7 April, it has taken time for individual vendors to properly package the patch. It also takes time for users to patch the actual technology that is in use.

What is surprising about the Mandiant discovery, however, is the fact that the attack the company’s security researchers monitored also bypassed the multi-factor authentication in place at the victim’s enterprise. Multi-factor authentication is supposed to help limit the risk of a single flaw like Heartbleed from exposing a user’s password. With multi-factor authentication, sometimes known as two-factor authentication, or 2FA, a randomly generated second factor is used to gain access.

So what does this all mean to enterprise users?

It means that, in addition to making sure that Web servers and sites are secured and protected against Heartbleed, it is imperative that all organisations update and secure all their Web-facing technologies. Those technologies include VPNs as well as all the associated user passwords that are linked to them.

It’s no small task, but the new research from Mandiant also illustrates that the risk is real.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Love IT security? Try our quiz!

 

Originally published on eWeek.