Heartbleed: Websites Are Patched, But VPNs Still At Risk

The Heartbleed security flaw remains a risk to enterprises, two weeks after first being publicly disclosed.

The Heartbleed bug is technically a security vulnerability in the open-source OpenSSL cryptographic library, which is widely used on Web servers and embedded devices. The OpenSSL project provided a patch for the Heartbleed flaw on 7 Apri, and organisations around the world have scrambled since then to implement the patch.

Big sites are Heartbleed proof

According to an analysis by security firm Sucuri, as of 17 April, 2 percent, or 20,320 of the top 1 million sites ranked by Amazon’s Alexa service were still vulnerable to the Heartbleed vulnerability.

While Web servers remain a key target for the Heartbleed vulnerability, they aren’t the only Internet technology that is at risk. Virtual private network (VPN) technology today is often deployed in the form of SSL-VPN, which has now been identified as also being under attack from Heartbleed. Security research group Mandiant, which became part of FireEye by way of a $1 billion acquisition earlier this year, is reporting that one of its clients was attacked by way of Heartbleed on a vulnerable SSL-VPN.

“Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions,” Mandiant security researchers wrote in a blog post. “Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users.”

Heartbleed attack on SSL-VPN

It’s not terribly surprising that an SSL-VPN could be at risk, especially on 8 April. While the open-source OpenSSL project had a patch available on 7 April, it has taken time for individual vendors to properly package the patch. It also takes time for users to patch the actual technology that is in use.

What is surprising about the Mandiant discovery, however, is the fact that the attack the company’s security researchers monitored also bypassed the multi-factor authentication in place at the victim’s enterprise. Multi-factor authentication is supposed to help limit the risk of a single flaw like Heartbleed from exposing a user’s password. With multi-factor authentication, sometimes known as two-factor authentication, or 2FA, a randomly generated second factor is used to gain access.

So what does this all mean to enterprise users?

It means that, in addition to making sure that Web servers and sites are secured and protected against Heartbleed, it is imperative that all organisations update and secure all their Web-facing technologies. Those technologies include VPNs as well as all the associated user passwords that are linked to them.

It’s no small task, but the new research from Mandiant also illustrates that the risk is real.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Love IT security? Try our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

10 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

12 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

13 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

14 hours ago