Heartbleed: Websites Are Patched, But VPNs Still At Risk

The Heartbleed security flaw remains a risk to enterprises, two weeks after first being publicly disclosed.

The Heartbleed bug is technically a security vulnerability in the open-source OpenSSL cryptographic library, which is widely used on Web servers and embedded devices. The OpenSSL project provided a patch for the Heartbleed flaw on 7 Apri, and organisations around the world have scrambled since then to implement the patch.

Big sites are Heartbleed proof

According to an analysis by security firm Sucuri, as of 17 April, 2 percent, or 20,320 of the top 1 million sites ranked by Amazon’s Alexa service were still vulnerable to the Heartbleed vulnerability.

While Web servers remain a key target for the Heartbleed vulnerability, they aren’t the only Internet technology that is at risk. Virtual private network (VPN) technology today is often deployed in the form of SSL-VPN, which has now been identified as also being under attack from Heartbleed. Security research group Mandiant, which became part of FireEye by way of a $1 billion acquisition earlier this year, is reporting that one of its clients was attacked by way of Heartbleed on a vulnerable SSL-VPN.

“Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions,” Mandiant security researchers wrote in a blog post. “Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users.”

Heartbleed attack on SSL-VPN

It’s not terribly surprising that an SSL-VPN could be at risk, especially on 8 April. While the open-source OpenSSL project had a patch available on 7 April, it has taken time for individual vendors to properly package the patch. It also takes time for users to patch the actual technology that is in use.

What is surprising about the Mandiant discovery, however, is the fact that the attack the company’s security researchers monitored also bypassed the multi-factor authentication in place at the victim’s enterprise. Multi-factor authentication is supposed to help limit the risk of a single flaw like Heartbleed from exposing a user’s password. With multi-factor authentication, sometimes known as two-factor authentication, or 2FA, a randomly generated second factor is used to gain access.

So what does this all mean to enterprise users?

It means that, in addition to making sure that Web servers and sites are secured and protected against Heartbleed, it is imperative that all organisations update and secure all their Web-facing technologies. Those technologies include VPNs as well as all the associated user passwords that are linked to them.

It’s no small task, but the new research from Mandiant also illustrates that the risk is real.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Love IT security? Try our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago