Two Year Anniversary for Heartbleed: Still Many Vulnerable Devices
April 8, 2016 • RBS
Heartbleed is the ‘named’ vulnerability that received a huge amount of attention. While not the first to be named, it started the now (in)famous trend of researchers naming their vulnerability discoveries to get attention, and it also led to a positive change: vendors and enterprises started focusing more on vulnerabilities in 3rd party libraries.

Doing a search on Shodan.io, there are currently 224,858 Internet-connected systems still vulnerable to Heartbleed. The top 5 countries are the United States, Germany, China, France, and the United Kingdom, in that order.
Digging a bit more into the results, many of the affected systems are actually appliances or devices that either haven’t been patched or do not even have patches available. Of these, we found a lot of Fortinet appliances, but also many vulnerable DVR systems from various vendors including Hikvision, ABUS, Swann, and FLIR Lorex. We also found vulnerable Polycom SoundPoint IP phones, various access points and routers, WatchGuard firewalls, Western Digital, Synology, and QNAP storage devices, digital signage, and printers.
There are several tools available to check if your servers and devices are still affected by Heartbleed. Every organization should test to ensure it does not have sensitive devices spilling too much information to attackers via the Internet. If you do, make sure to apply the latest firmware updates if any are available from your vendor. If your vendor still has not released updates, you should question how serious the vendor is about security.
Tracking vulnerabilities in 3rd party libraries is critical not only to device vendors, who bundle these in their products, but also to enterprises using these products, so they understand when they are vulnerable. It may be a painful task, but it is important to do.

We continue to invest heavily into our VulnDB solution to assist organizations that need help monitoring vulnerabilities affecting devices in their infrastructure, with a significant focus on 3rd-party libraries.