Heartbleed – A Bigger Threat Than Meets the Eye

The Heartbleed Bug took the world by storm the moment the vulnerability became public. The Heartbleed Bug is a serious vulnerability in the widely used OpenSSL cryptographic library. This weakness allows theft of data resident in the server's memory, which generally comprises SSL/TLS-encrypted information, including the server's SSL private keys.

According to Netcraft's April 2014 Web Server Survey, it was estimated that when the Heartbleed Bug was announced, the two most widely used open source web servers, Apache and nginx, contained a version of OpenSSL that was vulnerable to the Heartbleed Bug. The combined market share of Apache and nginx alone constitutes over 66% of active sites on the Internet.

However, the story of the Heartbleed Bug does not simply end at Apache and nginx. Hundreds of other services, application software and operating systems make use of OpenSSL for purposes that might be entirely unrelated to delivering pages over HTTPS.

This puts the number of Heartbleed victims at a much larger figure once services such as email servers (SMTP, POP and IMAP protocols), FTP servers, chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software are taken into account.

Network scans performed using Acunetix Online Vulnerability Scanner (OVS) can detect the Heartbleed Bug in web servers and in other services too.

[Screenshot: Acunetix OVS scan result showing the Heartbleed Bug detected]

Acunetix OVS will also provide detailed information as to which services are affected by the Heartbleed Bug. In the case of the screenshot above, Acunetix OVS has detected that an FTP server running on an installation of Ubuntu 12.04 LTS (listening on TCP port 21) is vulnerable to the Heartbleed Bug.

Additionally, Acunetix OVS provides details on how to fix the vulnerability, together with detailed information about the vulnerability.
