The Heartbleed Bug took the world by storm the moment the vulnerability became public. Heartbleed is a serious vulnerability in the widely used OpenSSL cryptographic library. This weakness allows theft of data resident in the server’s memory, which generally comprises SSL/TLS-encrypted information, including the server’s SSL private keys.

According to Netcraft’s April 2014 Web Server Survey, it was estimated that when the Heartbleed Bug was announced, the two most widely used open source web servers, Apache and nginx, contained a version of OpenSSL that was vulnerable to it. The combined market share of Apache and nginx alone accounts for over 66% of active sites on the Internet.

However, the story of the Heartbleed Bug does not simply end at Apache and nginx. Hundreds of other services, applications and operating systems make use of OpenSSL for purposes that may be entirely unrelated to delivering pages over HTTPS.

This puts the number of Heartbleed victims at a much larger figure once services such as email servers (SMTP, POP and IMAP), FTP servers, chat servers (XMPP), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software are taken into account.

Network scans performed using Acunetix Online Vulnerability Scanner (OVS) can detect the Heartbleed Bug in web servers as well as in other services.

[Screenshot: Heartbleed detection in Acunetix Online Vulnerability Scanner]

Acunetix Online also reports in detail which services are affected by the Heartbleed Bug. In the screenshot above, Acunetix Online has detected that an FTP server running on an installation of Ubuntu 12.04 LTS (listening on TCP port 21) is vulnerable to the Heartbleed Bug.

Additionally, Acunetix Online explains how to fix the vulnerability and provides detailed background information about it.

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.