On the one hand, the total number of vendor-reported vulnerabilities is down so far this year. On the other, 2014 was the year of Heartbleed, the common name for a vulnerability in the nearly ubiquitous OpenSSL cryptographic library, which IBM Security Systems characterized as “one of the most widespread and impactful security vulnerabilities of all time.”
Heartbleed is a well-known bug in OpenSSL, the popular open-source library used extensively on the Internet to implement the SSL and TLS protocols. The bug, a missing bounds check in OpenSSL's handling of the TLS heartbeat extension, can be exploited to read the memory of systems thought to be protected by encryption, exposing secret cryptographic keys, usernames, passwords and even content. It became public knowledge on April 7, but is believed to have existed for at least two years before that. By April 8, a proof-of-concept exploit had emerged.
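To make the mechanism concrete, here is an added C model of the bug, written for this page rather than taken from OpenSSL's source or from IBM's report. Heartbleed (CVE-2014-0160) was a missing bounds check in OpenSSL's TLS heartbeat handling: a server echoed back as many bytes as the request's 16-bit length field claimed, even when the request actually carried far fewer, so the copy ran past the record into whatever sat next in memory. The receive buffer, the "secret" bytes placed behind the record, and the function names are constructed for the illustration; the check in hb_respond_fixed mirrors the shape of the one added in OpenSSL 1.0.1g.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed receive buffer (not real traffic). A heartbeat request sits at
 * the front: its length field claims 37 bytes of payload, but the peer only
 * sent 2 ("hi") plus 16 bytes of padding. The 19 bytes after the record stand
 * in for whatever happened to be next in the server's memory. */
static const uint8_t RECV_BUF[] = {
    HB_REQUEST,                      /* HeartbeatMessageType */
    0x00, 0x25,                      /* payload_length = 37 (claimed) */
    'h', 'i',                        /* payload actually sent: 2 bytes */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y',
    '-', 'M', 'A', 'T', 'E', 'R', 'I', 'A', 'L',       /* adjacent memory */
};
#define RECORD_LEN 21u   /* 1 + 2 + 2 + 16: the bytes that really arrived */

/* A well-formed request for comparison: the length field matches the payload. */
static const uint8_t GOOD_REQ[] = {
    HB_REQUEST, 0x00, 0x02, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
};

static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Model of the unpatched handler: it sizes the response by the
 * attacker-controlled length field and memcpy's that many bytes from the
 * receive buffer, never checking them against record_len, the number of
 * bytes that actually arrived. Caller frees the result. */
uint8_t *hb_respond_vulnerable(const uint8_t *rec, size_t record_len, size_t *resp_len)
{
    (void)record_len;                              /* the bug: never consulted */
    uint16_t payload_len = n2s(rec + 1);
    size_t len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    uint8_t *resp = malloc(len);
    if (resp == NULL) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + 3, rec + 3, payload_len);        /* reads past the record */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    *resp_len = len;
    return resp;
}

/* Model of the patched handler: drop the record if the claimed payload, plus
 * header and padding, does not fit inside the bytes received. Returns NULL
 * (send nothing) in that case. Caller frees the result. */
uint8_t *hb_respond_fixed(const uint8_t *rec, size_t record_len, size_t *resp_len)
{
    if (record_len < 1 + 2 + HB_PADDING) return NULL;    /* too short to be valid */
    uint16_t payload_len = n2s(rec + 1);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len) return NULL;  /* the fix */
    size_t len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    uint8_t *resp = malloc(len);
    if (resp == NULL) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + 3, rec + 3, payload_len);
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    *resp_len = len;
    return resp;
}

int main(void)
{
    size_t n = 0;
    uint8_t *r = hb_respond_vulnerable(RECV_BUF, RECORD_LEN, &n);
    if (r != NULL) {
        /* Response bytes 21..39 were copied from beyond the record. */
        printf("vulnerable handler echoed %zu bytes, including: %.19s\n",
               n, (const char *)(r + 3 + 2 + HB_PADDING));
        free(r);
    }
    r = hb_respond_fixed(RECV_BUF, RECORD_LEN, &n);
    printf("fixed handler on the same record: %s\n", r ? "responded" : "dropped it");
    free(r);
    return 0;
}
```

The demo keeps the over-read inside RECV_BUF so it runs deterministically; on a real server the same memcpy walked up to 64 KB past the record on every request, which is why repeated probes could eventually return private key material. The fix is one comparison against the record length that actually arrived.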
While a fix for Heartbleed was prepared and ready to install almost immediately, the bug remained a potent one even after it was no longer a zero-day because of the ubiquity of OpenSSL. One-day attacks, IBM explains, can be just as dangerous as zero-day attacks because attackers race to exploit a given bug before its patch is widely deployed.
Part of the problem, according to the IBM Threat Intelligence Quarterly report, is that organizations not only needed to patch their own systems; they also had to wait for third-party software vendors to find and fix the bug and then test the fix in products the organizations used but did not control.
IBM says it began seeing attacks targeting the bug on the same day the proof-of-concept exploit emerged. The highest volume of attacks occurred, it says, on April 15, when more than 300,000 attacks targeted IBM Managed Security Services (MSS) clients in a single day. Attacks slowed after April 22. However, IBM says nearly half of all affected systems remain unpatched and that it still sees some 7,000 attacks against MSS clients each day.
“Organizations that had struggled to maintain a current asset database were left blind to which systems were vulnerable and which systems were critical,” they said.
Conversely, companies that maintained accurate asset databases and incident response plans were able to deploy patches rapidly on vulnerable systems. Not only did they reduce their exposure to Heartbleed, but they will face less risk from similar vulnerabilities going forward.
IBM has six suggestions for preparing for Internet-wide bugs before they emerge: organizations should keep up with threat intelligence; maintain a current and accurate asset inventory; have a patching solution that covers the entire infrastructure; implement mitigating controls like firewalls, intrusion prevention systems and endpoint protection; use effective detection so it is clear when networks are under attack; and have a clear, broad and thoroughly tested incident response plan in place.
IBM also claims that the impact of Heartbleed was increased because OpenSSL is an open-source tool.
“Typically, attackers first need to identify the code that has been patched in response to a vulnerability. For open-source projects, this is a straightforward task because they can simply review publicly accessible source-code repositories and source-code check-ins relating to the vulnerability. For closed-source applications, they can use a process called ‘binary diffing’ to find which parts of the binary code have changed, narrowing it down to changed functions and, eventually, the vulnerable code.”
For skilled attackers, locating vulnerable open-source code takes minutes as opposed to hours for closed source. Once the code is located, the attacker still has to create an exploit. Unfortunately, in the case of Heartbleed that step had already been taken care of by the public proof of concept.
More broadly, IBM, which has been tracking vulnerability disclosures since 1997, says the total number of vulnerabilities is down this year: more than 3,900 new security vulnerabilities affecting 926 unique vendors so far. If that pace holds, 2014 will be the first year since 2011 in which fewer than 8,000 vulnerabilities are disclosed by vendors.
Similarly, the number of vendors disclosing vulnerabilities has decreased year over year: 1,602 vendors reported bugs in 2013, compared to 926 vendors so far in 2014. Over the same period, the share of vulnerabilities disclosed by the largest enterprises has remained relatively unchanged, accounting for 34 percent of disclosures in 2013 and 32 percent so far this year.
Bugs in content management systems (CMS) are among the most reported this year, accounting for nearly 10 percent of all bugs. Most of these CMS vulnerabilities exist in plug-ins. This is a problem because plug-ins are often developed by third parties, very often a single person or a small group, who either don't patch or patch infrequently, IBM says.
As a result, many plug-ins contain unpatched security vulnerabilities that are tempting targets for attackers. The Mayhem malware is one example: IBM says it sought to compromise web servers through CMS vulnerabilities and then to brute-force weak or default credentials.
“After these web servers are compromised, they can be used to serve malware or carry out large-scale, high-bandwidth distributed-denial-of-service (DDoS) attacks against other sites and targets,” IBM wrote in its report. “For example, WordPress was used in an amplification DDoS attack in March 2014 that affected more than 162,000 sites.”
IBM also notes that the Common Vulnerability Scoring System (CVSS), under which 67 percent of this year's vulnerabilities are rated medium severity and 24 percent high, needs to be updated.
“The most obvious example of how some CVSS scores do not always represent true risk and impact to an organization is the Heartbleed vulnerability,” they explain. “As mentioned earlier in this report, Heartbleed was disclosed in April 2014, but it had actually existed for two years. This vulnerability received a CVSS base score of 5.0, which falls into the medium-risk level—along with 67 percent of all other vulnerabilities reported during the first half of 2014.”
“However, with the number of products impacted, the time and attention IT teams spent patching systems and responding to customer inquiries, as well as the potential sensitivity of data exposed, the true impact of the Heartbleed vulnerability was greater than the CVSS base score would indicate. This also brings to question what other vulnerabilities fell into the medium-risk category (CVSS base score 4.0 to 6.9) that may have been disregarded by organizations, but that also had potential large-scale impacts similar to Heartbleed.”
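To show where the 5.0 comes from, and why it could not have been much higher under CVSS v2 without changing the impact metrics, here is an added C implementation of the CVSS v2 base-score formula, written for this page and not part of IBM's report. The weights and formula are those of the CVSS v2 specification; the severity bands are NVD's. Heartbleed's NVD v2 vector is AV:N/AC:L/Au:N/C:P/I:N/A:N; the second vector, with confidentiality impact raised from partial to complete, is a hypothetical for comparison. Note that nothing in the base score accounts for how widely the affected software is deployed, which is the dimension IBM argues the score missed.

```c
#include <stdio.h>
#include <string.h>

/* CVSS v2 base-metric weights, as given in the CVSS v2 specification. */
#define AV_LOCAL     0.395
#define AV_ADJACENT  0.646
#define AV_NETWORK   1.0
#define AC_HIGH      0.35
#define AC_MEDIUM    0.61
#define AC_LOW       0.71
#define AU_MULTIPLE  0.45
#define AU_SINGLE    0.56
#define AU_NONE      0.704
#define IMP_NONE     0.0
#define IMP_PARTIAL  0.275
#define IMP_COMPLETE 0.660

typedef struct {
    double av, ac, au;   /* Access Vector, Access Complexity, Authentication */
    double c, i, a;      /* Confidentiality, Integrity, Availability impact */
} cvss2_vector;

/* CVSS v2 base score:
 *   Impact         = 10.41 * (1 - (1-C)(1-I)(1-A))
 *   Exploitability = 20 * AV * AC * Au
 *   Base           = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))
 * where f(Impact) is 0 when Impact is 0 and 1.176 otherwise. */
double cvss2_base_score(const cvss2_vector *v)
{
    double impact = 10.41 * (1.0 - (1.0 - v->c) * (1.0 - v->i) * (1.0 - v->a));
    double exploitability = 20.0 * v->av * v->ac * v->au;
    double f_impact = (impact == 0.0) ? 0.0 : 1.176;
    double raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact;
    /* Round half-up to one decimal without libm; base scores are never negative. */
    return (double)(long)(raw * 10.0 + 0.5) / 10.0;
}

/* NVD's severity bands for CVSS v2 base scores: 0-3.9 low, 4.0-6.9 medium, 7.0-10 high. */
const char *cvss2_severity(double score)
{
    if (score < 4.0) return "low";
    if (score < 7.0) return "medium";
    return "high";
}

/* Heartbleed as NVD scored it: network, low complexity, no authentication,
 * partial confidentiality loss, no integrity or availability impact. */
const cvss2_vector HEARTBLEED = { AV_NETWORK, AC_LOW, AU_NONE, IMP_PARTIAL, IMP_NONE, IMP_NONE };

/* Hypothetical: the same bug scored as a complete confidentiality loss (C:C). */
const cvss2_vector HEARTBLEED_C_COMPLETE = { AV_NETWORK, AC_LOW, AU_NONE, IMP_COMPLETE, IMP_NONE, IMP_NONE };

int main(void)
{
    double s = cvss2_base_score(&HEARTBLEED);
    double t = cvss2_base_score(&HEARTBLEED_C_COMPLETE);
    printf("AV:N/AC:L/Au:N/C:P/I:N/A:N -> %.1f (%s)\n", s, cvss2_severity(s));
    printf("AV:N/AC:L/Au:N/C:C/I:N/A:N -> %.1f (%s)\n", t, cvss2_severity(t));
    return 0;
}
```

Worked through by hand: exploitability is 20 × 1.0 × 0.71 × 0.704 = 9.9968, the maximum CVSS v2 allows, so the medium rating comes entirely from the impact term, 10.41 × 0.275 = 2.86; scoring the confidentiality loss as complete instead of partial would have lifted the result to 7.8 and into the high band. Breadth of deployment only enters CVSS v2 through the optional environmental metrics, which most organizations never fill in.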