[BreachExchange] Two Year Anniversary for Heartbleed: Still Many Vulnerable Devices

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 8 15:17:23 EDT 2016


https://www.riskbasedsecurity.com/2016/04/two-year-anniversary-for-heartbleed-still-many-vulnerable-devices/

Yesterday was the two year anniversary for Heartbleed
<http://heartbleed.com/>, the ‘named’ vulnerability that received a huge
amount of attention. While not the first to be named, it started the now
(in)famous trend of researchers naming their vulnerability discoveries to
get attention, and it also led to a positive change: vendors and
enterprises started focusing more on vulnerabilities in 3rd-party libraries.
Doing a search on Shodan.io <http://shodan.io/>, there are currently
224,858 Internet connected systems still vulnerable to Heartbleed. The top
5 countries are United States, Germany, China, France, and United Kingdom
in that order.

Digging a bit more into the results, many of the affected systems are
actually appliances or devices that either haven’t been patched or do not
even have patches available. Of these, we found a lot of Fortinet
appliances, but also many vulnerable DVR systems from various vendors
including Hikvision, ABUS, Swann, and FLIR Lorex. We also found
vulnerable Polycom SoundPoint IP phones, various access points and routers,
WatchGuard firewalls, Western Digital, Synology, and QNAP storage devices,
digital signage, and printers.

There are several tools available <https://filippo.io/Heartbleed/> to check
if your servers and devices <https://www.ssllabs.com/ssltest/> are still
affected by Heartbleed. Every organization should test to ensure you do not
have sensitive devices spilling too much information to attackers via the
Internet. If you do, make sure to apply the latest firmware updates if any
are available from your vendor. If your vendor still has not released
updates, you should question how serious the vendor is about security.

Tracking vulnerabilities in 3rd-party libraries is critical not only for
device vendors, who bundle these in their products, but also for enterprises
using these products, so they understand when they are vulnerable. It may be a
painful task, but it is important to do.

We continue to invest heavily into our VulnDB solution to assist
organizations that need help monitoring vulnerabilities
<http://www.riskbasedsecurity.com/vulndb/> affecting devices in their
infrastructure, with a significant focus on 3rd-party libraries.