April 2014 saw the worldwide public disclosure of the Heartbleed vulnerability (a difficult to detect and easy to exploit information disclosure issue) within the open source OpenSSL encryption library. Almost 3 years on, approximately 200,000 servers/devices remain vulnerable.
Shodan, the search engine that can detect vulnerable devices connected to the internet released these findings in their Heartbleed report during the weekend of January 21. The report highlights approximately 52,000 Apache web servers with version numbers 2.2.2 and 2.2.15 remain critically vulnerable. Amazon Web Services and Verizon Wireless were the largest hosts of these vulnerable systems with the United States being the location for the most vulnerable internet service providers (ISPs). Another significant finding of the report is that many organizations/businesses are unware their physical and virtual servers are vulnerable.
How Can I Protect Myself from This Vulnerability?
If you or someone in your organisation uses physical or virtual servers, please ensure these servers have all vendor security updates installed, specifically updates from OpenSSL. Unsupported web servers (physical or virtual) or software (which uses the OpenSSL libraries) should be upgraded/replaced. Moreover, OpenSSL versions prior to 1.0.2 are no longer supported; please upgrade to version 1.0.2 or 1.1.0.
Due to the increasing numbers of devices connected to the internet, organizations and individuals need to be aware if their devices or software are vulnerable. For example, earlier this month vulnerable MongoDB, Elastic Search, Hadoop and CouchDB servers. Any software that connects to the internet especially VPN (Virtual Private Network) (defined) software may be vulnerable to the Heartbleed vulnerability.
What is Shodan?
Shodan was originally created as a project in 2003 by a computer programmer John Matherly who launched the Shodan website in 2009. It is named after the enemy AI of the System Shock series of video games.
It is a search engine like Google, Bing and Yahoo but it isn’t searching for websites that best match the text that we enter. Instead it indexes and categorizes all devices connected to the internet. It does this by searching for and interpreting their banner e.g. Apache 2.4.3, OpenSSL/1.0.1c PHP/5.4.7
It is usually webservers that use such banners but many devices (e.g. FTP and mail servers) use banners to describe the services they offer, what operating system they are using e.g. Red Hat/Linux and the ports they have open e.g. 80 for HTTP, 443 for HTTPS, 21 for FTP, 25 for SMTP, 23 for Telnet, 22 for SSH etc. For example, we use ports 80 and 443 everyday as well port 25 for email.
What can it be used for?
- Shodan can be used to detect the types of devices on your network and what types of ports (entry points to and from those devices) they are using. This is good to know since you can then better secure them against possible attack. Shodan can also be used to look for and access any device that is poorly configured namely that it allows access to it’s configuration/admin page from the Internet.
- You can also use it to check if there are any unknown devices on your devices that arrived through social engineering e.g. a new router/access point in a conference room or shadow IT (devices installed by staff without the knowledge of the IT team).