Who's to blame for 'catastrophic' Heartbleed Bug?

German software engineer steps forward to take blame for OpenSSL mistake, but issue goes wider

The Heartbleed Bug, a flaw in the OpenSSL library that lets attackers read a server's memory and so eavesdrop on Web, e-mail and some VPN communications protected by OpenSSL, has sent companies scurrying to patch servers and reissue digital certificates, and users to change their passwords. But who's to blame for this flaw in an open-source library that some say could also affect routers and even mobile devices?

A German software engineer named Robin Seggelmann of Munster, Germany has reportedly accepted responsibility for introducing what experts are calling a mistake of catastrophic proportions into OpenSSL, the open-source cryptographic library used by millions of websites and servers. The flaw leaves them open to theft of data and passwords, and many think it has already been exploited by cyber-criminals and government intelligence agencies.

“Half a million websites are vulnerable, including my own,” wrote security expert Bruce Schneier in his blog, pointing to a tool to test for the Heartbleed Bug vulnerability. He described Heartbleed as a “catastrophic bug” in OpenSSL because it “allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.” It compromises secret keys used to identify service providers and encrypt traffic, he pointed out. “This means anything in memory—SSL private keys, user keys, anything—is vulnerable.”


The Heartbleed Bug was discovered by security analysts from Google and Codenomicon and disclosed by the OpenSSL project on April 7 in an OpenSSL security advisory, together with a fix prepared by OpenSSL contributors Adam Langley and Bodo Moeller. Across the world, companies and vendors have been scrambling either to patch their systems or to assure users that their services weren’t using OpenSSL.

Microsoft for example, issued an advisory that “Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.”

But Microsoft added, “However, if you are using Microsoft Azure’s IaaS to host Linux images, then you should make sure that your OpenSSL implementation is not vulnerable.”

Twitter also said its services weren’t affected by Heartbleed. Websites including Yahoo Mail and Yahoo Messenger, however, were. As stories about the Heartbleed Bug filled the news, there was widespread concern and bewilderment among the general public, and it wasn’t uncommon to hear the problem described as a computer virus rather than a software flaw.

Mobile security firm Lookout Security said its main website wasn’t impacted by the Heartbleed Bug but some of its other Internet-facing infrastructure was. Lookout was busy patching systems and swapping out digital certificates. Lookout also believes that not just server but client software also may face Heartbleed vulnerabilities, including Android mobile devices.

So who’s to blame for the Heartbleed Bug?

Seggelmann takes the blame for introducing the flaw into OpenSSL two years ago, by mistake, while adding new features. An article quotes him as saying he “missed validating a variable containing a length,” and that the oversight, “though trivial,” was a simple error. In other words, the heartbeat code trusted the payload length the sender claimed in the message rather than checking it against the data that had actually arrived, so a request could ask for far more bytes back than it sent.
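The missing check Seggelmann describes, as an added example that is not OpenSSL's code: a self-contained C model of the TLS heartbeat handler before and after the fix. The record layout (one type byte, a 16-bit payload length, the payload, 16 bytes of padding), the two bounds checks and the "silently discard" behaviour follow RFC 6520 and the published fix; the simulated heap, the constructed fake key and the helper names (build_request, attack_leaks, benign_response_len) are assumptions made for this demonstration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat message types and padding length from RFC 6520. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING_LEN  16

/* Simulated process heap (a demo assumption, not how OpenSSL allocates): the
 * request sits at the front, followed by a constructed fake key that stands in
 * for other live data. Every read stays inside this array. */
#define HEAP_SIZE 70000
static unsigned char heap[HEAP_SIZE], resp[HEAP_SIZE];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed sample)";
typedef long (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Place a heartbeat request in the simulated heap; return the record length the
 * TLS layer reports (s->s3->rrec.length in OpenSSL). The claimed 16-bit length
 * and the bytes actually sent may disagree. */
static size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t actual_len = strlen(payload);
    memset(heap, 0, sizeof heap);
    heap[0] = TLS1_HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, payload, actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING_LEN; /* padding left as zeros */
    memcpy(heap + rec_len, SECRET, sizeof SECRET);    /* "adjacent" heap data */
    return rec_len;
}

/* Shared by both handlers: echo `payload` bytes from `pl`, whether or not that
 * many bytes actually arrived. Returns bytes written, or -1 if out is too small. */
static long write_response(const unsigned char *pl, size_t payload,
                           unsigned char *out, size_t out_cap)
{
    size_t out_len = 1 + 2 + payload + HB_PADDING_LEN;
    if (out_len > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0, HB_PADDING_LEN); /* OpenSSL uses random bytes */
    return (long)out_len;
}

/* Pre-fix shape: the length field is trusted and rec_len is never consulted,
 * so up to 64 KiB beyond the request is copied into the response. */
static long heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                    /* the missing check */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* n2s(p, payload) */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    return write_response(rec + 3, payload, out, out_cap);
}

/* The two bounds checks the fix added: header + padding must fit the record,
 * then header + claimed payload + padding; otherwise silently discard
 * (RFC 6520 section 4). */
static long heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING_LEN > rec_len) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING_LEN > rec_len) return 0;
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    return write_response(rec + 3, payload, out, out_cap);
}

/* 1 if SECRET appears anywhere in the first `len` bytes of `buf`. */
static int contains_secret(const unsigned char *buf, long len)
{
    for (long i = 0, n = (long)strlen(SECRET); i + n <= len; i++)
        if (memcmp(buf + i, SECRET, (size_t)n) == 0) return 1;
    return 0;
}

/* Send 4 bytes while claiming 65535: does the response carry the secret? */
static int attack_leaks(hb_handler handler)
{
    return contains_secret(resp, handler(heap, build_request(0xffff, "ping"), resp, sizeof resp));
}

/* A well-formed 4-byte request: response length, or 0 if discarded. */
static long benign_response_len(hb_handler handler)
{
    return handler(heap, build_request(4, "ping"), resp, sizeof resp);
}

int main(void)
{
    printf("leaks secret? vulnerable=%d fixed=%d\n",
           attack_leaks(heartbeat_vulnerable), attack_leaks(heartbeat_fixed));
    printf("fixed handler, valid request: %ld bytes echoed\n", benign_response_len(heartbeat_fixed));
    return 0;
}
```

Compile with `cc -Wall heartbleed_demo.c && ./a.out`. Two things worth noticing: the leak per request is bounded only by the 16-bit length field, so a client can pull almost 64 KiB of whatever happened to sit after the record on every heartbeat, which is how keys, session cookies and passwords turned up in real responses; and the entire fix is two comparisons against the record length, which is why the error is being called trivial even though its consequences were not.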

Is the mistake with this enormous consequence to the whole of Internet security an indictment of the open-source code-vetting process? Responses to that question are mixed.

“A mistake was made and quickly corrected,” says Dodi Glenn, senior director, security intelligence and research labs, ThreatTrack Security. Software has bugs all the time, he points out. “Given enough time, effort and money, someone can find a vulnerability in nearly every piece of software. After all, humans are the ones who coded it.”

But Glenn added that “open source technologies should be better funded. Perhaps, if this had more support than it currently does, this vulnerability could have been caught sooner.”

Wayne Jackson, CEO of Sonatype, says the flaw in OpenSSL was introduced in version 1.0.1 in March of 2012. “This is not a failing of any standards body, more likely a simple coding error,” Jackson says. “Among other things, this event highlights the unfortunate reality that nearly all software will be found to be defective over time. The fact that this took two years to surface is not unusual.”

However, he noted that the scope of the Heartbleed Bug’s impact is very wide indeed, much wider than is generally being reported.

“OpenSSL is embedded in a huge array of technologies -- routers, wifi, hubs, firewalls, control systems,” and much more, he noted. And these are not necessarily easy to update, nor updated often. “This issue will be with us for a long, long time,” he adds.

Jackson also says a lesson to be drawn from the Heartbleed Bug is that “we as an industry have dramatically underinvested in software integrity and generally ignored, from a security perspective, the open source building blocks on which the Internet functions. Open source is everywhere. It is the foundation of all modern software applications.”

Have cyber-criminals or government spy agencies been exploiting the Heartbleed Bug to steal data?

Of course, many are wondering whether attackers are exploiting the newly disclosed vulnerability, and some honeypots have been set up to monitor the Internet and identify live attacks. Many also wonder whether an intelligence agency, such as the National Security Agency, deliberately inserted the bug into OpenSSL, though there is no evidence of that. Experts like Schneier say it’s an important question but probably not the case with Heartbleed.

The civil liberties group Electronic Frontier Foundation said it is worrying that “blackhats and/or intelligence agencies may have had a long period when they knew about the attack and could use it at their leisure.”

Tatu Ylonen, inventor of the SSH protocol and CEO and founder of SSH Communications Security, says about the Heartbleed Bug vulnerability that “an attacker can use it to obtain the encryption keys used by a website, allowing the attacker or spy agency to read all communications. It can practically be used to obtain the server private key used for securing the server and communications to it, essentially breaching the certificates used for protecting the website, which in turn allows decrypting past sessions as well as performing man-in-the-middle attacks (including banking fraud and identity theft) in most cases.”

Ylonen says an estimated 66% of the world’s websites run software that uses the vulnerable library, though it’s not known what percentage of them use SSL encryption. Not only are the vast majority of the world’s most popular websites and social networking sites impacted by Heartbleed, “thousands of commercial applications ship with the vulnerable OpenSSL libraries and are vulnerable,” he points out.

The bottom line, Ylonen says, is “enterprises and vendors thus need to check whether their software is vulnerable and take appropriate corrective steps urgently.”

Ylonen says it's possible that international intelligence agencies will start routinely recording all traffic to exploit the vulnerability, if they haven’t done so already. He adds that the “SSH protocol widely used today for system administration is not affected” by the Heartbleed Bug.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com

Copyright © 2014 IDG Communications, Inc.
