OpenSSL Heartbleed Vulnerability Follow-up

May 13, 2014

It has been two weeks since the OpenSSL Heartbleed vulnerability was first released to the public. Dell SonicWALL firewall customers with an active Intrusion Prevention service received protection in the form of a signature update on April 8th, right after the vulnerability details came to public attention. A SonicAlert was released by the following day. Below are the latest IPS signatures found on the Dell SonicWALL firewalls that protect against the Heartbleed vulnerability:

  • 3616 OpenSSL Heartbleed Information Disclosure 1
  • 3638 OpenSSL Heartbleed Information Disclosure 2
  • 3652 OpenSSL Heartbleed Information Disclosure 3
  • 3653 OpenSSL Heartbleed Information Disclosure 4
  • 3661 OpenSSL Heartbleed Information Disclosure 5
  • 3663 OpenSSL Heartbleed Information Disclosure 6
  • 3744 OpenVPN Heartbleed Information Disclosure
  • 3734 Suspicious OpenSSL Heartbleed Traffic 1
  • 3735 Suspicious OpenSSL Heartbleed Traffic 2

Additionally, our research team has released protection against malware that claims to be a Heartbleed testing tool, please refer to SonicAlert. The malware and the associated Trojan are covered with the following malware signatures:

  • GAV: Zacom.A (Trojan)
  • GAV: Zacom.A_2 (Trojan)
  • IPS: 3686 Zacom heartbleed malware activity 1
  • IPS: 3688 Zacom heartbleed malware activity 2

For more security minded customers who want more comprehensive coverage, we have also issued IPS signatures that detect the SSL Heartbeat traffic:

  • 3706 OpenSSL Heartbeat 1

According to our sensors globally, we found that 58% of servers with SSL/TLS enabled are seeing OpenSSL Heartbeat traffic, with 33% of all observed hits being Heartbleed attack attempts. This count may include the hits recorded as IT managers test their servers for the Heartbleed vulnerability. The following chart demonstrates the number of servers behind Dell SonicWALL firewalls that are attacked on a daily basis.

Despite the declining number of servers being attacked in the above chart, the total number of attacks being performed daily continues to increase, as demonstrated by the next graph. This means that the density of the attacks is increasing, with the same servers getting hit more frequently.

Besides the telemetry data, some of the first evidence of hackers using Heartbleed has begun to surface this week, such as British parenting website Mumsnet with 1.5 million accounts potentially being compromised, Canadian Revenue Agency website leaking as many as 900 Canadian taxpayers info. Please refer to BBC News. Both facts indicate the vulnerability is still active and dangerous.

The following chart shows the country distribution with most targeted SSL servers.