Exactly one year has passed since the CVE-2014-0160 vulnerability (aka Heartbleed) was discovered, explained and solved. The problem was identified and reported by Riku, Antti and Matti (security engineers from Codenomicon) and Neel Mehta from Google Security.

Are you still vulnerable to the CVE-2014-0160?


What is it about and how to fix it

Many experts have taken their time to look into this vulnerability. Heartbleed affects a whole protocol and not just an implementation of it. That’s why organisations are expected to put their efforts into having a good vulnerability assessment and remediation plan in place, rather than applying a patch to solve the problem.

A vast literature was produced about it and an exhaustive website was built ad hoc, from which we quote a few extracts:

"This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."

As you can read in this description, the problem lies in SSL/TLS (TLS version 1.3 is currently in draft mode). When the Heartbeat Extension (RFC 6520) for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols is attacked, the attacker has the chance to read data flowing back and forth between servers and clients.
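To make the Heartbeat Extension concrete, here is an added example (not code from the original post, and not OpenSSL's code) of a parser for the RFC 6520 heartbeat message format: a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding. The defensive point is the single check that the advertised payload length must fit inside the bytes actually received; a message that fails it is discarded silently, as the RFC requires, and a response only ever echoes bytes that were really present. The function and constant names are this example's own.

```python
import os
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 6520 values: message types and the minimum padding a message must carry.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
# RFC 6520 section 4: a heartbeat message must not exceed 2^14 bytes.
MAX_HEARTBEAT_LENGTH = 1 << 14


@dataclass
class HeartbeatMessage:
    msg_type: int
    payload: bytes
    padding_length: int


def parse_heartbeat(record: bytes) -> Optional[HeartbeatMessage]:
    """Parse the body of a TLS heartbeat record.

    Returns None for anything malformed; the RFC says such messages are
    to be discarded silently, so the caller simply sends nothing back.
    """
    if len(record) < 3 or len(record) > MAX_HEARTBEAT_LENGTH:
        return None
    msg_type, payload_length = struct.unpack("!BH", record[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The essential bounds check: the sender's claimed payload length must be
    # covered by the bytes we actually received, with room for the padding.
    # Trusting payload_length instead of len(record) is what leaks memory.
    padding_length = len(record) - 3 - payload_length
    if padding_length < MIN_PADDING:
        return None
    payload = record[3:3 + payload_length]
    return HeartbeatMessage(msg_type, payload, padding_length)


def build_heartbeat(msg_type: int, payload: bytes,
                    padding_length: int = MIN_PADDING) -> bytes:
    """Serialise a heartbeat message with random padding (padding is ignored on receipt)."""
    if padding_length < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    record = struct.pack("!BH", msg_type, len(payload)) + payload + os.urandom(padding_length)
    if len(record) > MAX_HEARTBEAT_LENGTH:
        raise ValueError("heartbeat message too long")
    return record


def build_response(record: bytes) -> Optional[bytes]:
    """Answer a heartbeat request by echoing only the payload that was really received."""
    msg = parse_heartbeat(record)
    if msg is None or msg.msg_type != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, msg.payload)


if __name__ == "__main__":
    # Constructed inputs: a well-formed request and one whose header claims a
    # far larger payload than the record contains.
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    bad = b"\x01\xff\xff" + b"ping" + b"\x00" * MIN_PADDING
    print("good request ->", parse_heartbeat(build_response(good)))
    print("bad request  ->", build_response(bad))
```

The response is built from the parsed payload, never from the length field, so the worst a malformed request can obtain is silence.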

"This COULD allow attackers to eavesdrop on communications, steal data directly from the services that might be used to impersonate services and users."

Unfortunately, as so often happens when it comes to cyber security and vulnerabilities, the bell was ringing but not many organisations heard it. Experts from all over the world have brought proof and drawn attention to the risks that customers face when interacting with businesses that haven't done their homework.

The situation one year later

Venafi recently published a useful report about the status of the Heartbleed vulnerability. Their paper makes a few important points that everyone should take home and treasure. We are talking, of course, to security experts (CISOs, IT Managers etc.) and to anyone working in the security department of a company who needs to apply the right solution to this terrible bug. This message should also be read by CEOs, CFOs and CMOs, because a company's finances can be affected by this kind of vulnerability, with consequent damage to its image.

Venafi's report opens with a painful truth:

"As of April 2015, 74% of the Global 2000 with public-facing vulnerable systems are still vulnerable.
That’s only a 2% improvement in 8 months [..]"

This means that 1,223 out of the 1,642 public-facing organizations present in the Forbes Global 2000 from 2014 are vulnerable to CVE-2014-0160: 74% in April 2015 against 75% in April 2014. Heartbleed is not a simple "patch-it" bug; fixing it requires experts and skills.

Take a look at this link and test your server, you might be vulnerable to CVE-2014-0160.

How does all this affect your PCI Compliance?

Would you complete a purchase or a transaction on a website if you knew that the server hosting it is still vulnerable to Heartbleed? It takes a sharp customer just a second to open one of the many free testing apps, enter the URL of your eCommerce website and check whether you're vulnerable, before providing you with their credit card details.

PCI Compliance is all about payments. If your data is not protected you can neither achieve nor maintain PCI DSS Compliance. This is a major problem for organisations that store, process or transmit cardholder data.

Following the discovery of such vulnerabilities during 2014 (think also of POODLE), the PCI SSC decided to release a new version of the security standard (PCI DSS 3.1) earlier than expected. The new version was originally due in 2016, but the threat landscape has changed. It will come with a few adjustments, including new rules about encryption of CardHolder Data in transit, which is likely to affect the usage of protocols like SSL.

This is a clear signal from the PCI Council: invest in Information Security and CardHolder Data Protection, and make sure your customers can trust you and use your services freely.

Get your vulnerability assessment and remediation plan up to speed

If you care about the security of your network and the protection of your customers' data, you need to come up with a clear action plan and apply it as soon as possible.

[Figure: Heartbleed status by country, from the Venafi report, April 2015]

This graph shows how, on average, some countries have reacted to the vulnerability. Even though the share of vulnerable organisations in Germany, the U.S., the UK and the Netherlands is below the global average (meaning that organisations in these countries did better than the 75% of the total analysed in the Venafi report), we should ask ourselves: "how many organizations are still vulnerable and how much data is still exposed?".

There are a few basic steps, suggested in the Venafi report, to keep in mind when remediating the CVE-2014-0160 bug:

  • Know where all keys and certificates are located
  • Generate new keys and certificates
  • Replace the old keys and certificates with the new ones, and revoke the old ones
  • Validate remediation to ensure new keys and certificates are in place and working
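The last step is the one most often skipped, so here is an added example (this is illustrative code, not the Venafi report's tooling or Advantio's) of how the validation could be scripted. It compares a pre-remediation inventory of hosts with a post-remediation one and flags the failure modes behind the steps above: a host missing from either inventory (step one not done), a certificate reissued on the same public key (step two not done), an old certificate that was neither replaced nor revoked (step three not done), and a certificate issued before the fix date. The hostnames, fingerprints, serials and fix date are constructed sample data; the record fields assume you have already collected each host's public-key fingerprint, NotBefore date and serial with your usual certificate tooling.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class CertRecord:
    host: str
    key_fingerprint: str  # fingerprint of the SubjectPublicKeyInfo, e.g. SHA-256 hex
    not_before: date      # the certificate's NotBefore field
    serial: str           # the certificate serial number


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str


def validate_remediation(before: List[CertRecord], after: List[CertRecord],
                         revoked_serials: Set[str], fix_date: date) -> List[Finding]:
    """Return one Finding per remediation gap found between the two inventories."""
    findings: List[Finding] = []
    old_by_host: Dict[str, CertRecord] = {r.host: r for r in before}
    seen_after = {r.host for r in after}

    for cur in after:
        old = old_by_host.get(cur.host)
        if old is None:
            # Step 1 gap: we are serving a certificate we never inventoried.
            findings.append(Finding(cur.host, "host absent from pre-remediation inventory"))
            continue
        if cur.serial == old.serial:
            # Step 3 gap: still serving the exact certificate from before the fix.
            findings.append(Finding(cur.host, "certificate not replaced"))
            continue
        if cur.key_fingerprint == old.key_fingerprint:
            # Step 2 gap: new certificate, but the possibly exposed key was kept.
            findings.append(Finding(cur.host, "private key not rotated (same public key)"))
        if cur.not_before < fix_date:
            # A certificate minted before the fix cannot prove a post-fix key.
            findings.append(Finding(cur.host, "certificate issued before fix date"))
        if old.serial not in revoked_serials:
            # Step 3 gap: the replaced certificate still validates if stolen.
            findings.append(Finding(cur.host, f"old certificate serial {old.serial} not revoked"))

    for old in before:
        if old.host not in seen_after:
            # Step 4 gap: nothing was re-checked on this host.
            findings.append(Finding(old.host, "host absent from post-remediation inventory"))
    return findings


def findings_by_host(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group issues per host for a readable report."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        report.setdefault(f.host, []).append(f.issue)
    return report


# Constructed sample inventories: one host remediated correctly, one reissued on
# the same key without revoking the old certificate, one left untouched.
FIX_DATE = date(2014, 4, 10)  # constructed: the day this organisation patched OpenSSL
BEFORE = [
    CertRecord("shop.example.com", "aa11", date(2013, 6, 1), "1001"),
    CertRecord("api.example.com", "bb22", date(2013, 9, 15), "1002"),
    CertRecord("mail.example.com", "cc33", date(2013, 1, 20), "1003"),
]
AFTER = [
    CertRecord("shop.example.com", "dd44", date(2014, 4, 12), "2001"),
    CertRecord("api.example.com", "bb22", date(2014, 4, 12), "2002"),
    CertRecord("mail.example.com", "cc33", date(2013, 1, 20), "1003"),
]
REVOKED = {"1001"}


def run_example() -> Dict[str, List[str]]:
    return findings_by_host(validate_remediation(BEFORE, AFTER, REVOKED, FIX_DATE))


if __name__ == "__main__":
    for host, issues in run_example().items():
        print(host, "->", "; ".join(issues))
```

A clean host produces no entry at all, so an empty report is the "remediation validated" signal; anything else is a host to go back to.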

Get started with your remediation plan

Promptness in applying a vulnerability assessment and remediation plan should not always be a reaction to a newly discovered bug. Security is a general approach, a way of life that each organisation should adopt to continually protect CardHolder Data, the most valuable asset for a business.

Advantio is a team of trained QSAs. We can help you to achieve and maintain PCI DSS Compliance and help you reduce the security risks that you face every day. Get in touch with us to learn more about our services.

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking a simple language and trying to show readers the benefit of IT Security best practices.