We can all agree that the Heartbleed vulnerability is epic, not just for server side data leakage but for the client side attack vectors as well (yes, a Metasploit module is coming) … But I consider this vulnerability an InfoSec community success story that bridged the gap between engineers and management.

Never in Internet history has a vulnerability been marketed so flawlessly. A hard hitting name, effective logo, and informative website that clearly communicates to both business and technical minds.

So when a manager asked an OPs team to do X, you could point to Y and say “Sorry, I am busy patching”, and the urgency was understood.

If we look over the timeline, the evolution of this saga is even more impressive: when the internet moves, it moves fast!

Heartbleed Timeline

  • T-1 Week: Major service providers are given a heads up and patch (Cloudflare, Facebook, Akamai, etc.)
  • April 8th: News breaks early morning; the actual OpenSSL bug announcement was ~17:30 on the 7th of April.
  • T+2h: Snort signature to detect vulnerable OpenSSL versions available
  • T+3h: By lunch time, PoC code available on GitHub to test vulnerability status
  • T+4h: Top 1000 Alexa ranked sites and their vulnerability status released by former LulzSec member Mustafa Al-Bassam
  • T+5h: Mid afternoon, PoC code to pull a session cookie for use in session hijacking
  • T+8h: Evening time and significant uptake of patches; pretty much every OPs team aware and rolling out patches.
  • 9th April: #heartbleed trending on Twitter, the most discussed news item in IT news media

Colour me impressed: from bug release to the majority of major public websites patched in a single day.

Now if only the same could be done with vendor appliances. Think of how many of your appliances use vulnerable versions of OpenSSL.

Speaking of appliances, it has been confirmed that HP ArcSight products are NOT vulnerable.

In appliances that run RHEL or CentOS 6.5 (Logger 5.5 only), HP distributes OpenSSL 1.0.1e, which is vulnerable and thus would come up in version-based scans. However, that library is not used by their software, so the system itself is not vulnerable; work is being done to move to a non-vulnerable library.

In all HP ArcSight software products, version 0.9.8r of the OpenSSL library is used, which is not vulnerable.

If more vulnerabilities are marketed and communicated in this slick fashion in the future, we may live in a slightly less vulnerable world.
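The ArcSight case above is the classic scanner false positive: a vulnerable OpenSSL package is installed, but nothing on the box actually loads it. The following is an added triage helper, not code from the original post or from HP, that combines the two signals a defender needs: whether the reported version falls in the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 0.9.8 and 1.0.0 never had the heartbeat extension) and whether any running process has a libssl shared object mapped in /proc/<pid>/maps. The sample maps content and the pid numbers are constructed for illustration.

```python
"""Triage a Heartbleed version hit: is the flagged OpenSSL actually loaded?"""
import re
from pathlib import Path

# Accepts "1.0.1e", "1.0.2-beta1" or the full `openssl version` banner.
VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")

def heartbleed_vulnerable(version: str) -> bool:
    """True for 1.0.1 .. 1.0.1f and 1.0.2-beta1; 1.0.1g fixed it, older branches unaffected."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter, beta = m.groups()
    base = (int(major), int(minor), int(patch))
    if base == (1, 0, 1):
        return letter == "" or letter <= "f"
    if base == (1, 0, 2):
        return beta == "1"
    return False

def libssl_paths_in_maps(maps_text: str) -> set[str]:
    """Distinct libssl shared objects mapped by one process (content of /proc/<pid>/maps).
    Caveat: a statically linked or privately bundled OpenSSL will not show up here."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # address perms offset dev inode [pathname]
        if len(fields) == 6 and "libssl.so" in Path(fields[5]).name:
            paths.add(fields[5])
    return paths

def read_live_maps(proc: str = "/proc") -> dict[int, str]:
    """Collect maps for every readable process on a Linux host (needs root for other users)."""
    maps = {}
    for d in Path(proc).iterdir():
        if d.name.isdigit():
            try:
                maps[int(d.name)] = (d / "maps").read_text()
            except OSError:
                continue  # process exited or not ours to read
    return maps

def triage(installed_version: str, maps_by_pid: dict[int, str]) -> str:
    """Combine both signals the way the ArcSight case above was argued."""
    if not heartbleed_vulnerable(installed_version):
        return "not vulnerable"
    loaded = sorted(pid for pid, text in maps_by_pid.items() if libssl_paths_in_maps(text))
    if not loaded:
        return "vulnerable library installed but not loaded by any process"
    return f"vulnerable and loaded by pids {loaded}"

# Constructed sample: a RHEL 6 style process that has the vulnerable libssl mapped.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c021000 r-xp 00000000 fd:01 131245   /usr/lib64/libssl.so.1.0.1e
7f3a1c021000-7f3a1c221000 ---p 00021000 fd:01 131245   /usr/lib64/libssl.so.1.0.1e
7ffd5e3f0000-7ffd5e411000 rw-p 00000000 00:00 0        [stack]
"""

if __name__ == "__main__":
    print(triage("OpenSSL 1.0.1e-fips 11 Feb 2013", read_live_maps()))
```

Run it on the appliance itself alongside the package version from `openssl version`; a "not loaded" result still warrants confirming the software does not bundle its own copy of the library.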

Some may remember a long lost CVE aka “The last big one”, but the masses will not. The gap needs to be bridged to encourage patching, and I feel this approach has nailed it; everyone loves good branding. So until the next major 2014 bug hits (insert epic futuristic bug name here), patch your things, revoke and reissue your certificates, then change all your passwords.