By Antone Gonsalves, CSO | July 24th, 2014
Now that IT departments have fixed the Heartbleed bug in most internet-facing software, security pros have started debating the risk of not patching software buried deep in the data center.
CloudPhysics, which performs storage analytics on virtualized environments within companies, says 57 percent of VMware vCenter v.5.5 servers and 58 percent of VMware ESXi v5.5 hosts remain vulnerable to Heartbleed, even though a patch is available.
The bug does not affect other versions of the VMware products used in running virtualized software and databases.
“VMware posted customer advisories with regards to the OpenSSL security vulnerability in April of this year, outlining all the products potentially impacted at the time, as well as how customers can patch their environments,” the company said in an emailed statement.
The Heartbleed bug sent the IT industry into a patching tizzy when it was discovered in April within an OpenSSL library. The specification is the open-source implementation of the widely used Secure Sockets Layer protocol for encrypting data on IP networks.
Irfan Ahmad, chief technology officer of CloudPhysics, argues that failing to patch the VMware products is risky and companies should make applying the fix a high priority.
Otherwise, a hacker who compromised the laptop of an employee with access to the network where the software was running could exploit the vulnerability and access databases and business applications tied to the VMware products.
“When you’re dealing with infrastructure, people have this false sense of security that because it’s infrastructure it’s hard to get to,” Ahmad said. “But if you can unlock it as an attacker, you get access to everything.”
While the risk in undeniable, IT departments often have to weigh the chances of a hacker getting that deep in the network undiscovered with the disruption to the business of applying a patch to such critical software.
“In my experience, updating and upgrading ESX/ESXi is a job in itself, and often requires downtime and coordination with affected business units,” Mathew Gangwer, security architect for consultancy Rook Security, said.
So, if the ESXi system is on a protected segment of the network, is running critical applications and there is no redundant system to replace it when its taken down, then IT and security pros are likely skipping the patch, Gangwer said.
“It is a decision that IT and security teams are faced with, and could be a driver as to why there is still a high percentage of ESXi hosts still unpatched,” he said.
As time goes on, the threat could rise, if cybercriminals decide that malware exploiting infrastructure software through Heartbleed would be profitable.
Tom Gorup, manager of Rook’s security operations center, said it’s possible a hacker could automate an attack by packaging Heartbleed scripts within an exploit kit.
“We haven’t seen this method of attack yet, but as more and more data comes out showing a lack of internal patching and response, it’s not too far-fetched that we might see someone get creative,” Gorup said.