Many servers still appear to be vulnerable to Heartbleed bug


A scan of the entire IPv4 address space with the masscan port scanner found 318,000 systems still susceptible to the Heartbleed bug in OpenSSL. Shortly after the vulnerability came to light, 615,000 systems were still vulnerable.

The results of researcher Robert Graham, developer of the fast masscan port scanner, suggest that the number of vulnerable servers has decreased, but this cannot be said with certainty. The scan, which covered only HTTPS port 443, found 22 million servers supporting SSL; the previous scan had found 28 million.

Firewalls may have blocked Graham's attempts to test servers for the Heartbleed bug, or his own ISP's link may have been congested. In any case, it is certain that many servers are still vulnerable to the Heartbleed bug.

Remarkably, Graham found 1.5 million systems with the heartbeat extension enabled, the extension in which the vulnerability resides. A day after the bug was disclosed he had found only a million systems with the heartbeat extension enabled. Graham believes many sysadmins disabled heartbeat on their servers until a fix was available.

The Heartbleed bug came to light a month ago. It allows a malicious party to send a specially crafted request to an OpenSSL server, which answers with part of its internal memory. In theory, this means that private keys, unencrypted passwords and other sensitive information can be exposed.
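As an added illustration of the check an intrusion-detection rule performs for the request described above (example code written for this page, not from the article or from Graham's masscan): it parses a TLS heartbeat record and flags one whose declared payload length exceeds the bytes actually carried, which is the mismatch an unpatched OpenSSL answered with memory contents. The sample records are constructed, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for the heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER_LEN = 3             # 1-byte message type + 2-byte payload_length


def parse_tls_record(data: bytes):
    """Split one raw TLS record into (content_type, version, body); None if truncated."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return None
    return ctype, version, body


def is_oversized_heartbeat(record: bytes) -> bool:
    """True when a heartbeat message claims more payload than the record contains.

    A conforming peer sends payload_length bytes of payload plus padding; an
    unpatched OpenSSL trusted payload_length and echoed that many bytes back,
    so this length mismatch is the detection signal, not any particular payload.
    """
    parsed = parse_tls_record(record)
    if parsed is None:
        return False
    ctype, _version, body = parsed
    if ctype != TLS_HEARTBEAT or len(body) < HB_HEADER_LEN:
        return False
    hb_type, payload_len = struct.unpack("!BH", body[:HB_HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False
    return payload_len > len(body) - HB_HEADER_LEN


def find_oversized_heartbeats(stream: bytes):
    """Walk back-to-back TLS records in a buffer; return offsets of suspect heartbeats."""
    offsets, pos = [], 0
    while (parsed := parse_tls_record(stream[pos:])) is not None:
        record_len = 5 + len(parsed[2])
        if is_oversized_heartbeat(stream[pos:pos + record_len]):
            offsets.append(pos)
        pos += record_len
    return offsets


# Constructed sample records (hypothetical, not captured traffic).
BENIGN_HB = bytes.fromhex("1803020016" "010003616263" + "00" * 16)   # 3-byte payload + 16 padding
OVERSIZED_HB = bytes.fromhex("1803020003" "014000")                   # claims 16384 bytes, carries 0
APP_DATA = bytes.fromhex("1703020005" "68656c6c6f")                   # ordinary application data
```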
