The Heartbleed security vulnerability was unquestionably one of the most significant cybersecurity-related discoveries in recent years. OpenSSL was and remains one of the most popular open source solutions in use around the world, and, consequently, Heartbleed posed a serious risk to a huge percentage of all content on the Internet.
In the wake of Heartbleed, serious debates have emerged concerning whether open source solutions are as secure as was previously believed. Many security experts argued that Heartbleed was an isolated incident, one which should not be read as carrying significance for open source's overall cybersecurity capabilities.
However, TechRepublic contributor Frank Ohlhorst recently asserted that Heartbleed was just the beginning, rather than an anomaly, as more vulnerabilities continue to be discovered.
A worrying trend
Ohlhorst noted that the OpenSSL project recently announced the discovery of six more vulnerabilities. These flaws include denial of service, potential remote code execution and information disclosure. As he explained, all of these should be worrying for firms using OpenSSL's cryptographic capabilities to secure corporate IT resources.
Ohlhorst went on to describe in detail two of the most serious vulnerabilities highlighted by OpenSSL. The first, CVE-2014-0195, was described by OpenSSL as "[a] buffer overrun attack [that] can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server." This, Ohlhorst explained, suggests that any organization utilizing DTLS should be wary of such an attack and take proactive steps to shore up its security.
The second vulnerability, CVE-2014-0224, can pose a major problem for firms, but only if both the client and server are running vulnerable versions of OpenSSL – the flaw is irrelevant unless the affected SSL/TLS component is present on both sides. On the one hand, this limits the impact of the vulnerability in question. However, as Ohlhorst explained, this does not make the flaw meaningless.
"Nonetheless, there are situations where SSL/TLS and OpenSSL are quite common, take for example public WiFi hot spots and open source VPNs," he wrote. "Simply put, there are a whole lot of applications using OpenSSL as evidenced by the impact of Heartbleed."
The writer recommended that firms worried about these issues instruct their users to avoid unencrypted public WiFi and to implement software patches frequently – sound advice for cybersecurity in general. He noted that many OpenSSL vendors are now hurrying to release updates that can counteract these and all other identified flaws.
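Two checks follow from the points above: whether an installed OpenSSL build is at or above the release that fixed the advisory for its branch, and, for CVE-2014-0224, whether both endpoints of a connection are still unpatched. The following is an added example written for this article, not code from the article, from Ohlhorst or from the OpenSSL project; the fixed-release table it uses is a constructed placeholder, and the real thresholds must be taken from the OpenSSL advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Matches "1.0.1g" inside strings such as "OpenSSL 1.0.1g 7 Apr 2014".
# OpenSSL's letter suffix orders lexicographically, so an empty suffix
# ("1.0.1") sorts before "1.0.1a", and "0.9.8z" before "0.9.8za".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, str]


def parse_openssl_version(text: str) -> Version:
    """Extract an OpenSSL version from `openssl version` output or a bare string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_patched(installed: str, fixed_by_branch: Dict[str, str]) -> Optional[bool]:
    """True if `installed` is at or above its branch's fixed release, False if
    below, None if the branch is not in the table (status unknown)."""
    v = parse_openssl_version(installed)
    branch = f"{v[0]}.{v[1]}.{v[2]}"
    fixed = fixed_by_branch.get(branch)
    if fixed is None:
        return None
    return v >= parse_openssl_version(fixed)


def connection_exposed(client: str, server: str, fixed_by_branch: Dict[str, str]) -> bool:
    """CVE-2014-0224 needs vulnerable code on both ends: exposed only when
    neither side is confirmed patched. An unknown branch is treated as
    unpatched, which is the conservative reading for an inventory check."""
    client_ok = is_patched(client, fixed_by_branch) is True
    server_ok = is_patched(server, fixed_by_branch) is True
    return not (client_ok or server_ok)


# Constructed placeholder thresholds for this example (hypothetical letters),
# NOT the advisory's actual fixed releases: replace with the advisory's values.
EXAMPLE_FIXED = {"1.0.1": "1.0.1z", "1.0.0": "1.0.0z", "0.9.8": "0.9.8zz"}

if __name__ == "__main__":
    sample = "OpenSSL 1.0.1g 7 Apr 2014"  # constructed `openssl version` output
    print(sample, "patched:", is_patched(sample, EXAMPLE_FIXED))
    print("both ends 1.0.1g exposed:", connection_exposed("1.0.1g", "1.0.1g", EXAMPLE_FIXED))
```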
However, the number and scope of these and other recently highlighted open source issues suggest that businesses may need more proactive measures to ensure the security of their open source efforts.
To this end, organizations should consider embracing high-quality scanning and governance solutions. These resources can have a major impact, greatly improving the overall quality of a company's cybersecurity as it seeks to take advantage of open source's flexibility and cost-efficiency.