The Heartbleed OpenSSL flaw remains unpatched on nearly 200,000 servers and devices, according to the connected-device search engine Shodan.
The company’s Heartbleed Report, released in January, shows that 52,000 Apache HTTPD servers are among those still vulnerable and exposed to the internet, nearly three years after the vulnerability was disclosed and fixes were released in April 2014. The number of servers vulnerable to Heartbleed had been halved by June 2014.
The report shows that more than one in five of the vulnerable servers (42,032) are located in the United States, with AWS hosting the highest number, 6,375, followed by Verizon (4,328). The country with the next most vulnerable devices is South Korea with 15,380, more than 40 percent of them (6,376) belonging to SK Broadband.
“The initial media blizzard for Heartbleed helped secure hundreds of thousands of devices (from 600,000 down to 200,000) but the subsequent follow-up has been lackluster as the problem keeps lingering,” Shodan founder John Matherly told Threatpost. This is despite most of the affected devices supporting TLSv1.2. “This means they support good encryption, unfortunately their dependencies are old,” he said.
Veracode senior director of security Tim Jarrett told Threatpost that the number of remaining servers highlights the complications that “forgotten servers” on public cloud services like AWS can bring.
“What used to require a sysadmin and a capital expenditure can now be done with a few lines of code. And we know that both real and virtual servers are easy to forget about, particularly when created outside of normal IT processes. So it’s unsurprising that some of these ‘forgotten servers’ are unpatched and dangerous,” Jarrett said.
This article first appeared on The WHIR.