Last Updated: 2014-04-11 12:16:23 UTC
by Rob VandenBrink (Version: 1)
We're getting reports of client applications that are vulnerable to the Heartbleed issue. Just as with server applications, these client applications are dependent on vulnerable versions of OpenSSL.
Another "patch soon" problem, you say? The patch will be installed when the vendor ... oh, wait a minute. Just exactly when will your TV's manufacturer update the web browser on your TV? And when will you be applying that patch? How about your in-laws' TV? This vulnerability on the client side has the potential to be much longer-lived than on servers.
This combines the problem of the specific Heartbleed vulnerability with the problem of embedded devices that may never be updated. Or devices that are updated by vendors for a year or two after release, then abandoned when the new model comes out - home routers and TV sets are great examples of this situation, but so are medical devices.
To add to that list, there is a large contingent of Android phones that have updates maintained by the carrier instead of the manufacturer (Google), and do not see frequent updates, or may never see an update. These devices are used daily for almost everything - online banking comes immediately to mind. The combination of a general purpose device and a vulnerability that exposes memory to an attacker (in this case, a malicious or infected server) has the potential for some widespread mayhem, for as long as that device remains in service (years instead of weeks or months).
Other applications that encrypt, but that we don't often think of as "clients", all need to be assessed: traditional database software, cloud services clients, dedicated / custom browsers for online services like entertainment, even device drivers for hardware. It's also easy to say "client application XX is vulnerable", but that client application might exist on your PC, multiple tablet or phone platforms, TVs, DVRs, exercise equipment, fridges, thermostats - the list grows to include things that are smaller and smaller, that are less and less likely to be updated.
Client applications that are currently reported as vulnerable are:
- MariaDB 5.5.36
- wget 1.15 (leaks memory of earlier connections and own state)
- curl 7.36.0
- git 1.9.1 (tested clone / push, leaks not much)
- nginx 1.4.7 (in proxy mode, leaks memory of previous requests)
- links 2.8 (leaks contents of previous visits!)
(from http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely )
If you've got confirmation of other vulnerable client applications, please post the relevant information (with links) in our comment section.