The National Security Agency has known about the "Heartbleed" bug for the past two years, and during that time has regularly used it to support its surveillance activities, according to a Bloomberg report published Friday.
Citing two unidentified sources, Bloomberg said the vulnerability, which can be exploited to gain access to sensitive information such as account credentials and the keys that encrypt sensitive website communication, were used to gather critical intelligence.
The Heartbleed bug surfaced earlier this week when the OpenSSL Project issued an update correcting the issue, which impacts hundreds of thousands of Web servers and a wide variety of networking gear. The issue has caused system administrators to scramble to check the critical back-end systems that use the widely used encrypted traffic implementation known as SSL/TLS.
Meanwhile, networking vendors are still developing patches to fix their products. Security advisories from Cisco Systems, Juniper Networks and dozens of other firms identified products that are affected by the flaw.
The level of exposure for Internet-facing devices, such as the widely used Apache Web servers, is much higher than for network devices that are behind a firewall, Mark Maxey, director of the vulnerability and analysis team at Denver-based systems integrator Accuvant, told CRN.
A successful attack against the Heartbleed bug would give an attacker access to a random block of the Web server's memory. If the master key that secures Web traffic flowing to and from the targeted organization is disclosed in the data, the attacker theoretically could conduct a man-in-the-middle attack, decrypting the protected data and gaining access to sensitive information, Maxey said.
"There's a perception that anybody can go out there and take a peek at the code here because it's open source," Maxey said. "This is the kind of serious error many people would have expected to be discovered by now, because this is something everybody uses."
The management interfaces of routers, switches and other equipment that are impacted by the Heartbleed bug are typically not exposed to the Internet, he said.
Intelligence agencies in the U.S. and other countries have long been in the business of finding and retaining vulnerabilities. Security research firm Vupen has been open about finding vulnerabilities and developing exploits for governments to use them for offensive purposes.
The issue was thrust into the spotlight at the RSA conference in February. RSA executive chairman Art Coviello acknowledged his company's close ties with the NSA and called on nation-states to curtail offensive security practices and work on more defensive measures.
"NSA blurs the line between defensive and intel-gathering roles and exploits a position of trust within the security community. That is a problem," Coviello said in his keynote address at RSA.
In an address to the Cloud Security Alliance Summit in February, Richard Clarke, president of Good Harbor Security Risk Management and one of the members of President Barack Obama's surveillance review panel, called for an immediate cessation of the use of cyberweapons and other offensive security practices.
Nation-states need to establish international norms about the use of offensive security tactics for cyberespionage activities, he said. The federal government should immediately disclose vulnerabilities it finds as a matter of public safety, so the appropriate authorities can fix the weaknesses, Clarke said.