In the software development life-cycle, new software packages are deployed while older ones are phased out as they reach
their "End of Life" and are no longer supported. Despite this lack of support, some of these End-of-Life (EoL) software
distributions are still popular and are being used. However, running EoL software poses massive security risks as older
software may contain vulnerabilities for which security updates are no longer available. In this paper we investigate
the prevalence of EoL software in Internet-facing devices. To our surprise, we find that more than 6 million out of the
44.3 million hosts we consider in our study are running at least one EoL version of very popular software, including web
server software, software libraries, databases, and scripting languages.
In addition, NIST identifies some of these EoL versions as highly vulnerable, rating them as high or critical severity (severity scores above 7 and 9, respectively). To identify which networks are at greater risk, we investigate regions and networks with a high concentration of hosts running EoL software. Our work aims to raise awareness within both the research and operational communities about the current state of EoL software and the potential risks associated with its continued large-scale use.
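The measurement the abstract describes, as an added example that is not the paper's code: version banners from a scan inventory are matched against a release-branch EoL table, and each host running at least one EoL component is bucketed by its worst severity score using the >7 (high) and >9 (critical) thresholds. The EoL table, severity scores, host records and observation date are all constructed placeholders, not the paper's data or real NVD values.

```python
import re
from datetime import date

# Constructed, illustrative EoL table (not the paper's data):
# product -> [(release branch, date after which the branch gets no security updates)].
EOL_TABLE = {
    "php":   [("5.6", date(2018, 12, 31)), ("7.0", date(2030, 1, 1))],
    "nginx": [("1.14", date(2019, 4, 23))],
    "mysql": [("5.5", date(2018, 12, 31))],
}
# Constructed worst-case severity per EoL branch (stands in for an NVD lookup).
SEVERITY = {("php", "5.6"): 9.8, ("nginx", "1.14"): 7.5, ("mysql", "5.5"): 6.5}

def parse_version(v):
    """'1.14.2-ubuntu' -> (1, 14, 2); any trailing distro suffix is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()

def eol_branch(product, version, today):
    """Return the EoL branch `version` belongs to if it is past EoL on `today`, else None."""
    parsed = parse_version(version)
    for branch, eol_date in EOL_TABLE.get(product, []):
        b = parse_version(branch)
        if parsed[:len(b)] == b and today >= eol_date:
            return branch
    return None

def audit(hosts, today):
    """Count hosts with at least one EoL component; bucket by worst score (>7 high, >9 critical)."""
    summary = {"hosts": len(hosts), "eol_hosts": 0, "high": 0, "critical": 0}
    for host in hosts:
        hits = [eol_branch(p, v, today) for p, v in host["software"]]
        scores = [SEVERITY.get((p, b), 0.0) for (p, _), b in zip(host["software"], hits) if b]
        if not scores:
            continue
        summary["eol_hosts"] += 1
        worst = max(scores)
        if worst > 9:
            summary["critical"] += 1
        elif worst > 7:
            summary["high"] += 1
    return summary

# Constructed scan inventory: (product, version) banners per host; constructed observation date.
AS_OF = date(2021, 1, 1)
HOSTS = [
    {"ip": "192.0.2.10", "software": [("php", "5.6.40"), ("nginx", "1.18.0")]},
    {"ip": "192.0.2.11", "software": [("nginx", "1.14.2-ubuntu")]},
    {"ip": "192.0.2.12", "software": [("mysql", "5.5.62"), ("php", "7.4.3")]},
    {"ip": "192.0.2.13", "software": [("nginx", "1.20.1"), ("php", "8.1.2")]},
]
```

`audit(HOSTS, AS_OF)` reports 3 of 4 hosts running EoL software, one of them in the high bucket and one in the critical bucket; the third is EoL but below the high threshold, which is why EoL prevalence and severity are counted separately.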