All Posts

Top 10 Vulnerabilities – February 2015

Last week we finished our analysis of the Top 10 most prevalent vulnerabilities for the trailing three months: November and December 2014 and January 2015. We perform this analysis periodically to give the market an overview of one of the items in our Laws of Vulnerabilities research: the Prevalence of Vulnerabilities.

You can use the data to enrich your own Vulnerability Management practice. We think it makes sense to take a look at the listed vulnerabilities and see how you compare.


November Patch Tuesday – Part 2

It has been a week since Microsoft announced its November bulletins, and we have seen quite a bit of movement around the Schannel bulletin MS14-066, which immediately attracted the attention of the security community.


Heartbleed Post-Mortem Webinar

As we get into the third week of the Heartbleed vulnerability, the focus for most organizations has shifted from patching the OpenSSL code to finding and replacing SSL certificates that might have been exposed. Qualys will host a webinar on Thursday, April 24, 2014 at 10am PDT entitled A Post-Mortem on Heartbleed – What Worked and What Didn’t, in which Jonathan Trull, the CISO for the State of Colorado, and I will cover the technical aspects of the bug, testing for its presence, how to exploit it (with live examples) and some recovery strategies, both in theory and practice.

Looking forward to seeing you there; you can sign up here.

Heartbleed Remediation Report Now Available in QualysGuard

Update 2: It seems the focus for many organizations has shifted from patching the OpenSSL code to finding and replacing SSL certificates that might have been exposed. We will host a webinar on Thursday, April 24, 2014 at 10am PDT entitled "A Post-Mortem on Heartbleed – What Worked and What Didn’t", in which Jonathan Trull, the CISO for the State of Colorado, and I will cover the technical aspects of the bug, testing for its presence, how to exploit it (with live examples) and some recovery strategies, both in theory and practice.

Update: We have added another filter to this report. We now have "Heartbleed – All" and "Heartbleed – Active" to help you with your reporting around this vulnerability.

Original: The Heartbleed OpenSSL bug (CVE-2014-0160) caught everybody by surprise last week, and the scope and impact of the issue can’t be overstated. Mitigating the impact of Heartbleed is a daunting process, since the vulnerable code has been in the wild since March 2012 and attacks that use it leave no footprints in server logs.

Within 24 hours of the Heartbleed disclosure, Qualys added detection capabilities to QualysGuard. We then added new Heartbleed reporting to the Certificates Dashboard in QualysGuard to help organizations move efficiently through the patching and certificate cleanup process. You can now use the following selections in the Filters menu to quickly identify which certificates might have been affected by Heartbleed:

  • Heartbleed – All: lists all certificates that have been used on systems that were (or still are) vulnerable to Heartbleed.
  • Heartbleed – Active: lists all certificates currently in use on systems that are still vulnerable to Heartbleed.

In addition, administrators can search for certificates that were issued any time before the systems were patched to determine which certificates are "at risk" and should be revoked and replaced; a private key served by a vulnerable system could have been read out at any point before the patch, so the issue date alone does not prove the key is safe.


Heartbleed Detection Update

Update: Today, Thursday 4/10/2014, we released a further improvement to QID 42430 "OpenSSL Memory Leak Vulnerability (Heartbleed bug)". We have tuned the remote, unauthenticated probes to improve the detection rate for a number of edge cases: OpenSSL implementations that behave differently from standard setups. The changes are included in Signature version 2.2.703-5.

4/9/2014: An active, unauthenticated detection is now live on all platforms in the external scanners as of 4/9/2014 – 7:00 PM PST. The detection reports to the same QID as before: 42430 "OpenSSL Memory Leak Vulnerability (Heartbleed bug)". This detection is vendor independent and detects vulnerable instances of OpenSSL wherever they are in use, for instance web servers, VPN servers and appliances. The fastest way to check your websites for this vulnerability is to limit your scan to this QID. Take a look at our How-to doc that explains how to set up the scan. BTW, the version that implements this detection is "Scanner version: 7.6.34-1", which you can confirm under Help – About. Scanner Appliances update on a slightly slower schedule. You can verify their version on the Appliance page and trigger a manual update if necessary.

Original: The “heartbleed” vulnerability (CVE-2014-0160) was published on April 7, 2014. The vulnerability is in OpenSSL’s implementation of the TLS/DTLS ”heartbeat” extension (RFC 6520) and has been present since version 1.0.1, which introduced the extension about 2 years ago. The bug is a missing bounds check: the server trusts the length field in a heartbeat request and copies that many bytes (up to 64 KB per request) from its own memory into the reply. Successful exploitation therefore leads to disclosure of process memory on the targeted machine, which can contain confidential information such as session cookies, usernames, passwords and the server’s private key. The vulnerability is well documented and researched, and a number of proof-of-concepts for its exploitation were published within a day of the release.


Patch Tuesday April 2014

Tuesday, April 8, 2014 – today Microsoft came out with the bulletins for April Patch Tuesday. It is a small release with only four bulletins, MS14-017 to MS14-020, a light Patch Tuesday for the second month in a row.

But the Microsoft bulletins are not the most important item this month (even though MS14-017 fixes the Word 0-day currently being exploited); two other items are: the new Heartbleed bug that impacts OpenSSL, and the arrival of Windows XP end of life. I will tackle each in turn:
