Qualys Blog

www.qualys.com
wkandek

Heartbleed Detection Update

Update: Today, Thursday 4/10/2014, we released a further improvement to QID 42430 "OpenSSL Memory Leak Vulnerability (Heartbleed bug)". We have tuned the remote, unauthenticated probes to improve the detection rate for a number of edge cases, i.e. OpenSSL implementations that behave differently from standard setups. The changes are included in Signature version 2.2.703-5.

4/9/2014: An active, unauthenticated detection is now live on all platforms in the external scanners as of 4/9/2014 – 7:00 PM PST. The detection reports to the same QID as before: 42430 "OpenSSL Memory Leak Vulnerability (Heartbleed bug)". This detection is vendor independent and detects vulnerable instances of OpenSSL wherever they are in use, for instance web servers, VPN servers and appliances. The simplest way to scan your websites for the bug is to limit your scan to this QID. Take a look at our How-to doc that explains how to set up the scan. BTW, the version that implements this detection is "Scanner version: 7.6.34-1", which you can confirm under Help – About. Scanner Appliances update on a slightly slower schedule. You can verify their version on the Appliance page and trigger a manual update if necessary.

Original: The "heartbleed" vulnerability (CVE-2014-0160) was published on April 7, 2014. The vulnerability is a missing bounds check in OpenSSL's implementation of the TLS/DTLS "heartbeat" extension (RFC 6520) and has been present since OpenSSL 1.0.1 introduced that extension about 2 years ago; 1.0.1 through 1.0.1f are affected and 1.0.1g fixes it. A successful exploitation of the vulnerability leads to inadvertent disclosure of process memory on the targeted machine (up to 64 KB per heartbeat request, repeatable at will), which can contain confidential information such as session cookies, usernames, passwords and encryption keys. The vulnerability is well documented and researched and a number of proof-of-concepts for its exploitation were published within a day of the release.

Qualys has implemented the following tools to help you detect the vulnerability and track the remediation efforts:

  • on April 8, an active check for the vulnerability through our SSL Labs service. It can be used to test external websites in an ad-hoc, interactive manner.
  • on April 8, QID 42430, a check in QualysGuard VM, PCI, and Freescan. The check uses the banner information returned by Apache to determine whether a vulnerable OpenSSL version is in use. It is flagged as a potential vulnerability since banner information is often not reliable: distributions such as Red Hat backport the fix without changing the upstream version string, so a banner showing 1.0.1e may already be patched, and conversely a patched library only takes effect once every process that loaded the old one has been restarted.
  • on April 9, QIDs 121887, 121888, 121889, 121890, 121891, 195443 (for RedHat, Fedora, Debian, CentOS, OpenSuSe and Ubuntu) that use package information to determine whether the version of OpenSSL installed is vulnerable, which correctly accounts for backported fixes. These QIDs require authentication. See tips on using these QIDs.

An active detection in QualysGuard for "heartbleed" that requires no authentication, similar to SSL Labs, is currently in QA and we are working on getting it out as soon as possible. Stay tuned to this post for updates.

For our production environment on the shared QualysGuard platforms, we have investigated CVE-2014-0160 and determined that the systems that comprise the platforms are not vulnerable. We used a number of factors, including an analysis of the OpenSSL versions in use and technical testing for the vulnerability through the QualysGuard Vulnerability Management service, the Qualys SSL Labs Server Test, and other tools that have been made available.

Please comment on how you are using these tools either here or you can contact me via e-mail at: wkandek@qualys.com.

6 responses to “Heartbleed Detection Update”

  1. I’d like to perform the active, unauthenticated scan against our infrastructure, however the external and internal scanners are still on 7.6.34-1 not 7.6.36-1 (CH SOC).

    I thought it’s available already. Can I somehow trigger/enforce an update?

    Remark: From another thread it seems that 7.6.34-1 is sufficient for active, unauthenticated scan. Pls confirm.

  2. I have tried to use the manual update direction referenced in the article but the update button is greyed out and the console indicates that I am on the latest version, 7.6.34-1.

  3. Support just issued a response:

    From: Qualys, Inc.
    Sent: Thursday, April 10, 2014 9:10 AM
    Subject: Qualys Case#XXXXXX QID 42430 OpenSSL Vulnerability

    Hello XXXXXX,
    Thanks so much for contacting Qualys Support.

    The new detection is actually in 7.6.34-1, I believe that was a typo somewhere.

    Best regards,

    XXXXXXXXX
    Technical Team Lead
    Qualys, Inc.
    http://www.qualys.com

  4. The active detection for Heartbleed is actually contained in Scanner Version 7.6.34-1.  Once your appliances are running 7.6.34-1, feel free to scan your environment for QID 42430 to take advantage of the active, un-authenticated detection referred to in the above article.

  5. Has anyone come across any "false positives" for the scans or resulting findings? My case is I have our Ops team applying 1.0.1g to servers found and rebooting the RedHat servers (just in case), and subsequently the Qualys scan is still showing this vulnerability on those servers.

    Also when they run "OpenSSL version" against the server they are showing me that it is showing a 1.0.1g version.

    Thanks in advance!!
