Update: Today, Thursday 4/10/2014, we released a further improvement to QID 42430 "OpenSSL Memory Leak Vulnerability (Heartbleed bug)". We have tuned the remote, unauthenticated probes to improve the detection rate for a number of edge cases: OpenSSL implementations that behave differently from standard setups. The changes are included in Signature version 2.2.703-5.
4/9/2014: An active, unauthenticated detection is now live on all platforms in the external scanners as of 4/9/2014 – 7:00 PM PST. The detection reports to the same QID as before: 42430 "OpenSSL Memory Leak Vulnerability (Heartbleed bug)". This detection is vendor independent and detects vulnerable instances of OpenSSL wherever they are in use, for instance web servers, VPN servers and appliances. The simplest way to scan your vulnerable websites is to limit your scan to this QID. Take a look at our How-to doc that explains how to set up the scan. BTW, the version that implements that detection is "Scanner version: 7.6.34-1", which you can confirm under Help – About. Scanner Appliances update on a slightly slower schedule. You can verify their version on the Appliance page and trigger a manual update if necessary.
Original: The "heartbleed" vulnerability (CVE-2014-0160) was published on April 7, 2014. The vulnerability is in OpenSSL's implementation of the TLS/DTLS "heartbeat" extension (RFC 6520) and has been present since heartbeat support was added in version 1.0.1 about two years ago; versions 1.0.1 through 1.0.1f are affected, and 1.0.1g fixes it. A successful exploitation of the vulnerability leads to inadvertent disclosure of memory on the targeted machine, up to 64 KB per request, which can contain confidential information such as session cookies, usernames, passwords and encryption keys. The vulnerability is well documented and researched, and a number of proofs of concept for its exploitation were published within a day of the release.
Qualys has implemented the following tools to help you detect the vulnerability and track the remediation efforts:
- on April 8, an active check for the vulnerability through our SSL Labs service. It can be used to test external websites in an ad-hoc, interactive manner.
- on April 8, QID 42430, a check in QualysGuard VM, PCI, and FreeScan. The check uses the version banner returned by Apache (the Server header) to determine whether a vulnerable OpenSSL version is in use. It is reported as a potential vulnerability, since banner information is often unreliable: distributions backport fixes without changing the version string, and banners can be suppressed or altered.
- on April 9, QIDs 121887, 121888, 121889, 121890, 121891, 195443 (for Red Hat, Fedora, Debian, CentOS, openSUSE and Ubuntu) that use package information to determine whether the version of OpenSSL installed is vulnerable. These QIDs require authentication. See tips on using these QIDs.
An active detection in QualysGuard for "heartbleed" that requires no authentication, similar to SSL Labs, is currently in QA and we are working on getting it out as soon as possible. Stay tuned to this post for updates.
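To make concrete both the memory disclosure described above and the principle behind a remote, unauthenticated check, here is an added illustration. It is not Qualys code and not OpenSSL's source: the C program below models the server-side heartbeat handling with the vulnerable logic of 1.0.1 through 1.0.1f next to the bounds check 1.0.1g added, feeds both a request whose length field claims far more payload than was sent, and applies the decision rule a scanner uses (a reply longer than the request means the server echoed memory it never received). The arena, the secret string and the names `heartbeat_vulnerable`, `heartbeat_fixed`, `run_probe` and `indicates_heartbleed` are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) |
 * payload | padding (at least 16 bytes). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD  16
#define ARENA_SIZE 4096

/* Simulated process memory (constructed for this example): the received
 * record is placed at the front and a secret that a real server would hold
 * elsewhere in its heap sits a little behind it. */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "session=0xdeadbeef; password=hunter2";

static unsigned int n2s(const unsigned char *p) { return ((unsigned int)p[0] << 8) | p[1]; }
static void s2n(unsigned int v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Vulnerable handler, modelled on OpenSSL 1.0.1 to 1.0.1f: the peer-supplied
 * payload_length is trusted and that many bytes are copied out of the record
 * buffer even though the record itself is far shorter. The over-read stays
 * inside the arena so the simulation has no undefined behaviour. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(p);
    p += 2;
    (void)rec_len;                            /* never checked: this is the bug */
    if (hbtype != HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + payload + HB_MIN_PAD;
    if (resp_len > out_cap) return 0;         /* guard for the simulation only */
    out[0] = HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + 3, p, payload);              /* reads past the end of the record */
    memset(out + 3 + payload, 0, HB_MIN_PAD); /* real OpenSSL pads with random bytes */
    return resp_len;
}

/* Fixed handler with the check 1.0.1g added: the claimed payload_length must
 * fit inside the received record, otherwise the message is silently
 * discarded as RFC 6520 section 4 requires. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    if (1 + 2 + HB_MIN_PAD > rec_len) return 0;
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(p);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_MIN_PAD > rec_len) return 0;
    if (hbtype != HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + payload + HB_MIN_PAD;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_MIN_PAD);
    return resp_len;
}

/* True if needle occurs anywhere in hay. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Hands one malicious heartbeat request (1 real payload byte, claimed_len in
 * the length field) to the handler. Returns the response length and sets
 * *leaked if the secret turned up in the response. */
static size_t run_probe(hb_handler handler, unsigned int claimed_len,
                        unsigned char *out, size_t out_cap, int *leaked)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    s2n(claimed_len, arena + 1);
    arena[3] = 'A';                           /* the only real payload byte */
    size_t rec_len = 1 + 2 + 1 + HB_MIN_PAD;  /* 20 bytes actually on the wire */
    memcpy(arena + 64, SECRET, sizeof SECRET);
    size_t n = handler(arena, rec_len, out, out_cap);
    *leaked = n > 3 && contains(out + 3, n - 3, SECRET);
    return n;
}

/* Scanner decision rule: a reply longer than the request that produced it
 * means the server echoed memory it never received. */
static int indicates_heartbleed(size_t sent_len, size_t resp_len)
{
    return resp_len > sent_len;
}

int main(void)
{
    unsigned char out[2048];
    int leaked;
    size_t sent = 1 + 2 + 1 + HB_MIN_PAD;
    size_t n = run_probe(heartbeat_vulnerable, 1024, out, sizeof out, &leaked);
    printf("vulnerable: %zu bytes back, leaked=%d, flagged=%d\n", n, leaked, indicates_heartbleed(sent, n));
    n = run_probe(heartbeat_fixed, 1024, out, sizeof out, &leaked);
    printf("fixed:      %zu bytes back, leaked=%d, flagged=%d\n", n, leaked, indicates_heartbleed(sent, n));
    return 0;
}
```

A real scanner sends the same 20-byte request over a TLS connection whose handshake negotiated the heartbeat extension, and the vulnerable server answers with the claimed 1024 bytes of payload; the patched server answers nothing, which is why the detection needs no credentials and does not depend on what the banner says. Note that a server that simply does not support the heartbeat extension will also stay silent, so absence of a reply alone is not proof of a patch.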
For our production environment on the shared QualysGuard platforms, we have investigated CVE-2014-0160, and determined that the systems that comprise the platforms are not vulnerable. We used a number of factors including an analysis of OpenSSL versions in use and technical testing for the vulnerability through the QualysGuard Vulnerability Management service, the Qualys SSL Labs Server Test, and other tools that have been made available.
Please comment on how you are using these tools either here or you can contact me via e-mail at: firstname.lastname@example.org.