Qualys Blog

www.qualys.com
wkandek

Heartbleed Remediation Report Now Available in QualysGuard

Update2: It seems the focus for many organizations has shifted from patching the OpenSSL code to finding and replacing SSL certificates that might have been exposed.  We will host a webinar on Thursday, April 24, 2014 at 10am PDT entitled "A Post-Mortem on Heartbleed – What Worked and What Didn’t" in which Jonathan Trull, the CISO for the State of Colorado, and I will cover the technical aspects of the bug, testing for its presence, how to exploit (with live examples) and some recovery strategies, both in theory and practice.

Update: We have added another Filter to this report. We now have "Heartbleed – All" and "Heartbleed – Active" that help you in your reporting around this vulnerability.

Original: The Heartbleed OpenSSL bug (CVE-20-14-0160) caught everybody by surprise last week, and the scope and impact of the issue can’t be overstated.  Mitigating the impact of Heartbleed is a daunting process since it has been in the wild since March 2012 and because attacks that use it leave no footprints.

When Heartbleed was discovered, Qualys added detection capabilities to QualysGuard within 24 hours. We then added new Heartbleed reporting to the Certificates Dashboard in QualysGuard that helps organizations move efficiently through the patching and certificate cleanup process. Now, you can use the following selections in the Filters menu to quickly identify which certificates might have been affected by Heartbleed:

  • Heartbleed – All: lists all certificates that have been used on systems that were (or still are) vulnerable to Heartbleed.
  • Heartbleed – Active: lists all certificates currently in use on systems that are still vulnerable to Heartbleed.

In addition, administrators can search for certificates that were issued any time before the systems were patched to determine which certificates are "at risk" and should be revoked or replaced.

Our ability to deliver detection and reporting to our entire QualysGuard customer so quickly after the discovery of Heartbleed demonstrates the flexibility of our cloud-based platform.  We will continue to iterate and improve our capabilities to make the recovery from Heartbleed as painless as possible for our customers.

Heartbleed Remediation Reporting Step-by-Step

  1. Navigate to the Assets section of QualysGuard.

    Screen Shot 2014-04-20 at 6.05.47 PM
    Click to enlarge

  2. Select the Certificates tab, click the Filters dropdown and choose "Heartbleed – All" to see all affected hosts.

    Screen Shot 2014-04-20 at 6.06.56 PM
    Click to enlarge

  3. After you have patched some or all of the affected hosts, click Search and select Fixed to list only remediated hosts that can be issued new certificates.

    Screen Shot 2014-04-20 at 6.07.40 PM
    Click to enlarge

  4. Search for all certificates issued before the patch date to identify certificates that may need to be replaced (in this example 14 April 2014).

    Screen Shot 2014-04-20 at 6.09.40 PM
    Click to enlarge

  5. To share with others, export the data in the format of your choice.

    Screen Shot 2014-04-20 at 6.10.34 PM
    Click to enlarge

8 responses to “Heartbleed Remediation Report Now Available in QualysGuard”

    • Sridhar – there is a "Select Asset Group" drop down at the top right corner that might meet your needs.

      I’d like the ability to:

      • Select multiple asset groups;
      • Use tags;
      • Specify which time frame (scan dates) to include; and
      • Identify which asset groups the hosts are in.
      • We had a number of Entrust Intermediate certs show up as vulnerable, however, it doesn’t appear they’re at risk.

        1. Bruce Morton  Post authorApril 10, 2014 at 11:47 amThe Entrust certification authority private keys are protected in a certified HSM. The private keys are not exposed to any software outside of the HSM, and of course are not exposed to any server using OpenSSL. The Entrust intermediate CAs do not need to be sunset. Customers should look at their own environments and see if they are using a vulnerable version of OpenSSL and renew their SSL certificates if required.

        https://www.entrust.com/openssl-heartbleed-bug/

      • Matthew, The TrustForce software from Venafi will allow you to do all those things and can also replace the certificates on the affected systems.

  1. Hi,

    I filter the data in "Heartbleed-Active", but while i click into 1 object, the vulnerability detail is empty. How can I understand this situation of the certificate report?  the site is in vulnerable or not?

    Thanks.

Leave a Reply