The significance of CVE-2014-0160, aka Heartbleed, an attack against the transport layer security protocol (TLS/DTLS) heartbeat extension, is well documented. What could use more discussion is what it really takes to find all vulnerable systems in today's networks.
- The vulnerability exists in the OpenSSL library, widely used by Linux operating systems, embedded systems and most applications implementing SSL encryption
- While you can patch the vulnerability in your operating system, the vulnerable library can be built into the application, as it is with OpenVPN and other applications which must also be patched
- The vulnerability can present itself in any service which implements SSL, allowing it to exist in services other than HTTPS (port 443), including email, instant messenger, and many other common (and uncommon) services and applications
- Once you’ve patched the vulnerability on all of the systems and services you’ve discovered, it can easily be re-introduced if someone installs a vulnerable application or embedded system that has not yet been patched (or an older version where the vulnerability exists).
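The bundled-library case in the list above can be triaged from the file system. This is an added example, not Tenable's plugin logic or code from the original page: it looks for the version banner OpenSSL embeds in its libraries and in statically linked binaries. The affected upstream range used (1.0.1 through 1.0.1f, and 1.0.2-beta1) is taken from the OpenSSL advisory rather than from this page, and the sample byte strings are constructed.

```python
import re
from pathlib import Path

# Banner that libssl/libcrypto (and binaries linking them statically) embed,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER = re.compile(
    rb"OpenSSL (\d\.\d\.\d)([a-z]{0,2})((?:-[a-z0-9]+)*) +\d{1,2} [A-Z][a-z]{2} \d{4}"
)

def classify(base, letter, suffix):
    """Map an upstream version to the CVE-2014-0160 affected range."""
    tags = suffix.split("-")
    if base == "1.0.1" and letter in ("", "a", "b", "c", "d", "e", "f"):
        return "affected-range"      # 1.0.1 through 1.0.1f; fixed in 1.0.1g
    if base == "1.0.2" and letter == "" and "beta1" in tags:
        return "affected-range"      # 1.0.2-beta1; fixed in 1.0.2-beta2
    return "outside-range"

def find_banners(data):
    """Return sorted, de-duplicated (banner, verdict) pairs found in a byte string."""
    hits = set()
    for m in BANNER.finditer(data):
        base, letter, suffix = (g.decode("ascii") for g in m.groups())
        hits.add((m.group(0).decode("ascii"), classify(base, letter, suffix)))
    return sorted(hits)

def scan_tree(root, max_bytes=64 * 1024 * 1024):
    """Scan regular files under root; returns {path: hits} for files with a banner."""
    report = {}
    for path in Path(root).rglob("*"):
        try:
            if path.is_file() and not path.is_symlink() and path.stat().st_size <= max_bytes:
                hits = find_banners(path.read_bytes())
                if hits:
                    report[str(path)] = hits
        except OSError:
            continue  # unreadable file: skip it, do not abort the sweep
    return report

# Constructed samples: bytes standing in for an application binary with a bundled library.
SAMPLE_APP = b"\x7fELF\x00libssl\x00OpenSSL 1.0.1e 11 Feb 2013\x00part of OpenSSL 1.0.1e 11 Feb 2013\x00"
SAMPLE_PATCHED = b"\x00\x01OpenSSL 1.0.1g 7 Apr 2014\x00"

if __name__ == "__main__":
    print(find_banners(SAMPLE_APP))      # one de-duplicated hit in the affected range
    print(find_banners(SAMPLE_PATCHED))  # banner present, outside the affected range
```

A hit in the affected range is a lead to verify, not a finding: distributions backport the fix without changing the upstream version letter, and a build compiled without heartbeat support carries the same banner.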
Nessus® enables you to safely detect the Heartbleed vulnerability with a comprehensive set of remote and local checks.
Remote Checking Plugin 73412 (Nessus Plugins) – This plugin checks for the vulnerability and displays a sample of data that can be retrieved from the remote host. Tenable research teams have written this check to be thorough, accurate, and safe.
Using local patch checking, Nessus can log into the remote host and determine if the operating system patches have been applied:
Credentialed OS checks:
- Amazon Linux AMI
- and other platforms including Gentoo, Scientific Linux, Slackware
If you are concerned with your Internet facing systems, particularly your web sites or VPN connections, you may use the same Nessus Heartbleed detection policy wizard to create a schedule for scanning your systems from our remote, cloud-based vulnerability scanner, Nessus® Enterprise Cloud.
Nessus Enterprise Cloud can be used to check for the Heartbleed vulnerability using one or more of the following three settings:
- Quick – limited to searching for ports/services that are known to use OpenSSL;
- Normal – searches for the vulnerability on the Nessus default set of ports; or
- Thorough – performs a comprehensive sweep of all 65K ports and detects use of SSL.
Nessus Enterprise Cloud allows for unlimited scanning of unlimited IP addresses and will help you discover where SSL communications that rely on OpenSSL are entering into your network, and whether they are vulnerable to the heartbeat attack.
For those hard to reach places, Tenable’s Passive Vulnerability Scanner™ (PVS™) can sniff the network and identify hosts vulnerable to the “Heartbleed” attack.
PVS is a powerful tool for finding Heartbleed and other vulnerabilities which may escape some traditional detection methods. By passively monitoring network traffic, PVS detects server and client vulnerabilities, applications, and connections.
As a data source for SecurityCenter Continuous View™, or as an individual subscription installation, PVS provides valuable insight into Heartbleed and other OpenSSL issues. Shown is a sample report displayed in the PVS web interface.
As with all Tenable detections, PVS provides not only the overview, but also the detailed information required to address and resolve discovered vulnerabilities.
To thoroughly identify your exposure to Heartbleed, a complete view of your environment is required; Tenable’s SecurityCenter Continuous View™ provides a complete and comprehensive view of your environment by combining active scanning, passive monitoring, and log analysis.
The SecurityCenter CV™ dashboard shown below provides an up-to-the-minute overview of Heartbleed-vulnerable systems and related information at a glance: