?
Solved

Vulnerability CVE-2014-0160 Server 2008 r2 TLS heartbleed

Posted on 2014-09-30
8
Medium Priority
?
444 Views
Last Modified: 2014-10-01
I am getting a heartbleed vulnerability on a server that has IIS7.5 express. This is actually a domain controller. Is this an actual threat or is this a false alert since microsoft doesn't use Openssl?

TLS heartbleed memory disclosure vulnerability
0
Comment
Question by:Larry Kiterling
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40353606
What is stating you have the vulnerability? That's an important bit of information.
0
 

Author Comment

by:Larry Kiterling
ID: 40353614
We are using Saint 8 to do the vulnerability scanning.
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40353764
false positive as microsoft doesn't use openssl
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 40353776
A quick search didn't turn anything up on Saint 8, which is concerning.

It may be a false-positive, as suggested. But it may be something to be concerned about.

Specifically, if the tool is an independent service-based scanner, it may be picking up other problems. If you have a reverse proxy or WAF, for example, it may use OpenSSL to scan SSL traffic as part of its proxy duty, even if the final destination is your Microsoft server.

Alternatively, there is a plethora of malware that uses SSL (port 443 is the universal "bypass the firewall" protocol, after all) and quite a bit of it is built on SSL. This could be a subtle indication that the server does indeed have something listening that uses OpenSSL, even if that "something" was not intended.

Or....it could just be a cut-rate scanner (like I said, I could find very little mention of it), and is truly just a false-positive...

Nothing in WIndows or IIS (Express or otherwise) uses OpenSSL...but I wouldn't be too quick to dismiss that specific vulnerability. Considering testing for the exploit usually requires successfully *doing* the exploit, false-positives for heartbleed specifically are rare with most security scans.
0
 

Author Comment

by:Larry Kiterling
ID: 40354649
If it goes through OpenSSL at any point on the windows server, should I be able to find it in the registry or is there TLS heartbleed software/application i can install to test?
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40354688
Regarding the registry, not really. Most compiled packages of OpenSSL for windows that I've seen are Cygwin based and don't register in the registry.

Regarding software, there are vulnerability scanners you can install, sure. Plenty. Like antivirus software, pick the one you are comfortable, but everybody else will have a different opinion.
0
 

Author Comment

by:Larry Kiterling
ID: 40354713
We are currently using Saint vulnerability scanner - but i wanted to see if there was a desktop app to test. AV isn't going to pick up on a heartbleed vulnerability.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40354719
As I said, there are many. I was using AV as an analogy that there isn't "just one" and that different people will have different opinions on their favorite. From snort to Secunia to....bing is your friend. As are reviews.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question