Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Vulnerability CVE-2014-0160 Server 2008 r2 TLS heartbleed

Posted on 2014-09-30
8
Medium Priority
?
518 Views
Last Modified: 2014-10-01
I am getting a heartbleed vulnerability on a server that has IIS7.5 express. This is actually a domain controller. Is this an actual threat or is this a false alert since microsoft doesn't use Openssl?

TLS heartbleed memory disclosure vulnerability
0
Comment
Question by:Larry Kiterling
  • 4
  • 3
8 Comments
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40353606
What is stating you have the vulnerability? That's an important bit of information.
0
 

Author Comment

by:Larry Kiterling
ID: 40353614
We are using Saint 8 to do the vulnerability scanning.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40353764
false positive as microsoft doesn't use openssl
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 40353776
A quick search didn't turn anything up on Saint 8, which is concerning.

It may be a false-positive, as suggested. But it may be something to be concerned about.

Specifically, if the tool is an independent service-based scanner, it may be picking up other problems. If you have a reverse proxy or WAF, for example, it may use OpenSSL to scan SSL traffic as part of its proxy duty, even if the final destination is your Microsoft server.

Alternatively, there is a plethora of malware that uses SSL (port 443 is the universal "bypass the firewall" protocol, after all) and quite a bit of it is built on SSL. This could be a subtle indication that the server does indeed have something listening that uses OpenSSL, even if that "something" was not intended.

Or....it could just be a cut-rate scanner (like I said, I could find very little mention of it), and is truly just a false-positive...

Nothing in WIndows or IIS (Express or otherwise) uses OpenSSL...but I wouldn't be too quick to dismiss that specific vulnerability. Considering testing for the exploit usually requires successfully *doing* the exploit, false-positives for heartbleed specifically are rare with most security scans.
0
 

Author Comment

by:Larry Kiterling
ID: 40354649
If it goes through OpenSSL at any point on the windows server, should I be able to find it in the registry or is there TLS heartbleed software/application i can install to test?
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40354688
Regarding the registry, not really. Most compiled packages of OpenSSL for windows that I've seen are Cygwin based and don't register in the registry.

Regarding software, there are vulnerability scanners you can install, sure. Plenty. Like antivirus software, pick the one you are comfortable, but everybody else will have a different opinion.
0
 

Author Comment

by:Larry Kiterling
ID: 40354713
We are currently using Saint vulnerability scanner - but i wanted to see if there was a desktop app to test. AV isn't going to pick up on a heartbleed vulnerability.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40354719
As I said, there are many. I was using AV as an analogy that there isn't "just one" and that different people will have different opinions on their favorite. From snort to Secunia to....bing is your friend. As are reviews.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question