Vulnerability CVE-2014-0160 Server 2008 r2 TLS heartbleed

I am getting a Heartbleed vulnerability on a server that has IIS 7.5 Express. This is actually a domain controller. Is this an actual threat or is this a false alert since Microsoft doesn't use OpenSSL?

TLS heartbleed memory disclosure vulnerability
Larry Kiterling Asked:

Cliff Galiher Commented:
What is stating you have the vulnerability? That's an important bit of information.
0
Larry Kiterling Author Commented:
We are using Saint 8 to do the vulnerability scanning.
0
David Johnson, CD, MVP Owner Commented:
False positive, as Microsoft doesn't use OpenSSL.
0

Cliff Galiher Commented:
A quick search didn't turn anything up on Saint 8, which is concerning.

It may be a false-positive, as suggested. But it may be something to be concerned about.

Specifically, if the tool is an independent service-based scanner, it may be picking up other problems. If you have a reverse proxy or WAF, for example, it may use OpenSSL to scan SSL traffic as part of its proxy duty, even if the final destination is your Microsoft server.

Alternatively, there is a plethora of malware that uses SSL (port 443 is the universal "bypass the firewall" protocol, after all) and quite a bit of it is built on SSL. This could be a subtle indication that the server does indeed have something listening that uses OpenSSL, even if that "something" was not intended.

Or....it could just be a cut-rate scanner (like I said, I could find very little mention of it), and is truly just a false-positive...

Nothing in Windows or IIS (Express or otherwise) uses OpenSSL...but I wouldn't be too quick to dismiss that specific vulnerability. Considering testing for the exploit usually requires successfully *doing* the exploit, false-positives for Heartbleed specifically are rare with most security scans.
0

Larry Kiterling Author Commented:
If it goes through OpenSSL at any point on the Windows server, should I be able to find it in the registry, or is there a TLS Heartbleed software/application I can install to test?
0
Cliff Galiher Commented:
Regarding the registry, not really. Most compiled packages of OpenSSL for Windows that I've seen are Cygwin based and don't register in the registry.

Regarding software, there are vulnerability scanners you can install, sure. Plenty. Like antivirus software, pick the one you are comfortable with, but everybody else will have a different opinion.
0
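Added example, not part of the thread or any participant's code: since a bundled OpenSSL on Windows usually leaves no registry trace, one way to look for it is to scan binaries for the version banner OpenSSL embeds and compare it with the CVE-2014-0160 range (1.0.1 through 1.0.1f, plus 1.0.2-beta1). The function names and the choice of `.dll`/`.exe` extensions are assumptions of this example.

```python
import os
import re

# Banner embedded in OpenSSL builds, e.g. b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(
    rb"OpenSSL (\d\.\d\.\d)([a-z]{0,2})(-beta\d)?(?:-fips)? \d{1,2} [A-Z][a-z]{2} \d{4}")

def is_heartbleed_affected(base, letter, beta):
    """True for releases in the CVE-2014-0160 range: 1.0.1-1.0.1f, 1.0.2-beta1."""
    if base == "1.0.1":
        return not beta and letter <= "f"
    return base == "1.0.2" and beta == "-beta1"

def banners_in(data):
    """Return sorted (version, affected) pairs for every banner in a byte string."""
    found = set()
    for m in BANNER.finditer(data):
        base, letter, beta = (g.decode() if g else "" for g in m.groups())
        found.add((base + letter + beta, is_heartbleed_affected(base, letter, beta)))
    return sorted(found)

def scan_tree(root, exts=(".dll", ".exe")):
    """Walk root and report files that carry an OpenSSL banner."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file; skip it
            for version, affected in banners_in(data):
                hits.append((path, version, affected))
    return hits

if __name__ == "__main__":
    import sys
    for path, version, affected in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("AFFECTED " if affected else "ok       ") + version + "  " + path)
```

Pass the directory to scan as the first argument. A missing banner does not rule out a stripped or packed copy, so also check which process actually owns the listener the scanner flagged.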
Larry Kiterling Author Commented:
We are currently using Saint vulnerability scanner - but I wanted to see if there was a desktop app to test. AV isn't going to pick up on a Heartbleed vulnerability.
0
Cliff Galiher Commented:
As I said, there are many. I was using AV as an analogy that there isn't "just one" and that different people will have different opinions on their favorite. From Snort to Secunia to....Bing is your friend. As are reviews.
0