Solved

Vulnerability CVE-2014-0160 Server 2008 r2 TLS heartbleed

Posted on 2014-09-30
8
387 Views
Last Modified: 2014-10-01
I am getting a heartbleed vulnerability on a server that has IIS7.5 express. This is actually a domain controller. Is this an actual threat or is this a false alert since microsoft doesn't use Openssl?

TLS heartbleed memory disclosure vulnerability
0
Comment
Question by:Larry Kiterling
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40353606
What is stating you have the vulnerability? That's an important bit of information.
0
 

Author Comment

by:Larry Kiterling
ID: 40353614
We are using Saint 8 to do the vulnerability scanning.
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40353764
false positive as microsoft doesn't use openssl
0
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40353776
A quick search didn't turn anything up on Saint 8, which is concerning.

It may be a false-positive, as suggested. But it may be something to be concerned about.

Specifically, if the tool is an independent service-based scanner, it may be picking up other problems. If you have a reverse proxy or WAF, for example, it may use OpenSSL to scan SSL traffic as part of its proxy duty, even if the final destination is your Microsoft server.

Alternatively, there is a plethora of malware that uses SSL (port 443 is the universal "bypass the firewall" protocol, after all) and quite a bit of it is built on SSL. This could be a subtle indication that the server does indeed have something listening that uses OpenSSL, even if that "something" was not intended.

Or....it could just be a cut-rate scanner (like I said, I could find very little mention of it), and is truly just a false-positive...

Nothing in WIndows or IIS (Express or otherwise) uses OpenSSL...but I wouldn't be too quick to dismiss that specific vulnerability. Considering testing for the exploit usually requires successfully *doing* the exploit, false-positives for heartbleed specifically are rare with most security scans.
0
 

Author Comment

by:Larry Kiterling
ID: 40354649
If it goes through OpenSSL at any point on the windows server, should I be able to find it in the registry or is there TLS heartbleed software/application i can install to test?
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40354688
Regarding the registry, not really. Most compiled packages of OpenSSL for windows that I've seen are Cygwin based and don't register in the registry.

Regarding software, there are vulnerability scanners you can install, sure. Plenty. Like antivirus software, pick the one you are comfortable, but everybody else will have a different opinion.
0
 

Author Comment

by:Larry Kiterling
ID: 40354713
We are currently using Saint vulnerability scanner - but i wanted to see if there was a desktop app to test. AV isn't going to pick up on a heartbleed vulnerability.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40354719
As I said, there are many. I was using AV as an analogy that there isn't "just one" and that different people will have different opinions on their favorite. From snort to Secunia to....bing is your friend. As are reviews.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We recently had an issue where out of nowhere, end users started indicating that their logins to our terminal server were just showing a "blank screen." After checking the usual suspects -- profiles, shell=explorer.exe in the registry, userinit.exe,…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question