Solved

Vulnerability CVE-2014-0160 Server 2008 r2 TLS heartbleed

Posted on 2014-09-30
8
345 Views
Last Modified: 2014-10-01
I am getting a heartbleed vulnerability on a server that has IIS7.5 express. This is actually a domain controller. Is this an actual threat or is this a false alert since microsoft doesn't use Openssl?

TLS heartbleed memory disclosure vulnerability
0
Comment
Question by:Larry Kiterling
  • 4
  • 3
8 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40353606
What is stating you have the vulnerability? That's an important bit of information.
0
 

Author Comment

by:Larry Kiterling
ID: 40353614
We are using Saint 8 to do the vulnerability scanning.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40353764
false positive as microsoft doesn't use openssl
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40353776
A quick search didn't turn anything up on Saint 8, which is concerning.

It may be a false-positive, as suggested. But it may be something to be concerned about.

Specifically, if the tool is an independent service-based scanner, it may be picking up other problems. If you have a reverse proxy or WAF, for example, it may use OpenSSL to scan SSL traffic as part of its proxy duty, even if the final destination is your Microsoft server.

Alternatively, there is a plethora of malware that uses SSL (port 443 is the universal "bypass the firewall" protocol, after all) and quite a bit of it is built on SSL. This could be a subtle indication that the server does indeed have something listening that uses OpenSSL, even if that "something" was not intended.

Or....it could just be a cut-rate scanner (like I said, I could find very little mention of it), and is truly just a false-positive...

Nothing in WIndows or IIS (Express or otherwise) uses OpenSSL...but I wouldn't be too quick to dismiss that specific vulnerability. Considering testing for the exploit usually requires successfully *doing* the exploit, false-positives for heartbleed specifically are rare with most security scans.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Author Comment

by:Larry Kiterling
ID: 40354649
If it goes through OpenSSL at any point on the windows server, should I be able to find it in the registry or is there TLS heartbleed software/application i can install to test?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40354688
Regarding the registry, not really. Most compiled packages of OpenSSL for windows that I've seen are Cygwin based and don't register in the registry.

Regarding software, there are vulnerability scanners you can install, sure. Plenty. Like antivirus software, pick the one you are comfortable, but everybody else will have a different opinion.
0
 

Author Comment

by:Larry Kiterling
ID: 40354713
We are currently using Saint vulnerability scanner - but i wanted to see if there was a desktop app to test. AV isn't going to pick up on a heartbleed vulnerability.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40354719
As I said, there are many. I was using AV as an analogy that there isn't "just one" and that different people will have different opinions on their favorite. From snort to Secunia to....bing is your friend. As are reviews.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

Suggested Solutions

Normally after a failure of Domain Controller, when promoting new DC the DC is renamed, we will discuss the options in Dcpromo to re-create the DC with the same name. Scenario: You are a small IT shop with two Domain Controllers (Domain Contr…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now