Updated Thursday, April 17, 2014
The ‘Heartbleed’ OpenSSL vulnerability (CVE-2014-0160) is a uniquely severe vulnerability. It is a flaw in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520): the code trusts the payload length claimed by the peer instead of the length of the record it actually received, so a crafted heartbeat request makes the responder copy up to 64 KB of its own process memory into the reply. The leak works in both directions, from the server to the client and from the client to the server.
This vulnerability exists in OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g), which is embedded in a wide range of products and servers. Each malicious heartbeat returns a different slice of the process’s memory, and a potential attacker who repeats the request can harvest session cookies, credentials, plaintext traffic and, in particular, the private keys used by the server. With the server’s private key the attacker can impersonate the server and decrypt any captured traffic that was not protected by a forward-secret (DHE/ECDHE) cipher suite. Because the read leaves no trace in the server’s logs, exploitation cannot be ruled out after the fact, so patching must be followed by reissuing certificates and rotating the affected keys and credentials.
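The following is an added example, written for this page; it is neither Skybox code nor OpenSSL’s actual source. It models the heartbeat handling described above in a constructed memory arena: the received record is placed at the front of the arena with a constructed “secret” right behind it, and `process_heartbeat` either trusts the peer’s length field (the bug) or applies the two bounds checks that the 1.0.1g fix added. The arena, the `hello` payload, the secret string and all function names are assumptions made for the demonstration; the arena bound inside `process_heartbeat` exists only to keep the simulation memory-safe and has no counterpart in the vulnerable code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for the process's memory: the received heartbeat record
 * is written at the front, and data the peer must never see sits right after it,
 * the way a private key or another session's buffer could sit next to it on the heap. */
static uint8_t arena[4096];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed, not a real key)";

/* Write a heartbeat request into the arena and return its real length.
 * claimed_len is what the peer puts in the length field; it may exceed
 * the payload actually sent, which is exactly the Heartbleed trigger. */
size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t real_len = strlen(payload);
    size_t rec_len = 3 + real_len + HB_PADDING;

    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real_len);
    /* padding bytes are left zero; their value is irrelevant here */
    memcpy(arena + rec_len, secret, sizeof secret); /* adjacent "heap" data */
    return rec_len;
}

/* Handle the heartbeat record of rec_len bytes at the start of the arena and
 * write the response to out. With patched == 0 the code trusts the peer's
 * length field (the Heartbleed bug); with patched != 0 it applies the bounds
 * checks added in OpenSSL 1.0.1g. Returns the response length, 0 if dropped. */
size_t process_heartbeat(size_t rec_len, int patched, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = arena;
    uint16_t payload_len;
    size_t resp_len;

    /* Fix, part 1: the record must at least hold type, length and padding. */
    if (patched && rec_len < 1 + 2 + HB_PADDING)
        return 0;
    if (p[0] != HB_REQUEST)
        return 0;
    payload_len = (uint16_t)((p[1] << 8) | p[2]);

    /* Fix, part 2: the claimed payload must fit inside the record we received. */
    if (patched && (size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return 0;

    resp_len = 3 + payload_len + HB_PADDING;
    /* The real code allocated exactly resp_len for the reply, so the write was in
     * bounds; only the read below overran. The arena check is simulation-only. */
    if (resp_len > out_cap || (size_t)3 + payload_len > sizeof arena)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    /* Unpatched: copies payload_len bytes starting at the payload, running past
     * the end of the record into whatever happened to follow it in memory. */
    memcpy(out + 3, p + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Returns 1 if the secret appears anywhere in the first n bytes of buf. */
int leaks_secret(const uint8_t *buf, size_t n)
{
    size_t slen = strlen(secret);
    size_t i;
    for (i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(buf + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* Send a 5-byte "hello" heartbeat with the given claimed length to the
 * vulnerable or patched handler; returns 1 if the response leaks the secret. */
int heartbeat_leaks(uint16_t claimed_len, int patched, size_t *resp_len)
{
    static uint8_t out[4096];
    size_t rec_len, n;

    memset(out, 0, sizeof out);
    rec_len = build_request(claimed_len, "hello");
    n = process_heartbeat(rec_len, patched, out, sizeof out);
    if (resp_len)
        *resp_len = n;
    return leaks_secret(out, n);
}

/* Response length for the same scenario (0 when the handler drops the record). */
size_t heartbeat_response_len(uint16_t claimed_len, int patched)
{
    size_t n;
    heartbeat_leaks(claimed_len, patched, &n);
    return n;
}

int main(void)
{
    size_t n;
    int leak;

    leak = heartbeat_leaks(5, 0, &n);
    printf("honest length 5, unpatched: %zu-byte response, leak=%d\n", n, leak);
    leak = heartbeat_leaks(1000, 0, &n);
    printf("claimed 1000,    unpatched: %zu-byte response, leak=%d\n", n, leak);
    leak = heartbeat_leaks(1000, 1, &n);
    printf("claimed 1000,    patched:   %zu-byte response, leak=%d\n", n, leak);
    return 0;
}
```

The honest request gets a 24-byte reply either way. The request that claims 1000 bytes while sending 5 gets a 1019-byte reply from the unpatched handler, and that reply carries the “secret” that sat after the record; the patched handler drops the same request because 1 + 2 + 1000 + 16 is larger than the 24 bytes it actually received. Sending such requests over and over, each time receiving a different slice of memory, is all the attack consisted of.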
Skybox Security customers can easily identify assets that could be compromised by this vulnerability. One of the core features of Skybox software is the ability to model your network topology and controls. Since the Skybox platform holds a data repository of your network devices, you can use Skybox to help secure your network when a critical issue like the OpenSSL vulnerability is announced.
OpenSSL is a common toolkit that may exist on many different assets. To quickly identify assets that could contain OpenSSL and could be reached from outside the network, Skybox customers can examine all potential network paths with Access Analyzer.
In the image above we have selected the source as the internet and the destination as any asset with port 443 accessible (the port used by HTTPS). This will analyze the network topology and controls for any paths available between the internet and devices with this port number. Port 443 only covers HTTPS, however: TLS is also used on ports such as 993 and 995 (IMAPS and POP3S), 465 (SMTPS), 636 (LDAPS) and 8443, and DTLS runs over UDP, so repeat the query for every TLS port in use in your environment.
In this case there is one asset with SSL that is exposed to the internet. Also listed are the route and the access controls that would be traversed. We could repeat this process for any other network source that we might be concerned about; for example, we might want to look at the partner zone for the same type of access.
A data repository analysis (or view) is another way to quickly identify assets that could be impacted. Simply create a new view that highlights specific products that have been detected by scanners or patch management systems.
The image above shows a new analysis called “Check for Open SSL”. In the parameters section, select “OpenSSL” as the product. This analysis returns every host on which OpenSSL was detected during the last scan. It can only find what the scanners saw: appliances and applications that bundle their own statically linked copy of OpenSSL are often not reported as a separate product and need to be checked against their vendors’ advisories.
Example results are pictured below. In this case we have grouped the results by OpenSSL version. Heartbleed affects only the 1.0.1 branch (1.0.1 through 1.0.1f) and 1.0.2-beta1; 0.9.8 and 1.0.0 are not affected, and 1.0.1g carries the fix. Since none of the hosts here run an affected version, this network is safe as far as these scan results go. Version strings alone can mislead, though: Linux distributions such as Debian, Ubuntu and Red Hat backported the fix while keeping the 1.0.1e package version, so a host reporting 1.0.1e may already be patched and should be confirmed against its package changelog or patch management data before being declared either safe or vulnerable.
Stay on top of the Heartbleed Bug news with the Skybox Vulnerability Center … simply search the Skybox Vulnerability Database for “heartbleed” and you can easily follow the updates.