Quick reference links before we dive in:

Following up on our Heartbleed War Room webcast on Friday, here are the remaining responses to questions from the webcast...

Nexpose:

  • The OpenSSL (CVE-2014-0160) Nexpose check is it an SSL version check or is it testing devices as vulnerable?

    • From Nexpose 5.9.3 on, our unauthenticated/remote coverage has been provided by a very reliable direct test of the vulnerable condition. Nexpose 5.9.2 also included a banner version check, but this was removed in Nexpose 5.9.3 as it was redundant and less reliable.
  • Is there a specific report that I can run on Nexpose to verify if my servers are vulnerable?

    • Our latest blog post /2014/04/10/using-nexpose-to-stop-the-bleeding-scanning-for-cve-2014-0160 highlights how to configure Nexpose to scan for Heartbleed. Any vulnerability report type would include the results after scanning this way. "Normal" scanning with a full audit or general-purpose scan template that includes vulnerability checks WILL include the Heartbleed coverage.
    • A dynamic asset group based on "Vulnerability Title" contains "CVE-2014-0160" will identify all assets discovered vulnerable.
  • I've seen discrepancies between Nexpose and other scanners in detecting Heartbleed. Are you addressing this?

    • We too have heard reports of discrepancies in coverage; we are all tuning and updating for edge cases. At this time (2014-04-14 - Nexpose 5.9.4) we believe we have addressed the vast majority of known false negative cases and have very high confidence in our coverage.
  • The Nexpose check identified some of our Windows servers as vulnerable. Are any Windows systems vulnerable? Or is this an error?

    • Windows IIS is not vulnerable. Identified hosts may be running a vulnerable version of OpenSSL on Windows.  From Nexpose 5.9.3 forward, the direct condition test explicitly excludes servers detected as IIS.
  • I am concerned that scans will not find ALL instances of OpenSSL against a given target- e.g. if the server has FTP AND WWW will a scanner detect all instance of vulnerable items? (This question probably applies to appliances for VPN, firewalls, etc.)

    • This is a classic scanning challenge. Looking beyond scan configuration, SSL will normally appear on a number of standard ports, and scans may not be exhaustive. If your environment runs multiple services on servers, it may be wise to have an admin take a look when a vulnerable version of OpenSSL is located. We support detection of SSL/TLS wrapping of any services we otherwise detect. We also support STARTTLS negotiation in many plaintext-initiated protocols (FTP, IMAP, POP, etc.).
  • I use both Nexpose Enterprise and Metasploit Pro. As a part of my vulnerability management process, will I be able to detect all my assets which are prone to SSL 'Heartbleed' vulnerability? In addition, is there a Metasploit exploit where I can run an exploit verification scan?

    • See above.
  • Can the Nexpose unauthenticated test tool detect any instance of unsafe OpenSSL/Library on an exposed server? Want to make sure if we have a website running OpenSSL that is NOT vulnerable, but a vendor admin page or FTPS app that is will it detect both?

    • Again, see above.
  • Red Hat has issued a patch for RHEL 6.5 (1.0.1e-16). Metasploit is unable to exploit this, but Nexpose is still reporting this version of OpenSSL as being vulnerable. Do you know why the disparity?

    • The RHEL disparity should be addressed in Nexpose 5.9.3 and later.
    • We haven't had any problem reports with the Metasploit module.
  • Do we need to test every workstation? Also, can we use Nexpose to scan for OpenSSL 1.0.1g?

    • That is highly dependent on the environment. Nexpose can report the presence of the vulnerability and enumerate patches in a number of different ways. If you are running authenticated checks you can get a complete package listing from supported Linux platforms.
  • Can you run a scan in Nexpose to scan for only this vulnerability? If so, how do you do this?

  • Is authentication required for my Nexpose scans to detect this?

    • No, we have unauthenticated coverage in addition to authenticated.
  • Does the scan from Nexpose need to be a credentialed scan?

    • See above.
  • Hey I am a Nexpose Customer I was able to do a Template Scan that would only find the CVE-2014-0160 exploit.

  • What is the vulnerability named in Nexpose? Is it OpenSSL SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738)?

    • The remote (unauthenticated) check is named OpenSSL (CVE-2014-0160).
    • The package checks shipping at this time are:
      • Amazon Linux AMI: OpenSSL Security Update - Information Disclosure Vulnerability (ALAS-2014-320) (CVE-2014-0160)
      • CESA-2014:0376: OpenSSL security update
      • DSA-2896-1 OpenSSL -- security update
      • ELSA-2014-0376 Important: Oracle Linux 6 OpenSSL security update
      • RHSA-2014:0376: OpenSSL security update
      • RHSA-2014:0378: rhev-hypervisor6 security update
      • SUSE Linux Security Advisory: SUSE-SU-2014:0492-1
      • USN-2165-1: OpenSSL vulnerabilities
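The two points above about banner version checks being less reliable than a direct test, and about the RHEL 1.0.1e-16 disparity, come down to one triage problem: an upstream OpenSSL version letter says nothing about whether a distribution has backported the fix. The following script is an added example (not Nexpose or Rapid7 code) that classifies constructed banners and package strings into vulnerable / not-vulnerable / verify / unknown, sending distribution-packaged builds to "verify" so they get a direct test or an authenticated package check rather than a verdict from the version alone. The sample banners, host names and the `-16.el6` package string are constructed for illustration.

```python
import re

# Upstream OpenSSL releases affected by CVE-2014-0160 (Heartbleed):
# 1.0.1 through 1.0.1f, and 1.0.2-beta1. 1.0.1g, 1.0.2-beta2 and later, and
# the 1.0.0 / 0.9.8 branches never contained the heartbeat bug.
VERSION_RE = re.compile(
    r"openssl[/ -]?(\d+\.\d+\.\d+)([a-z]*)(?:-beta(\d+))?(?:-(\d+)[\w.]*)?", re.I)
# Distributions that backport fixes without changing the upstream letter.
DISTRO_RE = re.compile(r"\b(centos|red ?hat|rhel|debian|ubuntu|suse|el\d)\b", re.I)

def classify_banner(banner):
    """Return (verdict, reason) for a service banner or package string.

    'vulnerable'     affected upstream release, no sign of a distro build
    'not-vulnerable' upstream release that never contained the bug
    'verify'         affected upstream release inside a distro package, which
                     may already be patched: confirm with a direct test or an
                     authenticated package check (see the RHEL question above)
    'unknown'        no OpenSSL version visible (e.g. IIS banners)
    """
    m = VERSION_RE.search(banner)
    if not m:
        return ("unknown", "no OpenSSL version in banner")
    base, letter, beta, distro_rel = m.groups()
    if base == "1.0.1":
        affected = letter <= "f"      # '' (1.0.1) .. 'f' affected, 'g'+ fixed
    elif base == "1.0.2":
        affected = beta == "1"        # only 1.0.2-beta1 shipped the bug
    else:
        affected = False
    version = base + letter + (f"-beta{beta}" if beta else "")
    if not affected:
        return ("not-vulnerable", f"{version} never contained CVE-2014-0160")
    if distro_rel or DISTRO_RE.search(banner):
        return ("verify", f"{version} is affected upstream, but a distribution "
                          "package may carry the fix without a version change")
    return ("vulnerable", f"{version} is an affected upstream release")

# Constructed sample banners and package strings (not real hosts).
SAMPLES = {
    "web-1": "Server: Apache/2.2.15 (CentOS) OpenSSL/1.0.1e",
    "web-2": "Server: nginx/1.4.7 OpenSSL/1.0.1f",
    "web-3": "Server: Apache/2.4.9 OpenSSL/1.0.1g",
    "web-4": "Server: Apache/2.2.22 OpenSSL/1.0.0k",
    "web-5": "Server: lighttpd OpenSSL/1.0.2-beta1",
    "rhel-6": "openssl-1.0.1e-16.el6",   # rpm -q style string, assumed format
    "win-iis": "Server: Microsoft-IIS/7.5",
}

def triage(samples):
    """Map each asset to a verdict; 'verify' results need a follow-up scan."""
    return {host: classify_banner(b)[0] for host, b in samples.items()}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLES).items():
        print(f"{host:8} {verdict:15} {classify_banner(SAMPLES[host])[1]}")
```

Only the "vulnerable" and "verify" buckets warrant action; the "verify" bucket is exactly where a banner check alone would produce the RHEL false positive described above.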

Metasploit:

  • I use both Nexpose Enterprise and Metasploit Pro. As a part of my vulnerability management process, will I be able to detect all my assets exposed to the 'Heartbleed' vulnerability? In addition, is there a Metasploit exploit where I can run an exploit verification scan?
  • What is the name of the module in Metasploit pro to exploit this vulnerability?
  • Is the exploit also available in Metasploit Pro?
    • The server-side module is available in Metasploit Pro, Community, and Express version 4.9.1 and later.
    • The client-side module will ship in a later update. It was available Friday (4/11) in development versions of the Metasploit Framework, and is called "OpenSSL Heartbeat (Heartbleed) Client Memory Exposure" and is referenced here: http://www.rapid7.com/db/modules/auxiliary/server/openssl_heartbeat_client_memory
  • msfupdate does not appear to be downloading the new Heartbleed module. I use the free version of Metasploit.
    • The server-side module is available in Metasploit Pro, Community, and Express version 4.9.1 and later.
  • Just curious, if I can test with Metasploit, why would someone redirect me to some of these free websites to test??
    • There are many methods of testing exposure. We believe that more testing is better than less.
  • Moving forward can you offer insight on a strategy to prevent future updates to affected versions?
    • Sorry, we didn't follow or understand this question. Please feel free to clarify this one in the comments.
  • Why is the Metasploit module not available within Pro? It can be difficult to explain to leadership that a product purchased does not have capability to detect this, but the free version does.
    • When modules land in the development environment for the Metasploit Framework, they often see some additional tweaking after landing. This is especially the case for quickly written modules like the ones we have today. Metasploit Pro users get the benefit of both internal QA and daily (hourly) usage from the development community to ensure the quality of the modules that ultimately land in Metasploit Pro.