Heartbleed – Cleanup Continues – Web Servers Targeted
Top Tips for Dealing with a Heartbleed Exploit Cleanup
In my first blog post on the Heartbleed issue I looked at ways of getting an inventory of OpenSSL servers and included some information on the way LANGuardian can detect Heartbleed exploit attempts.
Most network administrators have patched their most important web servers, but the problem has not gone away and will take months if not years to resolve. The problem for many is that they don’t realise how many devices and applications have OpenSSL built in, so vulnerable systems may not be obvious when you look at your network inventory.
Tests have confirmed that the Heartbleed bug can expose a server’s private key. Most of the articles published in recent days have focused on high profile attacks like the breach of Canadian tax data. Managers of smaller networks may think that they would not be a target for an attack. However, our own research shows that networks of all shapes and sizes are being targeted.
The following example is taken from a mid-sized public sector network with around 3000 employees. The source IP address is registered in China and it is targeting a web server.
So, what are the lessons?
- Get an inventory of OpenSSL servers on your network and apply patches if needed.
- Make sure you have visibility of all traffic going in and out of your network. Don’t rely on TCP port numbers. SSL connections can be established on any port, not just TCP 443.
- Remember that a network of any size is a target. If you are responsible for managing one, it will be targeted.
If you don’t have visibility on your network at the moment you can download a free trial of LANGuardian today. It can be installed on a physical or virtual system and requires no agents or client software. All you need to do is set up a SPAN or mirror port.
LANGuardian is equipped with a complete SSL decoder which is used as part of its content-based application recognition module (CBAR). CBAR requires access to SSL certificate metadata and other SSL negotiation information to classify encrypted flows. LANGuardian now uses this custom protocol decoder to detect servers with the heartbeat extension in operation and also any Heartbleed exploit attempts. The SSL decoder works in tandem with TCP stream reassembly, so it is difficult to evade by splitting exploits over multiple packets. These two factors mean that LANGuardian’s Heartbleed detection is very accurate when compared, for example, with a signature that simply looks for specific byte patterns in the traffic. You can use this feature for:
- TLS/SSL server detection. Use this feature to create an inventory of all SSL/TLS servers on your network. This does not mean that the servers are vulnerable, but gives you an inventory to start checking patch levels.
- Show which client systems are attempting to compromise a server using the Heartbleed vulnerability. It does not mean that the exploit has been successful, just that the client is attempting to exploit the server. The client system should be inspected.
- Show which servers have the OpenSSL Heartbeat extension enabled. This does not mean that the heartbeat extension is being used in communication, just that it is enabled on the server, and so the patch level of the server should be checked.
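To illustrate the point above about decoding on top of TCP stream reassembly versus matching byte patterns packet by packet, here is an added example (not LANGuardian code, and not from the original post). It parses TLS records from a reassembled byte stream and flags heartbeat requests whose declared payload length exceeds what the record actually carries; a stateless per-packet check of the same condition is shown beside it. The sample segments are constructed for the demonstration.

```python
import struct

HEARTBEAT, HB_REQUEST = 24, 1   # TLS record content type and heartbeat message type

class TlsStreamInspector:
    """Reassembles one direction of a TCP stream into complete TLS records
    before inspecting them, so a record split over segments is still seen."""

    def __init__(self):
        self.buf, self.findings = b"", []

    def feed(self, segment):
        self.buf += segment
        while len(self.buf) >= 5:
            ctype, _ver, length = struct.unpack("!BHH", self.buf[:5])
            if len(self.buf) < 5 + length:
                break                                # rest of record arrives later
            body, self.buf = self.buf[5:5 + length], self.buf[5 + length:]
            self._inspect(ctype, body)
        return self.findings

    def _inspect(self, ctype, body):
        if ctype != HEARTBEAT or len(body) < 3:
            return
        hb_type, claimed = struct.unpack("!BH", body[:3])  # type, payload_length
        actual = len(body) - 3                             # payload + padding present
        if hb_type == HB_REQUEST and claimed > actual:     # the Heartbleed condition
            self.findings.append(("heartbleed_attempt", claimed, actual))

def naive_packet_signature(segment):
    """Stateless per-packet pattern for the same condition; no memory between packets."""
    if len(segment) < 8 or segment[0] != HEARTBEAT:
        return False
    rec_len, hb_type, claimed = struct.unpack("!HBH", segment[3:8])
    return hb_type == HB_REQUEST and claimed > rec_len - 3

def inspect_stream(segments):
    """Run both detectors over a list of TCP segments; return (naive hits, findings)."""
    naive_hits = sum(naive_packet_signature(s) for s in segments)
    inspector = TlsStreamInspector()
    for s in segments:
        inspector.feed(s)
    return naive_hits, inspector.findings

# Constructed sample: a well-formed 20-byte heartbeat request in one segment, then a
# 3-byte request claiming a 16384-byte payload, split between two segments.
BENIGN = b"\x18\x03\x02\x00\x14" + b"\x01\x00\x01" + b"A" + bytes(16)
MALFORMED = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
SEGMENTS = [BENIGN, MALFORMED[:3], MALFORMED[3:]]
```

Running `inspect_stream(SEGMENTS)` gives no hits from the per-packet signature but one `heartbleed_attempt` finding from the reassembling inspector, while `naive_packet_signature(MALFORMED)` only fires when the whole record sits in a single packet.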