“Heartbleed Attack” - How to Create a Custom VM Scan to Detect if your Hosts are Vulnerable

Document created by Bernie Weidel Employee on Apr 9, 2014Last modified by Eric Perraudeau on Apr 17, 2014
Version 19Show Document
  • View in full screen mode

Update:  Qualys has now released the Heartbleed Reporting Capability within the QualysGuard Certificates Dashboard (in VM) so that organizations can move efficiently through the patching and certificate cleanup process. This requires the addition of 2 QIDs to your VM scanning process namely 38116 and 86002. We have updated the instructions below to include these 2 QIDs.

 

NEW - Heartbleed Remediation Report Instructions

https://community.qualys.com/blogs/qualys-tech/2014/04/15/heartbleed-certificate-report

 

 

 

Original: To fully support Heartbleed Scanning & Remediation workflows please follow the below instructions to create a Dynamic Search List for required detections, a Static Search List for required informational items, and apply both search lists to a Scan Option Profile. This will allow you launch targeted scans across your environment to confirm if you may be vulnerable to CVE-2014-0160.

 

Create a Dymanic Search List (for required detections)

  1. Go to Scans > Search Lists > New > Dynamic List
  2. On the General Information tab of the Search List  window, Add in a Title
  3. Go to List Criteria, scroll down and in the CVE  ID field type CVE-2014-0160
  4. Click Save to complete the Search List

 

Create a Static Search List (for required informational items)

  1. Go to Scans > Search Lists > New > Static List
  2. On the General Information tab of the Search List  window, Add in a Title
  3. Go to QIDs, click the Manual button
  4. Copy in the following QIDs: 38116, 86002 and click OK
  5. Click Save to complete the Search List

 

Create an Authenticated Scan Option Profile, with Custom Search List Applied

  1. Go to Scans > Option Profile > New > Option Profile
  2. On the Option Profile Title tab of the window, Add in a Title
  3. Go to the Scan tab, scroll down to Vulnerability  Detection and select Custom
  4. On the right click Add Lists
  5. Searchtype in the title of the Search List you just created, and click Search
  6. Check the box  to the left of the Search List Title, and click OK to add that  Search List to your Option Profile
  7. Repeat Step 4 - Step 6 to add in the 2nd Search List
  8. Scroll down to Authentication and check the types of Authentication Records you would like to leverage for your scan.
  9. Scroll down to the bottom of the page and click Save to complete the Scan Option Profile

 

*please note that "Basic Host Information Checks" must be enabled in your Scan Option Profile when using a Search List for Heartbleed. It is not required when using Complete Vulnerability Detection, since Complete includes all detections by default.

 

You can now launch a customized Authenticated Scan across your environment which looks only for the Heartbleed vulnerability. This scan should run much faster than a typical scan since it’s only looking for these specific vulnerabilities. Please note that Authenticated Scans typically run from an Internal Scanner Appliance, and so you may want to exercise caution if leveraging Authenticated Scanning from an External Perspective.

 

Also, please be sure to include all ports which are running SSL services in your Scan Option Profile. You can add additional custom unique ports if necessary, by editing your Option Profile, going to the Scan Tab, checking the Additional box, and entering the Port Number in the space below. Then scroll down and click save.

 

If you need assistance on creating an Authentication Record, please go to Help > Resources > Tips and Techniques > and select the required guide (e.g. Trusted Scanning for Windows).

 

 

Additional Information on Heartbleed

 

If you are a QualysGuard PCI Customer you can just run a standard PCI Scan which already includes all required unauthenticated detections for Heartbleed by default.

 

Heartbleed Remediation Report Instructions:

https://community.qualys.com/blogs/qualys-tech/2014/04/15/heartbleed-certificate-report

 

High Level overview of Heartbleed:

https://community.qualys.com/blogs/qualys-tech/2014/04/09/heartbleed-detection-update

 

SSL Labs, which includes Heartbleed test:

https://www.ssllabs.com/index.html

 

An additional way to identify if you may have hosts which are vulnerable to Heartbleed is available without the need to run additional scans. If you navigate to Assets, then choose the Applications Tab, then do a search for “OpenSSL” without picking an Asset Group, it should provide a list of which hosts are running OpenSSL, and the version. Users that run authenticated scans could simply download to .csv and have their list of hosts that need to be addressed, all without re-scanning.

Attachments

    Outcomes