How to Report on Systems That Have SSLv3 Enabled

Document created by Leif Kremkow (Employee) on Oct 16, 2014. Last modified by Leif Kremkow (Employee) on Oct 22, 2014. Version 10.

Update3: Qualys have now integrated a POODLE filter into the Certificate Dashboard (similar to the HeartBleed filter) that will help organizations look at their exposure to POODLE in a more ergonomic fashion. This does, however, require customers to have accepted the "New data security model" to enable the Certificate Dashboard. Step 5 was added to show this new feature. [Oct. 21st, 2014]

 

Update2: The SSL-related findings that include underscores in the Results, such as "SSLv3_PROTOCOL_IS_ENABLED", are due to faulty behavior of the scanner. This was fixed by Qualys in Scanner Version 7.9.34-1. Step 3a was edited to clarify this. [Oct. 20th, 2014]

 

Update1: Qualys have now released a signature (QID:38603) specifically for the POODLE vulnerability (see SSLv3 and POODLE attacks - Update). This post was updated to include running queries against the vulnerability itself and not just the presence of SSLv3. [Oct. 17th, 2014]

 

 

Introduction

 

Following the recent announcement that SSL version 3 has problems ("SSL 3 is dead …") and a quick confirmation that QualysGuard Vulnerability Management can help (here), this how-to will walk you through the steps to generate a report that identifies all the systems that are impacted, as defined by SSLv3 being available.

 

Prerequisites: i) you need to have scanned, or be able to scan, your perimeter with QualysGuard Vulnerability Management, ii) you will need access to the QualysGuard Vulnerability Management web user interface to generate reports.

 

 

Step 1: Log in to QualysGuard and go to Asset Search

 

[Screenshot: go to Asset Search]

 

Step 2: Report on all, or part, of your perimeter

 

You can create a quick report that will consider all of your perimeter. For this, use the wildcard Asset Group "All", which is all the systems that are in your subscription.

[Screenshot: search scope All]

Alternatively, you can focus on a specific perimeter, or set of perimeters. To make the report easier to read, enable "Include asset group titles in results" (warning: for large perimeters this can significantly increase the time needed to produce a report).

 

[Screenshot: search scope Partial]

Now that you have defined what part of your perimeter to report on, you must define the selection criteria.

 

You may either look for the presence of SSLv3 (Step 3a) or look for the POODLE vulnerability (Step 3b). Looking for SSLv3 might be useful if you only occasionally scan and want to leverage existing scan results in your account, whereas looking for POODLE (Step 3b) might yield more accurate results, provided you have run scans since Qualys published the signature (October 17th, 2014).

 

Step 3a: Focus on SSL information

 

Whilst disabling SSLv3 entirely is perhaps not the best solution for everyone (see the original research This POODLE Bites: Exploiting The SSL 3.0 Fallback), it is a quick and effective solution, and can be conveniently correlated with the problem. There is a caveat though: this will not show us if the server forbids renegotiation.

 

Filter your scan results using the Asset Search by looking for:

  • the occurrence of QID:38116, "SSL Server Information Retrieval" and;
  • which contains the text "SSLv3 PROTOCOL IS ENABLED" (without underscores) to show us that SSLv3 is available.

[Screenshot: Search Criteria, no underscores]

 

There may be systems in your subscription that are no longer responsive, or are no longer being scanned, for which old SSLv3-related findings are still available. If you are interested in seeing these systems that had SSLv3 enabled, and for which there is no recent scan data available, run a query using the following criteria:

  • the occurrence of QID:38116, "SSL Server Information Retrieval" and;
  • which contains the text "SSLv3_PROTOCOL_IS_ENABLED" (with underscores) to show us that SSLv3 is available.

[Screenshot: Search Criteria, with underscores]

 

 

Step 3b: Focus on POODLE vulnerability

 

Whereas Step 3a focused on the availability of SSLv3, taking advantage of existing scan results, it lacked accuracy since it could not check if downgrading was possible. Use this approach to report on the presence of the vulnerability itself. However, it does require you to have run scans since October 17th, when the new signature was published.

 

Filter your scan results using the Asset Search by looking for:

  • the occurrence of QID:38603, "SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)".

[Screenshot: Search Poodle]
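The selection logic of Steps 3a and 3b, applied offline to a list of findings, as an added example that is not part of the original how-to and is not Qualys' own code. The CSV layout (columns IP, QID, Results), the sample rows and the tag names are assumptions constructed for illustration; only the two QIDs and the two marker strings come from this page.

```python
import csv
import io
from collections import defaultdict

# QIDs and marker strings as given in Steps 3a and 3b of this how-to.
QID_SSL_INFO = "38116"   # "SSL Server Information Retrieval"
QID_POODLE = "38603"     # POODLE signature, published October 17th, 2014
SSLV3_MARKER = "SSLv3 PROTOCOL IS ENABLED"        # results without underscores
SSLV3_MARKER_OLD = "SSLv3_PROTOCOL_IS_ENABLED"    # older results with underscores

# Constructed sample export. Column names and result texts are assumptions,
# not the layout of a real QualysGuard report.
SAMPLE_CSV = """IP,QID,Results
192.0.2.10,38116,"SSLv3 PROTOCOL IS ENABLED, TLSv1 PROTOCOL IS ENABLED"
192.0.2.10,38603,"constructed POODLE result text"
192.0.2.20,38116,"SSLv3_PROTOCOL_IS_ENABLED"
192.0.2.30,38116,"TLSv1 PROTOCOL IS ENABLED"
192.0.2.40,38603,"constructed POODLE result text"
"""


def classify(rows):
    """Map each IP to the set of tags its findings justify."""
    tags = defaultdict(set)
    for row in rows:
        qid = row["QID"].strip()
        text = row["Results"] or ""
        if qid == QID_POODLE:
            tags[row["IP"]].add("poodle")             # Step 3b
        elif qid == QID_SSL_INFO and SSLV3_MARKER in text:
            tags[row["IP"]].add("sslv3")              # Step 3a, first query
        elif qid == QID_SSL_INFO and SSLV3_MARKER_OLD in text:
            tags[row["IP"]].add("sslv3-old-result")   # Step 3a, second query
    return tags


def report(csv_text):
    """Return {ip: sorted tag list} for every host matching a query."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {ip: sorted(t) for ip, t in classify(rows).items()}


if __name__ == "__main__":
    for ip, found in sorted(report(SAMPLE_CSV).items()):
        print(ip, ", ".join(found))
```

Hosts tagged only "sslv3-old-result" correspond to the second query in Step 3a: SSLv3 was seen, but there is no recent scan data, so they are candidates for a fresh scan before being reported as exposed.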

 

Step 4: Show the results …

 

Launch the production of the report with "Search". Should nothing happen in your browser once you have pressed that button, please check your web browser's settings, as it may be blocking pop-ups.

 

This would be a typical report, opening in a new window, showing which machines are vulnerable.

[Screenshot: Asset Search Report]

 

 

Step 5: Alternatively, use the Certificate Dashboard.

 

Instead of using the Asset Search, use Qualys' Certificate Dashboard to report on systems that have the POODLE vulnerability in a more ergonomic fashion.

[Screenshot: Certificate Dashboard]

This feature will, however, only be available if the "New data security model" was enabled.
