How to Detect the Heartbleed Vulnerability with AlienVault USM
-
Upload
alienvault -
Category
Technology
-
view
693 -
download
1
description
Transcript of How to Detect the Heartbleed Vulnerability with AlienVault USM
LIVE PRODUCT DEMOSpecial Session: How to Detect the HeartBleed Vulnerability using AlienVault USM
A Brief OverviewWHAT IS THE HEARTBLEED BUG?
Specifically, A bug in the heartbeat mechanism within OpenSSL
Attackers could potentially use leaked cryptographic keys to decrypt secured SSL sessions
Sensitive information such as cryptographic keys used to secure SSL sessions may be disclosed
IT IS A VULNERABILITY IN OPENSSL
DISCLOSED INFORMATION CAN LEAD TO ADDITIONAL ATTACKS
CAN BE USED TO ILLICIT INFORMATION LEAKAGE/DISCLOSURE
WHY IS THE HEARTBLEED BUG SIGNIFICANT?
Specifically, applications such as web servers, mobile application servers, etc. that make the Internet what it is today.
Cisco has advised that their Nexus 1000v and 4000 series switches are vulnerable
That includes mail servers, proxy servers, load balancers and lots more.
OPENSSL PROVIDES CRYPTOGRAPHIC SERVICES TO LOTS OF NETWORKED APPLICATIONS
NETWORK INFRASTRUCTURE DEVICES MAY BE VULNERABLE AS WELL
ANY APPLICATION USING OPENSSL FOR CRYPTOGRAPHIC SERVICES MAY BE VULNERABLE
WHAT IS THE IMPACT IF EXPLOITED?
vulnerable system’s memory in 64 kilobyte chunks
completely circumvent the security services provided by OpenSSL
user passwords to data being transmitted by the applications relying on OpenSSL
AN UNAUTHENTICATED, REMOTE ATTACKER CAN RETRIEVE CONTENTS OF A
WITH THE RIGHT SET OF CIRCUMSTANCES AND A BIT OF EFFORT AN ATTACKER CAN
DISCLOSED/LEAKED INFORMATION CAN RANGE FROM CRYPTOGRAPHIC KEYS TO
HOW DOES THE ATTACK WORK?
explains it quite well actually
xkcd.com/1354/
THIS COMIC FROM XKCD.COM
CREDIT:
Vulnerability and attack detection
HOW IT CAN BE DETECTED
The Heartbleed bug can be detected through remote vulnerability scanning – CVE ID: CVE-2014-0160
Correlation can be used to differentiate between attack attempts and attacks that are successful.
An attacker’s request and a vulnerable server’s response can be detected by monitoring the network. Note that vulnerable applications will not log attempts to exploit this vulnerability. Network intrusion detection is the only effective method for detecting this type of attack.
USE A VULNERABILITY SCANNER TO FIND VULNERABLE SYSTEMS
USE CORRELATION TO IDENTIFY SUCCESSFUL ATTACKS
USE A NETWORK INTRUSION DETECTION SYSTEM TO MONITOR NETWORKS
HOW DO YOU FIX IT?
www.openssl.org/source/
USE VULNERABILITY SCANNING TO IDENTIFY VULNERABLE SYSTEMS AND APPLY THE PATCH
SOME VENDORS, NETWORK DEVICE VENDORS IN PARTICULAR MAY NEED TO PUBLISH THEIR OWN UPDATES/PATCHES
OPENSSL HAS RELEASED A PATCH THAT IS AVAILABLE HERE:
NOW FOR SOME Q&A…
Test Drive AlienVault USMDownload a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http
://www.alienvault.com/live-demo-site
Questions? [email protected]