Tripwire has announced comprehensive detection coverage for Heartbleed (CVE-2014-0160), the OpenSSL vulnerability announced on April 8, 2014, by Codenomicon and Neel Mehta, a security researcher for Google. All Tripwire vulnerability management products, including Tripwire IP360, Tripwire PureCloud and Tripwire SecureScan, provide authenticated and unauthenticated checks for Heartbleed.
“While the response to this vulnerability has initially focused on web servers, it is much more widespread than that,” said Lamar Bailey, director of Tripwire’s Vulnerability and Exposure Research Team (VERT).
“It’s important that information security professionals validate multiple services and operating systems with specific vulnerability checks in order to really understand their exposure to this risk. Simple banner checks and running only authenticated tests are not comprehensive enough, particularly for something this serious.”
OpenSSL is used with a variety of networking products, and many organizations will have more than one vulnerable application or operating system. While web servers are an obvious target, Heartbleed also affects File Transfer Protocol (FTP), Internet Message Access Protocol (IMAP), Post Office Protocol version 3 (POP3), Extensible Messaging and Presence Protocol (XMPP), and Simple Mail Transfer Protocol (SMTP).
Because Heartbleed can affect so many different applications, finding and remediating this critical vulnerability quickly across multiple machines can be a daunting task.
Tripwire SecureScan provides free vulnerability scanning for up to 100 IP addresses and includes comprehensive detection rules that discover Heartbleed in a wide variety of conditions. Tripwire SecureScan contains the same robust vulnerability checks included in Tripwire IP360, a vulnerability management solution used by the largest, most sensitive networks in the world.
Specific Heartbleed-related checks include:
- Remote SSL/TLS vulnerability checks.
- Remote vulnerability checks for SMTP, POP3, XMPP, IMAP and FTP – services that speak plain text and then switch to SSL/TLS.
- Local Windows OpenVPN vulnerability check.
- Local Linux distribution checks for Ubuntu, SUSE, Red Hat, CentOS and Oracle Enterprise Linux.
- A recommendation on issuing a new SSL certificate.
“It is rare for a vulnerability to be as extensive and severe as Heartbleed and the industry reaction is telling as to the severity. We will be dealing with the fallout for a long time,” said Tim Erlin, director of IT security and risk strategy for Tripwire.
“We’re pleased to be able to consistently offer both authenticated and unauthenticated detection across a variety of applications and operating systems, from the entirely free Tripwire SecureScan product to the enterprise class vulnerability management in Tripwire IP360.”
Tripwire Enterprise and Tripwire Log Center can also detect Heartbleed using custom rules and policies.
Editor’s Note: The tool Tripwire SecureScan is no longer in use. For more information, please refer to Tripwire IP360 instead.