Tools being used to detect the OpenSSL vulnerability often contain bugs too.
According to research by CNS Security, methods for detecting whether your systems are affected have bugs themselves which is leading to false negative results.
Adrian Hayter, blogger and penetration tester at CNS Security, said: “I was called upon to perform checks against numerous systems during the week, and I noticed that some of the scripts would find a vulnerability whilst others would not. This behaviour often depended on the system in question, and upon reviewing the code behind the scripts, I uncovered a number of bugs.”
He said that there are three main bugs which he found whilst performing tests against various server configurations: TLS Version support; TLS Cipher Suite support; and payload detection. Setting up a server that was vulnerable to Heartbleed, but that was configured to demonstrate the bugs, Hayter said he ran 15 scripts and web-based detection tools at it, and only Hut3 Cardiac Arrest and Qualys SSL Labs detected it.
Among those who failed to detect it, was Rapid7’s Metasploit and Tenable’s Nessus scanner. Rapid7 were unable to comment at the time of writing, while Renaud Deraison, chief research officer and co-founder at Tenable Network Security, said: “The setup outlined in the April 14 blog in CNS Hut3 blog is interesting because it narrows down TLS so much that most web clients would not be able to connect to a server configured that way.
“While our original check failed at negotiating this particular cipher, we’ve since modified it to support more cases like this one. There are many other ways where a check could fail however, for instance a lot of the public proof of concepts only test https, but completely ignore other services using SSL such as SMTP, IMAP or OpenVPN. Our research team has been working around the clock to cover as many of these services as possible since day one, and we’re continuing to investigate other programs using SSL in a non-standard way.”
Hayter said: “On a broader level, these results show that whilst proof of concept scripts are great for demonstrating vulnerabilities, they should not be used as a tool for confirming whether your systems are vulnerable. Authors of these detection tools should take care not to rely too much on proof of concept scripts, as bugs can easily be carried over during development.”
