Symantec IT Risk and Compliance Product Group


Detect the Heartbleed Vulnerability & Remediate and Harden Your Infrastructure with Control Compliance Suite (CCS) 

Apr 15, 2014 04:30 PM

What is Heartbleed?

By now you should be well aware of CVE-2014-0160, nicknamed Heartbleed. Security engineers at Codenomicon and Google discovered a vulnerability last week in the popular OpenSSL cryptographic software library, an open-source implementation of the SSL and TLS protocols that a large majority of organizations use to secure Internet traffic. Heartbleed allows anyone on the Internet to read the memory of systems running vulnerable versions of OpenSSL. This may disclose the server's secret keys, allowing attackers to decrypt and eavesdrop on SSL-encrypted communications and to impersonate service providers. Other data in memory may also be disclosed, including user names and passwords or any other data the service holds in memory. OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta are affected; the fix is in 1.0.1g, and the 1.0.0 and 0.9.8 branches never contained the vulnerable heartbeat code. The following operating systems have been distributed with potentially vulnerable OpenSSL versions:

  • Debian Wheezy (stable) (OpenSSL 1.0.1e-2+deb7u4)
  • Ubuntu 12.04.4 LTS (OpenSSL 1.0.1-4ubuntu5.11)
  • CentOS 6.5 (OpenSSL 1.0.1e-15)
  • Fedora 18 (OpenSSL 1.0.1e-4)
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012)
  • OpenBSD 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 (OpenSSL 1.0.1e 11 Feb 2013)
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Symantec has provided guidance on the steps businesses and consumers should take to address this vulnerability on the Symantec Heartbleed Outbreak page. We encourage our customers to check the specific product support pages, and our Heartbleed outbreak page at http://go.symantec.com/outbreak, for information and the most recent updates.

Are Symantec Control Compliance Suite, Symantec Enterprise Security Manager (ESM) or SRAS (Symantec Risk Automation Suite) affected by the Heartbleed OpenSSL Vulnerability?

We are extremely sensitive to the anxiety felt by customers who rely on our software and services as a core part of their work and personal lives. The table below summarizes how this vulnerability affects the Symantec Control Compliance Suite, Symantec Enterprise Security Manager (ESM) and SRAS (Symantec Risk Automation Suite) products.

Product Name                                          OpenSSL Version used                  Affected by Heartbleed?
----------------------------------------------------  ------------------------------------  -----------------------
Risk Automation Suite 4.0.8 (SRAS)                    OpenSSL 1.0.1                         Agents affected
Risk Automation Suite 4.0.7 (SRAS)                    OpenSSL 1.0.0                         Not affected
Control Compliance Suite components                   OpenSSL 0.9.8, OpenSSL 1.0.0          Not affected
  (Assessment Manager, Policy Manager, Risk Manager,
  Standards Manager, Vulnerability Manager)
Control Compliance Suite Vendor Risk Manager* (VRM)   Does not ship any OpenSSL libraries   Not affected
Control Compliance Suite Virtualization Security      Does not ship any OpenSSL libraries   Not affected
  Manager (VSM)
Control Compliance Suite content                      OpenSSL 0.9.8                         Not affected
Enterprise Security Manager (ESM)                     OpenSSL 0.9.8, OpenSSL 1.0.0          Not affected

In Symantec Risk Automation Suite (SRAS) 4.0.8, the RHEL agents and the SecureRecon agents (SUSE, Fedora, and CentOS) are vulnerable. To exploit the OpenSSL vulnerability in an agent, an attacker must cause the agent to connect to a malicious server; because the agent does not listen on a network port, the likelihood of compromising it is very low.

* CCS Vendor Risk Manager (VRM) does not ship with OpenSSL libraries. A customer may optionally include an OpenSSL component when installing Tomcat or generating SSL certificates, but this is at the customer's discretion: none of our prerequisites or post-installation procedures call for the use of OpenSSL.

How can customers utilize Symantec Control Compliance Suite to address “Heartbleed”?

Customers can use Control Compliance Suite's continuous-monitoring content, which is built on security best practices and standards such as SCAP 1.2, the SANS Top 20 Critical Security Controls, and DHS CDM, to detect assets that are vulnerable to Heartbleed.

CCS Standards Manager

Using the latest version of Control Compliance Suite Standards Manager, customers can run a network and asset discovery scan and then:

  • Detect authorized vs. unauthorized hardware.
  • Conduct a software inventory by collecting data from a sample asset to determine whether OpenSSL is installed.
  • Evaluate the asset to detect whether an at-risk version of OpenSSL is present, and scan it for vulnerabilities. Note that distribution packages keep reporting the upstream version (for example 1.0.1e) even after the vendor has backported the fix, so the package release level must be checked as well as the version string.
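The following Python is an added example of the two checks such a software-inventory evaluation needs to make; it is not Control Compliance Suite code and is not part of the original post. It classifies each collected asset from the upstream version string that `openssl version` prints and, because Debian, Ubuntu and Red Hat shipped the fix as a backport without changing that string, from the distribution package release. The hostnames and package releases in SAMPLE_ASSETS are constructed, and the fixed package versions in FIXED_PACKAGE_VERSIONS are assumptions taken from the vendors' CVE-2014-0160 advisories; confirm them against your own distribution's advisory before relying on a "patched_backport" result.

```python
"""Classify inventoried OpenSSL installations for Heartbleed (CVE-2014-0160).

Added example, not Control Compliance Suite code.  Checks two things per asset:
  1. the upstream version from `openssl version` output (1.0.1 - 1.0.1f and
     1.0.2-beta are affected; 1.0.1g, 1.0.0 and 0.9.8 are not)
  2. the distribution package release, because distributions backported the
     fix without bumping the upstream version string
"""
import re

# Upstream versions that contain the vulnerable heartbeat code (per the advisory).
UPSTREAM_VULNERABLE = re.compile(r"^1\.0\.1[a-f]?$|^1\.0\.2-beta1?$")

# Package releases that carry the backported fix.  ASSUMED here from the
# vendors' CVE-2014-0160 advisories; confirm against your own distribution's
# advisory before trusting a "patched_backport" result.
FIXED_PACKAGE_VERSIONS = {
    "debian7": "1.0.1e-2+deb7u5",
    "ubuntu12.04": "1.0.1-4ubuntu5.12",
    "el6": "1.0.1e-16.el6_5.7",
}


def upstream_version(openssl_version_output):
    """Extract '1.0.1e' from 'OpenSSL 1.0.1e 11 Feb 2013' (None if unparsable)."""
    m = re.match(r"OpenSSL\s+(\S+)", openssl_version_output.strip())
    return m.group(1) if m else None


def upstream_vulnerable(version):
    """True if the upstream version lies in the advisory's vulnerable range.
    Vendor suffixes such as '-fips' (RHEL builds) are ignored."""
    core = re.sub(r"-fips.*$", "", version)
    return bool(UPSTREAM_VULNERABLE.match(core))


def version_key(v):
    """Simplified dpkg/rpm ordering: digit runs compare numerically, the rest
    lexically.  Sufficient for the release strings compared here; not a full
    implementation of either vendor's algorithm."""
    return [(True, int(tok)) if tok.isdigit() else (False, tok)
            for tok in re.findall(r"\d+|\D+", v)]


def package_is_fixed(distro, package_version):
    """True/False if a fixed release is known for the distro, else None."""
    fixed = FIXED_PACKAGE_VERSIONS.get(distro)
    if fixed is None:
        return None
    return version_key(package_version) >= version_key(fixed)


def classify(openssl_version_output, distro=None, package_version=None):
    """Return 'not_affected', 'vulnerable', 'patched_backport' or 'unknown'."""
    version = upstream_version(openssl_version_output)
    if version is None:
        return "unknown"
    if not upstream_vulnerable(version):
        return "not_affected"
    # Upstream range says vulnerable; only a known-fixed package release clears it.
    if distro is None or package_version is None:
        return "vulnerable"
    if not package_is_fixed(distro, package_version):  # False, or None if unknown
        return "vulnerable"
    return "patched_backport"


# Constructed sample inventory (hostnames and package releases are made up);
# the distributions mirror the list in the advisory above.
SAMPLE_ASSETS = [
    ("web-01",    "OpenSSL 1.0.1e 11 Feb 2013",            "debian7",     "1.0.1e-2+deb7u4"),
    ("web-02",    "OpenSSL 1.0.1e 11 Feb 2013",            "debian7",     "1.0.1e-2+deb7u5"),
    ("app-01",    "OpenSSL 1.0.1 14 Mar 2012",             "ubuntu12.04", "1.0.1-4ubuntu5.11"),
    ("db-01",     "OpenSSL 1.0.1e-fips 11 Feb 2013",       "el6",         "1.0.1e-15.el6"),
    ("db-02",     "OpenSSL 1.0.1e-fips 11 Feb 2013",       "el6",         "1.0.1e-16.el6_5.7"),
    ("legacy-01", "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008", "el5",         "0.9.8e-27.el5"),
    ("bsd-01",    "OpenSSL 1.0.1c 10 May 2012",            None,          None),
]


def run_inventory(assets=SAMPLE_ASSETS):
    """Map hostname -> classification for every collected asset."""
    return {host: classify(out, distro, pkg) for host, out, distro, pkg in assets}


if __name__ == "__main__":
    for host, status in sorted(run_inventory().items()):
        print(f"{host:10} {status}")
```

A host with no package data is reported as vulnerable whenever its upstream version is in range, and an unknown distribution is never cleared: the conservative default is what you want in an outbreak inventory, since a false "patched" is far more costly than a false "vulnerable" that an administrator then verifies by hand.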

CCS Vulnerability Manager

Customers of Control Compliance Suite Vulnerability Manager can run authenticated checks for supported Linux platforms, as well as platform-independent remote checks. Customers can also use it to test their defenses and assess the impact of Heartbleed in their environments.

The asset discovery and security configuration assessment capabilities of CCS Standards Manager complement the findings and analysis reported by CCS Vulnerability Manager.

CCS Vendor Risk Manager

Customers using CCS Vendor Risk Manager can use the application to identify their most critical third-party partners and reach out to them programmatically to determine which of those partners are vulnerable to Heartbleed, using both surveys and Veracode reports for validation.

CCS Risk Manager

Customers of CCS Risk Manager can pull information from CCS Standards Manager, CCS Vulnerability Manager, and CCS Vendor Risk Manager to identify the most business-critical assets that are exposed to Heartbleed and to prioritize remediation efforts accordingly. Customers can also use CCS Risk Manager to measure and track their Heartbleed response and risk reduction efforts.
