Using Nexpose to Stop the Bleeding (Scanning for the OpenSSL Heartbleed Vulnerability)

Last updated at Fri, 21 Jul 2017 18:56:45 GMT

By now you have almost certainly heard about the recently disclosed OpenSSL Heartbleed vulnerability (CVE-2014-0160). The April 9th update for Nexpose includes both authenticated and unauthenticated vulnerability checks for Heartbleed.

Scanning your assets with the regular full audit template, or indeed any template that isn't tuned to exclude many ports or vulnerabilities, will automatically pick up this vulnerability. But it is also possible to create a focused template to scan specifically for Heartbleed.

On the Administration page, click on TEMPLATES -> Create (or use the T, C keyboard shortcuts).

In the Scan Template Configuration, remove the Web Spidering and Policies check types and give the site a name and description.

Click Next to go to the Asset Discovery section. Check Send ICMP “pings” and Send TCP packets to ports. Enter any TCP ports that may be running SSL on your network.

Nexpose's default Service Discovery options should be sufficient to cover most situations, but if you have any SSL-enabled services on unusual ports you should add them to the Additional ports section of the Service Discovery section.

To adjust the template so it targets only the checks relevant to Heartbleed, first click on the Vulnerability Checks link at the left. Then click the By Category link under "Selected Checks." Under Disabled click the Remove categories button and select all the categories by clicking the checkbox in the table header. Click Save. At this point no vulnerability checks are enabled, and you have a blank slate to add specific checks to the template.

To add the Heartbleed checks, click the triangle next to By Individual Check and click the Add checks button. Type "cve-2014-0160" for the Search criteria and click Search. Click the checkbox in the header of the vulnerability check table to select all of Nexpose's Heartbleed checks, including authenticated checks. If you only want to run unauthenticated checks, just select the OpenSSL (CVE-2014-0160) checks. Nexpose has two unauthenticated checks: one simply looks at HTTP headers for a vulnerable version of OpenSSL, while the other attempts to trigger the bug and examines the data returned by the server to determine whether it is vulnerable. Authenticated checks are available for a variety of platforms (e.g. Ubuntu, Red Hat, etc.) and are able to check servers directly for installed versions of OpenSSL that are vulnerable. A site must be configured with credentials in order for authenticated checks to work.

Click Save in the search dialog and then again in the Scan Template Configuration.

Now you can set up a site to use this template by either editing an existing site or creating a new one. On the Site Configuration page go to Scan Setup and select the custom template you just created. Click Save.

The site is now set up to scan only for Heartbleed vulnerabilities.