Heartbleed OpenSSL Vulnerability Detection – Using HP Universal Discovery & UCMDB

With assistance from Wei, Wei (Xeric, HPSW-R&D-SH) & Yue, Song (Ben, CMS R&D) and Brian T. Miller (Sr. Product Marketing Manager)

Introduction

On April 7, 2014, a serious vulnerability in the popular OpenSSL cryptographic software library was announced. Called the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software.

Essentially, this compromises the secret keys used to identify service providers and to encrypt Internet traffic carrying users' authentication information. Attackers can then potentially eavesdrop on Internet communications, steal data directly from service providers and their users, and impersonate services and users.

A huge number of enterprises were impacted by the Heartbleed bug. The incident shows how security in the enterprise IT environment matters more than ever.

This blog post describes a security solution based on HP Configuration Management System (CMS) and discusses a new way to combine security tooling with CMS technology.

Problem Statement

When it comes to detecting OpenSSL components, most vulnerability scanners only detect whether a device contains a certain version of the OpenSSL components. The information about what else could be impacted, that is, what is related to or associated with the device, is completely missing and is not part of an end-to-end view. This is a big omission that prevents a full understanding of the true business and financial impact and of the required risk mitigation.

To fully understand the impact of an OpenSSL component, it is important not only to discover its existence, but also to provide a map of devices and the relationships between them, showing how they serve applications and business services.

Say a given database server has a vulnerable OpenSSL component: all of the application servers that depend on it could be impacted too, as well as all of the users of those applications downstream. What is necessary is not only to report what the issue is for a given device, but also to show what will happen in the related enterprise IT environment.

How HP UD and UCMDB can help you detect vulnerable OpenSSL components, and understand their business impact

There are four steps involved in this solution:

1. HP Universal Discovery – discovery of data

HP Universal Discovery has an industry-leading ability to discover infrastructure, applications and the dependencies between them across an IT environment using agent-based, agentless, hybrid or passive discovery approaches. This includes the ability to discover resources on a computer system, including files, hardware, running software and more.

As part of Universal Discovery's inventory discovery, all of this discovered information is "wrapped" into a compressed file known as a Scan File. Using this data, Universal Discovery recognizes and normalizes software data. You can find the necessary instructions and supporting SAI files for OpenSSL detection on HP Live Network at the following link – https://hpln.hp.com//node/11331/contentfiles/?dir=19225. The screenshot below shows an example of discovered OpenSSL instances:

Figure 1, Discovered OpenSSL Instances

Note that, due to the nature of OpenSSL usage in applications, it may not be possible to detect every occurrence in an IT environment. Refer to the documentation that accompanies the OpenSSL detection patch on HP Live Network (see Supporting Files and Documentation below).

2. Enrichment and Analysis of Discovered Data

HP Universal CMDB provides two levels of analysis of the inventory data discovered via the Universal Discovery server: file level and application level.

Information is captured in Scan Files which, after being downloaded to the Universal Discovery Probes, are processed by a component called the XML Enricher. The scan files contain detailed file information for the software present on a computer, including size, signature and path. For the Windows operating system, they also record the file version, product version and type of dynamic link libraries and executables.

With all of this information collected, we can check these files against the list in the security issue report to find the files where a security issue may reside.

The collected objects can also be analyzed at the application level, using the installed-software information gathered by the Universal Discovery inventory scanners, for further enrichment. Using details such as publisher, release and version of installed software, we can check our list of objects for a security risk.

From here, all of the file-level and application-level issues can be created as Security Issue CIs and linked to a Node or Installed Software CI. The first screenshot below shows the list of OpenSSL objects in the SAI, and the one after it shows the OpenSSL vulnerability associated with installed software.

Figure 2, OpenSSL in SAI

Figure 3, Enriched OpenSSL Vulnerability

3. Impact Analysis – to identify affected business applications

All objects are reported into HP Universal CMDB. In other words, we not only collect information about IT objects but also create the relationships and dependency maps between all of these objects in HP Universal CMDB. An IT manager can then see an end-to-end map of the enterprise IT infrastructure and applications, along with the dependencies between them.

With this comprehensive map of our data, we can run impact analysis using the Security Issue CI. If a piece of software or a node carries a security issue, we know that device is insecure and at risk, and therefore that it has an impact on the applications, nodes or business solutions that depend on it. Because we can show the relationships between these objects, the owner of each application, node or business solution can accurately assess the impact. In the screenshot below, an HR System business application depends on a server whose installed OpenSSL Toolkit carries the OpenSSL vulnerability, giving an end-to-end view of the risk.


Figure 4, Impact Analysis over OpenSSL Vulnerability
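As an added illustration (not HP's code and not part of the original post), the following Python script shows steps 2 and 3 in miniature over constructed inventory records and a constructed dependency map: it flags installed OpenSSL versions in the Heartbleed-affected range as Security Issue CIs linked to their node, then walks the dependency map upstream to list the impacted application and business service CIs. The node names, products and relationships are assumptions; the affected version range is taken from the OpenSSL advisory.

```python
from collections import deque

# OpenSSL versions affected by Heartbleed (CVE-2014-0160): 1.0.1 through 1.0.1f.
# (1.0.2-beta1 was also affected; omitted here for brevity.)
AFFECTED = {"1.0.1"} | {f"1.0.1{c}" for c in "abcdef"}

# Constructed inventory, shaped like the installed-software data a scan file
# yields (node, publisher, product, version). Not real discovery output.
INVENTORY = [
    {"node": "db-server-01", "publisher": "OpenSSL Project", "product": "OpenSSL Toolkit", "version": "1.0.1e"},
    {"node": "app-server-01", "publisher": "OpenSSL Project", "product": "OpenSSL Toolkit", "version": "1.0.1g"},
    {"node": "web-server-01", "publisher": "OpenSSL Project", "product": "OpenSSL Toolkit", "version": "0.9.8y"},
]

# Constructed CI relationships (dependent -> what it depends on), standing in
# for the dependency map UCMDB holds. Assumed names, not from the post.
DEPENDS_ON = {
    "app-server-01": ["db-server-01"],
    "HR System": ["app-server-01"],
    "Payroll": ["HR System"],
    "Intranet": ["web-server-01"],
}


def find_security_issues(inventory):
    """Step 2: one Security Issue CI per vulnerable installed-software record, linked to its node."""
    issues = []
    for sw in inventory:
        if sw["product"].startswith("OpenSSL") and sw["version"] in AFFECTED:
            issues.append({"issue": "Heartbleed", "node": sw["node"],
                           "software": f"{sw['product']} {sw['version']}"})
    return issues


def impact_analysis(issues, depends_on):
    """Step 3: walk the dependency map upstream from each affected node; return every impacted CI."""
    dependents = {}  # reverse index: CI -> set of CIs that depend on it
    for ci, deps in depends_on.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(ci)
    impacted = set()
    queue = deque(issue["node"] for issue in issues)
    while queue:  # breadth-first walk over the reverse dependency edges
        ci = queue.popleft()
        for parent in dependents.get(ci, ()):
            if parent not in impacted:
                impacted.add(parent)
                queue.append(parent)
    return impacted


if __name__ == "__main__":
    found = find_security_issues(INVENTORY)
    print("Security Issue CIs:", found)
    print("Impacted CIs:", sorted(impact_analysis(found, DEPENDS_ON)))
```

Only db-server-01 (1.0.1e) is flagged; 1.0.1g is the fixed release and 0.9.8y predates the affected code, so the Intranet path stays clean while HR System and Payroll are reported as impacted through app-server-01.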

 

4. Taking actions based on the information

Now that we can demonstrate the impact on an application to its owner, notifications can be sent out to address the vulnerability. Tickets can be created in HP Service Manager, or the asset can be marked as not stable in HP Asset Manager, since HP Universal CMDB/Discovery integrates out of the box with both of these applications, in addition to many other IT applications.

Summary

With this comprehensive four-step solution, users of UCMDB/Universal Discovery can quickly and dependably identify whether a server or piece of software is using the vulnerable OpenSSL component, and demonstrate how related business applications and solutions may be impacted through an end-to-end impact analysis view.

We have shown that by using the functionality in the HP Universal Discovery and HP Universal CMDB products, a user can collect the information needed to analyze the risks of OpenSSL vulnerabilities and map them out in a service map that clearly shows the affected instances.

Comprehensive impact analysis is out-of-the-box functionality in HP Universal CMDB.

Supporting Files and Documentation

The SAI library patch and accompanying usage documentation for detecting the Heartbleed OpenSSL vulnerability can be downloaded from HP Live Network's Universal Discovery community at the following link – https://hpln.hp.com//node/11331/contentfiles/?dir=19225

About the Author
Karan Chhina is the Product Manager for HP Universal Discovery and has worked with discovery & dependency mapping and configuration manageme...