Official Response from InterSect Alliance regarding the Heartbleed bug and how it affects the Snare product suite.
- Carlos Osorio
SUMMARY
Jul 06, 2015
Background
The Heartbleed Bug is a serious vulnerability in the OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used over networks. It has been designated as CVE-2014-0160, and more information can be found at: http://heartbleed.com/. Only OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable, with all previous versions and the latest 1.0.1g not vulnerable.
Snare Server
The Snare Server is not affected by this vulnerability. All released versions of the Snare Server have used an older version of OpenSSL, with the latest being 0.9.8k-7ubuntu8.15 released in Snare Server v6.3.1. No action needs to be taken if you have a Snare Server within your environment. (This includes legacy versions, such as v5 and below.)
Snare Enterprise Agents/Epilog
Snare Enterprise Agents use OpenSSL as part of the TLS encryption method used for transmitting events securely to the collection server.
The Unix-based Agents that use SSL/TLS (Snare Enterprise Agent for Linux and Snare Enterprise Agent for OSX) use the version of OpenSSL installed on the operating system, and do not come with their own version of OpenSSL. Upgrading your operating system OpenSSL to a patched version will ensure these Agents are not affected by this vulnerability. The other Unix-based Agents (Snare Enterprise Agent for Solaris and Snare Enterprise Epilog for Unix) do not use SSL/TLS, and are not affected.
The Windows-based Agents (Snare Enterprise Agent for Windows, Snare Enterprise Agent for MSSQL, and Snare Enterprise Epilog for Windows) use their own version of OpenSSH, which is version 1.0.1e in the following Agent versions:
· Snare Enterprise Agent for Windows v4.2.2
· Snare Enterprise Agent for MSSQL v1.2.2
· Snare Enterprise Epilog for Windows v1.7.2
All releases of these Agents that contain TLS encryption up to these release versions are affected by this vulnerability however the risk is very low due to the way these Agents use SSL/TLS. There is minimal risk as Snare Enterprise Agents don't run an SSL server, use predefined keys, certificates, or passwords for channel negotiations, however Intersect Alliance is actively working on patching these versions and will release updates to each of these Agents as a matter of the highest priority.
Please upgrade to the following versions of the Snare Enterprise Agents (dated 15th April 2014), to ensure you are not affected by this bug:
· Snare Enterprise Agent for Windows v4.2.3
· Snare Enterprise Agent for MSSQL v1.2.3
· Snare Enterprise Epilog for Windows v1.7.3