How to find OpenSSL 1.1 instances

On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. 
That means that it will no longer be receiving publicly-available security fixes.
Users without a third-party extended support contract will no longer receive security fixes or updates.

With this end-of-life announcement, no versions of OpenSSL prior to 3.0.0 are publicly supported.

What is OpenSSL?

OpenSSL is a library that implements a large variety of security functionality, including the Transport Layer Security (TLS) cryptographic protocol that underlies most secure protocols on the Internet like HTTPS.
It also provides the cryptographic functionality needed to compute secure hashes, validate certificates, and perform various other critical operations involving cryptography.

(The early versions of TLS were known as the Secure Sockets Layer, hence “SSL” in the name.)

OpenSSL is extremely widely deployed, and is built into or included by default in a large number of operating systems and distributions.
It is present in countless embedded and mobile devices, and is used by the majority of websites on the Internet to secure their traffic.

Despite (or because of) its popularity, numerous vulnerabilities have been discovered in OpenSSL over the years.
Perhaps most famously, the Heartbleed vulnerability, disclosed in 2014, allowed for sensitive memory disclosure.

Are updates available?

OpenSSL 3.0.0 is available and publicly supported until 2026, while OpenSSL 3.1.0 is available and publicly supported until 2025.
A migration guide has been made available to ease upgrades to these new versions.

How do I find older versions of OpenSSL with runZero?

Detecting OpenSSL can be difficult, since it is a library used by countless other software products.
However, runZero’s advanced scanning and fingerprinting is often able to detect the OpenSSL version used by analyzing the telltale features of cryptographic exchanges.

To find services running on your network that use OpenSSL 1.1.1 or earlier, you can use the following query in the runZero asset inventory:

	tls.stack:"openssl=1.1"

Results from the above query should be triaged to determine if they require patching or vendor intervention.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

IT and security teams rely on an array of cybersecurity tools to manage their network assets. However, these tools often fall short of providing a comprehensive and detailed asset inventory. Consequently, as an organization’s attack surface evolves, the risk of undiscovered or unmanaged assets increases, heightening the potential for network infiltration. 

The 2023 State of Cyber Assets Report uncovered a remarkable 133% year-over-year growth in cyber assets for organizations, surging from an average of 165,000 in 2022 to 393,419 in 2023. This rapid increase in assets resulted in a staggering 589% rise in security vulnerabilities or unresolved findings, accentuating the snowball effect caused by more than doubling the number of assets.

As organizations incorporate an ever-growing number of devices, their attack surface inevitably expands. Thus, gaining a comprehensive understanding of the status of each connected asset becomes crucial.

Each article linked below highlights the limitations of various types of cybersecurity tools for asset management, contrasting them with runZero—an all-encompassing cyber asset management solution that surpasses them all by comparison.

Inefficient cyber asset management tools

1. Endpoint Detection and Response (EDR) agents
   

   EDR works well for endpoint protection but not asset inventory. When incident responders find assets that are compromised but can’t find them in the asset inventory, many teams realize that they went down the wrong path.

2. Spreadsheets
   

   Microsoft Excel and Google Sheets can be an easy first step to track asset data for an IT environment, but they fail entirely as an efficient cyber asset management solution. Spreadsheets require manual data collection resulting in inconsistent attributes, outdated information, lack of detail and incomplete inventory.

3. Vulnerability scanners
   

   Some try to build an asset inventory using vulnerability scanners. Beyond a lack of detail, vulnerability scanners sometimes simply get it wrong; crashing devices, providing a backward-looking view, finding phantom assets, among other concerns. Leading vulnerability scanners simply do not provide a full, accurate, current asset inventory in everyday practice.

4. Configuration Management Database (CMBD)
   

   CMDBs are designed to track data relating to managed IT assets, such as routers, switches, or servers. However, according to Gartner, only 25% of organizations achieve meaningful value with their CMDBs. Beyond incompleteness, data inaccuracy is also a major concern. If you are relying on your CMDB to be a source of truth, you need to be able to trust the information in it. The data in a CMDB will only be as good as its sources.

5. Network Access Control (NAC)
   

   IT and security teams often depend on data from NAC’s and associated network aggregation tools for asset inventory. However, they are designed to control access to the network, an entirely different task from building a comprehensive inventory of devices on the network. If a compromised asset cannot be found in the inventory, it indicates that NACs are suboptimal for asset discovery; a fundamental component of cyber asset management.

6. Free network scannersMost free network scanners don’t scale easily out of the box, often requiring custom databases and scripts to make them suitable for continuous monitoring and collecting inventory from multiple segments or sites.

Why effective cyber asset management matters

In the ever-changing digital landscape of an organization, prioritizing cyber asset management is essential for ensuring the resilience and continuity of operations, as well as safeguarding the reputation and trust of the organization, its stakeholders and the data with which it governs.

It’s foundational to cybersecurity

You simply need to know about the assets on your network before you can manage them. Before effective asset management can take place, it is crucial to have a comprehensive understanding of the assets on your network. By accurately identifying, tracking, and protecting critical assets, organizations can proactively defend against cyber threats, minimize vulnerabilities, and ensure the confidentiality, integrity, and availability of sensitive information.

Preparation is key

IBM’s Cost of a Data Breach Report 2023 shares that the global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years.

By integrating a comprehensive asset inventory into business continuity planning, organizations can effectively identify and prioritize the protection of vital assets crucial for maintaining operations during disasters or disruptions. This proactive strategy enhances the organization’s resilience during times of crisis.

It’s required by regulations and insurance

Various industries, including healthcare, energy, financial services, and government, are all subject to specific regulatory or insurance requirements related to asset management and data protection. A comprehensive asset inventory helps organizations ensure compliance. It enables them to demonstrate their efforts in safeguarding sensitive information and critical infrastructure, thereby avoiding legal penalties and reputational damage.

Take the SolarWinds supply chain attack in 2020, for example. This sophisticated attack involved hackers compromising the software supply chain of SolarWinds, a prominent IT management software provider. The attackers injected malicious code into SolarWinds’ Orion platform updates, which were then distributed to thousands of the company’s customers, major corporations, the Department of Defense, the Department of State, and the Department of Homeland Security to name just a few.

Not only did SolarWinds report upwards of $3.5 million in expenses related to incident investigation and remediation, they were subject to numerous lawsuits, domestic and foreign. Including an investigation into the possible breach of the European Union’s General Data Protection Regulation and other data protection and privacy regulations.

It’s the bedrock of business operations

On the financial aspect, maintaining an asset inventory empowers organizations to monitor their IT investments and infrastructure effectively. Comprehensive knowledge of all assets enables teams to make informed decisions regarding upgrades or replacements for outdated assets, prioritize patching and updates, and avoid unnecessary expenses on redundant or non-essential devices.

Presidio, a global digital services and solutions found immediate success with runZero, using it to onboard clients to their managed service programs. With runZero, they were able to eliminate spreadsheets, thereby reducing the amount of time spent manually collecting client data. Instead, they can focus on delivering outcomes for their clients.

runZero: a complete cyber asset management solution

runZero is a cyber asset management solution that includes CAASM functionality. It combines integrations with EDR and other sources with a proprietary network scanner that is fast and safe even on fragile IoT and OT networks.

runZero scales up to millions of devices, and it’s easy to try. The free 21-day trial even downgrades to a free version for personal use or organizations with less than 256 devices.

The OT (Operational Technology) sector faces significant challenges when it comes to network scanning. OT systems frequently utilize proprietary protocols that may not be compatible with legacy scanners. Consequently, this incompatibility significantly hinders the effective scanning and information gathering from OT devices. As a result, the asset inventory obtained is often incomplete or inaccurate, posing a major security risk. 

Fortunately, runZero avoids aggressive scan tactics, which could destabilize certain IT and OT devices. With runZero, organizations of all types can safely create comprehensive and detailed asset inventories without any disruptions.

How does runZero safely scan OT environments?

runZero employs an innovative incremental fingerprinting approach specifically designed to identify and handle fragile devices effectively. When a fragile device is detected, the method is automatically adjusted to ensure safe scanning. Unlike other scanners that may utilize security probes, runZero’s proprietary scan technology solely utilizes well-formed IP packets. This approach eliminates the risk of disrupting critical operations or causing downtime.

Thanks to its unique and reliable method, runZero has garnered a large and satisfied customer base in various industries including manufacturing, energy, and healthcare. These customers confidently conduct regular scans in their OT environments without encountering any issues.

For a more in-depth understanding of runZero’s approach to OT environments, we invite you to listen to the two podcasts below, featuring runZero founders HD Moore and Chris Kirsch, respectively.

runZero’s approach to scanning ‘fragile devices’ – HD Moore and Dale Peterson on Unsolicited Response podcast

In this episode HD Moore and Dale Peterson spend the first third of the show talking about Metasploit; early reaction, OT modules, and whether Metasploit is still necessary and useful today.

The conversation then shifts to creating asset inventories in IT and OT environments, a core feature of runZero.

Below is a summary of the main talking points in this podcast:

• Why HD decided to run back into the cybersecurity startup world?
• How it started as a solo shop with HD writing all the code.
• How HD thinks Shodan and runZero are different.
• What technique runZero uses to ‘scan’. A term that many fear in OT.
• The OT reaction to this type of scanning.
• What role uses the runZero product?

runZero adds passive scanning for OT networks – Chris Kirsch on the Risky Business podcast

In this Risky Business News sponsor interview Tom Uren talks to Chris Kirsch about how runZero has evolved from an IT network active scanning product to one that can now discover assets on OT and cloud environments using both active and passive scanning approaches.

Play runZero OT minesweeper and win a prize!

There is still time left to play runZero’s OT Minesweeper!

The top three players will win one of the following prizes:

runZero is safe for OT environments, but legacy scanners are not!

In this game, you are a legacy scanner with 30 seconds (and ten total attempts) to recon the network without getting noticed in the fastest time. Just don’t crash any OT devices!

Play OT Minesweeper!

• Promotion ends: August 11th 2023 at 11:59 pm CST
• Winners will be announced at DEF CON 2023

This week, Eclypsium Research published findings on critical vulnerabilities discovered in AMI MegaRAC baseboard management controller (BMC) firmware. Adding to the portfolio of “BMC&C” vulnerabilities that Eclypsium has been discovering and surfacing since late 2022, these two new vulnerabilities (tracked as CVE-2023-34329 and CVE-2023-34330) can be exploited and chained together to yield unauthenticated remote code execution on vulnerable targets. These vulnerabilities could impact many devices, as MegaRAC BMCs are popular across a number of manufacturers and appear in products from AMD, Asus, Dell EMC, Gigabyte, HPE, Lenovo, Nvidia, and more. 

What is an A MI MegaRAC BMC?

MegaRAC baseboard management controllers (BMCs) provide “lights out” management capabilities for remotely monitoring and managing servers. Manufactured by American Megatrends International (AMI), MegaRAC BMCs include a service processor and network connection that operate separately from the server they are connected to. Modern MegaRAC BMC firmware includes support for the Redfish API.

What is the impact?

These two newly disclosed vulnerabilities involve the Redfish service running on the MegaRAC:

• Authentication Bypass via HTTP Header Spoofing (CVE-2023-34329; CVSS score 9.1 – “critical”)
• Code injection via Dynamic Redfish Extension (CVE-2023-34330; CVSS score 8.2 – “high”)

CVE-2023-34329 can be exploited with specially crafted HTTP headers to trick the Redfish service into believing the request is coming from an interface that does not require authentication, such as USB0. On systems which have the No Auth option enabled, these spoofed headers will allow attackers to access and interact with any Redfish API endpoints.

CVE-2023-34330 can be exploited via an HTTP POST action to execute arbitrary code on the MegaRAC processor. While this code-execution-via-POST was an intentional design choice by AMI, it likely was intended for internal development only. However, it is enabled by default in vulnerable versions of the firmware, making it available to a broader audience.

Chaining exploitation of the two above vulnerabilities together can provide attackers with unauthenticated remote code execution and full control over a vulnerable MegaRAC target. Following successful exploitation, attackers can establish persistence, perform data exfiltration, perform lateral movement in the network, deploy malware, and more. Attackers can also perform a denial of service by forcing the server into a reboot loop or even bricking the system so it will no longer properly function.

Are updates available?

AMI has made patched firmware available in versions SPx_12.4 and SPx_13.2. Admins should update MegaRAC BMCs to the newer firmware as soon as possible.

Eclypsium Research also shared mitigations to help reduce the chance of a successful attack, including:

• Ensuring all remote server management network interfaces are NOT exposed externally and operate on networks dedicated to management traffic only.
• Ensuring access to remote server management network interfaces is restricted to administrative users via ACLs or firewalls per Zero Trust Architecture principles.

Additionally, U.S. government agencies and contractors legally required to comply with CISA’s Binding Operational Directive 23-02 should note required guidance to follow (similar to the aforementioned mitigation steps).

How do I find potentially vulnerable MegaRAC BMCs with runZero?

From the Asset inventory, use the following prebuilt query to locate MegaRAC BMC instances in your network:

hw:megarac

Results from the above query should be triaged to verify if those assets are running updated firmware versions.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.