
"OpenSSL 1.01 — the one production version affected — had been shipping since March 12, 2012"

Does this (above) mean that a Windows 2012 R2 server we ordered a month ago, now running HTTPS sites in IIS, is vulnerable to Heartbleed attacks?


I've read a post that suggests checking if your server is vulnerable by using this site, http://filippo.io/Heartbleed/, but it's probably taking a ton of hits right now, as it's not responding.

adam
  • That'd depend on if Microsoft used OpenSSL when building IIS, wouldn't it? Not to say that M$'s own internal SSL code couldn't have similar problems, but just because OpenSSL is vulnerable doesn't mean that ALL SSL servers are now vulnerable... just the ones built with/using the affected OpenSSL versions. – Marc B Apr 08 '14 at 21:43
  • I wish I could respond to your question. Unfortunately I don't have the experience necessary... as I'm not familiar with how IIS is built, how OSs are configured, or how OpenSSL works. That being the case, I've still been tasked with figuring out if we're vulnerable. Is there any other information I could provide that would clue someone in as to our vulnerability level? – adam Apr 08 '14 at 21:45
  • This is something you'll have to ask Microsoft. But since the OpenSSL license requires products using it to say so, it should be easily discoverable on the M$ website. – Marc B Apr 08 '14 at 21:46
  • @MarcB Thank you, I'll contact MSFT asap! – adam Apr 08 '14 at 21:47
  • @admdrew care to clarify? HTTPS sites run in IIS, and my understanding was that HTTPS runs in SSL. – adam Apr 08 '14 at 21:49
  • @adam OpenSSL `!=` SSL; it's just an (open-source) implementation of the SSL and TLS technologies. As MarcB stated, the OpenSSL license requires it to be named if included in a product. IIS uses an internal implementation of SSL. – admdrew Apr 08 '14 at 21:52
  • @adam Whoops! Just realized I commented `IIS does not use SSL`. I meant to say it doesn't use OpenSSL. – admdrew Apr 08 '14 at 21:56
  • This question appears to be off-topic because it is about software versions, administration and patching. Server Fault has quite a few questions on the topic: http://serverfault.com/questions/tagged/heartbleed. – jww Apr 09 '14 at 19:06
  • @jww Probably why it was closed 12 hours ago for being off-topic ;) and, none of those questions are specifically related to IIS / Win 2012 R2 :( – adam Apr 09 '14 at 19:23
  • @adam - yes, but I wanted you (and others) to have the reference into Server Fault. Also, it's *not* clear to me what happens if an IIS extension can exploit an OpenSSL client using client certs ;) I've been waiting for some reading on the subject. – jww Apr 09 '14 at 19:32
  • @adam - By the way, Microsoft does not use OpenSSL. They have something called `Schannel`. See [Secure Channel](http://msdn.microsoft.com/en-us/library/windows/desktop/aa380123%28v=vs.85%29.aspx) on the MSDN website. Schannel is the Windows XP curse that *lacks* Server Name Indication (SNI) TLS extension. – jww Apr 09 '14 at 19:35
  • @jww That is great information to have, thank you! – adam Apr 09 '14 at 19:36

2 Answers


IIS is not vulnerable as it does not use the OpenSSL library

Update, quote Troy Hunt:

Not all web servers are dependent on OpenSSL. IIS, for example, uses Microsoft’s SChannel implementation which is not at risk of this bug. Does that mean that sites on IIS are not vulnerable to Heartbleed? For the most part, yes, but don’t get too cocky because OpenSSL may still be present within the server farm.

More info here - http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html

Update 2:

Microsoft blog post on IIS and Heartbleed: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx

Tom Hall
  • Nice. Exactly what I needed. The security hornet's nest has been kicked! – craigmoliver Apr 09 '14 at 14:24
  • +1! This is what I get for commenting and not posting an answer, hehe – admdrew Apr 09 '14 at 14:32
  • Tom and admdrew, is there any official document or source to back this statement up? – Zoomzoom Apr 09 '14 at 19:44
  • @Zoomzoom See updated answer. As Troy mentions, OpenSSL may still be present within your server farm, if for example, you're using any load balancers or content delivery networks that use OpenSSL... – Tom Hall Apr 09 '14 at 23:33
  • There are many other exploits to worry about on the Microsoft platform http://hackarde.blogspot.com/2011/10/how-hack-website-by-iis-exploit.html. The nice thing is Microsoft catches up with fixes and they have all these hackers helping bulletproof their software. – xpagesbeast Apr 10 '14 at 02:18
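Troy Hunt's caveat in this answer is the part a Windows admin actually has to act on: IIS terminates TLS with SChannel, but other software installed on the same servers may carry its own copy of OpenSSL. As an added example (not from the answer, Troy Hunt or Microsoft), the PowerShell below inventories a host for the standard OpenSSL 1.0.x Windows DLL names (libeay32.dll, ssleay32.dll) and flags the affected release range 1.0.1 through 1.0.1f (fixed in 1.0.1g); the function names are mine, as is the assumption that the DLL's version resource carries the OpenSSL version text.

```powershell
# Added example, not from the original answer: find OpenSSL DLLs that third-party
# software may have installed on a Windows server and flag Heartbleed-affected
# versions. IIS itself uses SChannel, so any hit here belongs to other software.
# Assumption: OpenSSL's Windows build writes its version text (e.g. "1.0.1e")
# into the DLL's FileVersion/ProductVersion resource. Statically linked copies
# of OpenSSL inside an .exe are not found by this check.

function Test-HeartbleedVersion {
    param([string]$VersionText)
    # Affected: 1.0.1 with no patch letter, and 1.0.1a through 1.0.1f.
    # Fixed in 1.0.1g; 1.0.0 and 0.9.8 never had the bug.
    if ($VersionText -match '(?<!\d)1\.0\.1([a-z])?(?!\d)') {
        $letter = $Matches[1]
        if (-not $letter) { return $true }      # plain 1.0.1
        return ($letter -le 'f')                # a-f affected, g and later fixed
    }
    # 1.0.2-beta1 was also affected but never shipped as a release.
    return [bool]($VersionText -match '1\.0\.2-beta1')
}

function Find-OpenSslDll {
    param(
        # Directories to search; defaults to both Program Files trees.
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    foreach ($root in $Roots) {
        if (-not $root) { continue }   # 32-bit hosts have no ProgramFiles(x86)
        Get-ChildItem -Path $root -Include 'libeay32.dll', 'ssleay32.dll' `
                      -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                [pscustomobject]@{
                    Path       = $_.FullName
                    Version    = $vi.FileVersion
                    Heartbleed = Test-HeartbleedVersion "$($vi.FileVersion) $($vi.ProductVersion)"
                }
            }
    }
}

# List what was found; a True in the Heartbleed column means the product that
# owns that DLL needs its vendor's Heartbleed update, not IIS.
Find-OpenSslDll | Sort-Object Heartbleed -Descending | Format-Table -AutoSize
```

Pass `-Roots 'C:\'` to sweep a whole drive; any flagged DLL should be confirmed against the owning product's own advisory, since a build may carry a patched version under an unchanged version string.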

I've just used http://filippo.io/Heartbleed/ to scan a website we host on Win 2008 IIS7 - SSL is being terminated on the Windows server directly (no load balancing device with SSL offloading in between) - and it's being reported as vulnerable. Similar tests of websites hosted on Win 2012 with IIS8 don't have the same result (they do not show as vulnerable).

Edit (added link to MS forum): http://social.technet.microsoft.com/Forums/en-US/93a24775-6f62-4690-8c86-3652b74c1b4f/openssl-vulnerability?forum=Forefrontedgegeneral

Matthew
  • The scanner gives many false positives, as they say themselves. It's hard to think that the bug in OpenSSL could affect Microsoft code in any way (though this doesn't mean that IIS can't have similar issues in some parts of the code). – Eugene Mayevski 'Callback Apr 09 '14 at 05:52
  • I wonder what security hole makes the scanner report a false positive. I'd be curious to know more about this. – adam Apr 09 '14 at 12:44
  • Test author here: a Yellow result might mean safe, but a consistent, repeated VULNERABLE result is nearly impossible to be a mistake. See http://filippo.io/Heartbleed/faq.html#sure – Filippo Valsorda Apr 09 '14 at 16:06
  • @FiloSottile Congrats on all the publicity with this, your name & test site are on every news post all over the world right now. Let the job offers roll in! :) – adam Apr 09 '14 at 17:40