How can Qualys VM detect if SSLv3 is being used in our environment and on what systems?
Thank you,
Bobby Bradshaw
Hi Bobby,
One of the best ways is to create a static search list and report template. I suggest including at least the following QIDs - 86002, 86001, 38596, 38477, 38291, 38116. In the report template make sure to include the QIDs in your filter, include the Text Summary, Vulnerability Details, and Results.
Following the above recommendations as-is did not yield accurate results for me. I had to edit my report template (Filter -> Vulnerability Filter) to include Potential Vulnerabilities and Information Gathered, which resulted in significantly different numbers. Potential Vulnerabilities and Information Gathered are not on by default with new report templates.
In addition, could we run an Asset Search for Hosts with QID 38116 Containing "SSLv3 Protocol is Enabled" for similar results? I'll test to find out.
Hi Matthew,
That is correct, by default those options are not enabled. The below response helps you find only those systems with SSLv3 enabled.
For more information about the Poodle vulnerability check out Ivan’s blog post here.
I understand there is a forthcoming QID, but in the meantime there are a few solutions which can find existing instances of SSLv3. This method has the added benefit of not needing to rescan assets to determine if you are vulnerable.
Asset Search Method
The first and perhaps simplest way is to perform an asset search. Simply go to Vulnerability Management > Assets > Asset Search. Consider searching all asset groups. Alternatively, you may want to limit to only assets scanned within 90 days or external hosts. The important thing is to include only assets that have QID 38116 containing the string “SSLv3_PROTOCOL_IS_ENABLED”.
From here, you can choose to create a tag (static) or simply list and download the affected systems.
Dynamic Tagging Method
If you have Groovy enabled on your account you can automatically tag assets which are found with SSLv3. If you do not know much about asset tagging, please contact your TAM for more information.
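// Only host assets are evaluated by this tag rule
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag the host when its QID 38116 results report SSLv3 as enabled
return asset.resultsForQid(38116L)?.contains("SSLv3_PROTOCOL_IS_ENABLED");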
Several enterprise customers have started looking for ways to identify cases where SSL is present and some form of TLS is not present.
This is a simple reporting use case involving tags.
Since some changes are pending to the way QID 38116 outputs data, multiple string matches are needed for the time being to match all TLS. (The format without _ will eventually replace all other forms.)
Within the asset management module create a tag called TLS.
The TLS tag should look like this:
//----------------------------
//TLS dynamic tag groovy scriptlet:
//tag if TLS 1.0, 1.1, or 1.2 is enabled
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return (asset.resultsForQid(38116L)?.contains("TLSv1 PROTOCOL IS ENABLED") ||
        asset.resultsForQid(38116L)?.contains("TLSv1_PROTOCOL_IS_ENABLED") ||
        asset.resultsForQid(38116L)?.contains("TLSv1.1 PROTOCOL IS ENABLED") ||
        asset.resultsForQid(38116L)?.contains("TLSv1.1_PROTOCOL_IS_ENABLED") ||
        asset.resultsForQid(38116L)?.contains("TLSv1.2_PROTOCOL_IS_ENABLED") ||
        asset.resultsForQid(38116L)?.contains("TLSv1.2 PROTOCOL IS ENABLED"));
//--------------------------------
Don't forget to check the "re-evaluate" if you want your existing VM data to get tagged.
Now create a search list that includes only 38116. Save it as "SSL/TLS Report search list"
Next create a report template.
Report Title: "SSL Servers without TLS Capability".
Findings: Asset tags - Include asset tag "SSLv3" Exclude asset tag "TLS".
Display - uncheck everything except "text summary", "vulnerability details" and "Results"
Filter - custom - select the "SSL/TLS Report Search list"
Status - leave all except fixed checked
State - Uncheck Confirmed vulnerabilities - "Active"
check information gathered - "Active"
Save the report template
run the report
This report will provide a list of all hosts that have SSLv3 enabled that do not currently have any version of TLS active, and show the QID 38116 results.
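The same "SSLv3 enabled, no TLS" selection can be cross-checked offline against exported QID 38116 results. The following is an added example, not part of the original posts or Qualys's own code: it assumes the result text per host is already available as a string, and it goes beyond the tag rules above by matching the underscore and space forms for SSLv3 as well as TLS. The host addresses and result strings are constructed.

```python
import re

# Matches the QID 38116 strings quoted in this thread, in both the
# underscore form and the space-separated form.
_ENABLED = re.compile(
    r"\b(SSLv[23]|TLSv1(?:\.[0-9])?)[ _]PROTOCOL[ _]IS[ _]ENABLED\b"
)


def enabled_protocols(result_text):
    """Return the set of protocol names reported as enabled."""
    return {m.group(1) for m in _ENABLED.finditer(result_text or "")}


def ssl_without_tls(results_by_host):
    """Hosts that report SSLv3 enabled and no TLS version enabled."""
    flagged = []
    for host, text in sorted(results_by_host.items()):
        protos = enabled_protocols(text)
        has_sslv3 = "SSLv3" in protos
        has_tls = any(p.startswith("TLSv1") for p in protos)
        if has_sslv3 and not has_tls:
            flagged.append(host)
    return flagged


# Constructed sample data (documentation addresses, made-up results).
SAMPLE = {
    "192.0.2.10": "SSLv3_PROTOCOL_IS_ENABLED",
    "192.0.2.11": "SSLv3 PROTOCOL IS ENABLED\nTLSv1.2 PROTOCOL IS ENABLED",
    "192.0.2.12": "SSLv3_PROTOCOL_IS_ENABLED\nTLSv1_PROTOCOL_IS_ENABLED",
    "192.0.2.13": "TLSv1.1_PROTOCOL_IS_ENABLED",
    "192.0.2.14": None,  # host with no QID 38116 result at all
    "192.0.2.15": "SSLv3 PROTOCOL IS ENABLED",  # space form only
}

if __name__ == "__main__":
    for host in ssl_without_tls(SAMPLE):
        print(host)
```

A host such as 192.0.2.15 in this sample would be missed by a tag rule that matches only "SSLv3_PROTOCOL_IS_ENABLED" once the output switches to the form without underscores.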