How to find OpenSSL 1.1 instances
How to find OpenSSL 1.1 instances #
On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive security fixes or updates.
With this end-of-life announcement, no versions of OpenSSL prior to 3.0.0 are publicly supported.
What is OpenSSL? #
OpenSSL is a library that implements a large variety of security functionality, including the Transport Layer Security (TLS) cryptographic protocol that underlies most secure protocols on the Internet like HTTPS. It also provides the cryptographic functionality needed to compute secure hashes, validate certificates, and perform various other critical operations involving cryptography.
(The early versions of TLS were known as the Secure Sockets Layer, hence “SSL” in the name.)
OpenSSL is extremely widely deployed, and is built into or included by default in a large number of operating systems and distributions. It is present in countless embedded and mobile devices, and is used by the majority of websites on the Internet to secure their traffic.
Despite (or because of) its popularity, numerous vulnerabilities have been discovered in OpenSSL over the years. Perhaps most famously, the Heartbleed vulnerability, disclosed in 2014, allowed for sensitive memory disclosure.
Are updates available? #
OpenSSL 3.0.0 is available and publicly supported until 2026, while OpenSSL 3.1.0 is available and publicly supported until 2025. A migration guide has been made available to ease upgrades to these new versions.
How do I find older versions of OpenSSL with runZero? #
Detecting OpenSSL can be difficult, since it is a library used by countless other software products. However, runZero’s advanced scanning and fingerprinting is often able to detect the OpenSSL version used by analyzing the telltale features of cryptographic exchanges.
To find services running on your network that use OpenSSL 1.1.1 or earlier, you can use the following query in the runZero asset inventory:
tls.stack:"openssl=1.1"
Results from the above query should be triaged to determine if they require patching or vendor intervention.
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
Rob King is a Principal Researcher at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.
Similar Content
September 29, 2023
How to find WS_FTP Server instances?
How to find WS_FTP Server instances? # On September 27th, Progress Sofware announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, …
Read MoreSeptember 26, 2023
How to find TeamCity instances
How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …
Read MoreJuly 31, 2023
How to find Ivanti EPMM (MobileIron Core)
How to find Ivanti Endpoint Manager Mobile (EPMM) with runZero # On July 24th, Ivanti announced that their Endpoint Manager Mobile (EPMM, formerly MobileIron Core) product versions 11.10 and prior contain a critical authentication bypass vulnerability. Successfully …
Read More