Windows Server 2012 R2 and IIS affected by Heartbleed exploit? [closed]
"OpenSSL 1.01 — the one production version affected — had been shipping since March 12, 2012"

Does this (above) mean that a Windows 2012 R2 server we ordered a month ago, now running HTTPS sites in IIS, is vulnerable to Heartbleed attacks?


I've read a post that suggests checking if your server is vulnerable by using this site, http://filippo.io/Heartbleed/, but it's probably taking a ton of hits right now, as it's not responding.

Rowlett answered 8/4, 2014 at 21:42 Comment(12)
That'd depend on if Microsoft used OpenSSL when building IIS, wouldn't it? Not to say that M$'s own internal SSL code couldn't have similar problems, but just because OpenSSL is vulnerable doesn't mean that ALL SSL servers are now vulnerable, just the ones built with/using the affected OpenSSL versions. – Arabelle
I wish I could respond to your question. Unfortunately I don't have the experience necessary, as I'm not familiar with how IIS is built, how OSes are configured, or how OpenSSL works. That being the case, I've still been tasked with figuring out if we're vulnerable. Is there any other information I could provide that would clue someone in as to our vulnerability level? – Rowlett
This is something you'll have to ask Microsoft. But since the OpenSSL license requires products using it to say so, it should be easily discoverable on the M$ website. – Arabelle
@MarcB Thank you, I'll contact MSFT asap! – Rowlett
@admdrew care to clarify? HTTPS sites run in IIS, and my understanding was that HTTPS runs in SSL. – Rowlett
@Rowlett OpenSSL != SSL, it's just an (open-source) implementation of SSL and TLS technologies. As MarcB stated, the OpenSSL license requires it to be named if included in a product. IIS uses an internal implementation of SSL. – Diehard
@Rowlett Whoops! Just realized I commented that IIS does not use SSL. I meant to say it doesn't use OpenSSL. – Diehard
This question appears to be off-topic because it is about software versions, administration and patching. Server Fault has quite a few questions on the topic: serverfault.com/questions/tagged/heartbleed. – Ance
@Ance Probably why it was closed 12 hours ago for being off-topic ;) and none of those questions are specifically related to IIS / Win 2012 R2 :( – Rowlett
@adma - yes, but I wanted you (and others) to have the reference into Server Fault. Also, it's not clear to me what happens if an IIS extension can exploit an OpenSSL client using client certs ;) I've been waiting for some reading on the subject. – Ance
@Rowlett - By the way, Microsoft does not use OpenSSL. They have something called Schannel. See Secure Channel on the MSDN website. Schannel is the Windows XP curse that lacks the Server Name Indication (SNI) TLS extension. – Ance
@Ance That is great information to have, thank you! – Rowlett
94

IIS is not vulnerable, as it does not use the OpenSSL library.

Update, quote Troy Hunt:

Not all web servers are dependent on OpenSSL. IIS, for example, uses Microsoft’s SChannel implementation which is not at risk of this bug. Does that mean that sites on IIS are not vulnerable to Heartbleed? For the most part, yes, but don’t get too cocky because OpenSSL may still be present within the server farm.

More info here - http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html

Update 2:

Microsoft blog post on IIS and Heartbleed: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx

Rufford answered 9/4, 2014 at 0:27 Comment(5)
Nice. Exactly what I needed. The security hornet's nest has been kicked! – Augusto
+1! This is what I get for commenting and not posting an answer, hehe – Diehard
Tom and admdrew, is there any official document or source to back this statement up? – Policyholder
@Policyholder See updated answer. As Troy mentions, OpenSSL may still be present within your server farm, if for example you're using any load balancers or content delivery networks that use OpenSSL... – Rufford
There are many other exploits to worry about on the Microsoft platform hackarde.blogspot.com/2011/10/…. The nice thing is Microsoft catches up with fixes and they have all these hackers helping bulletproof their software. – Uphemia
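The practical takeaway from this answer is that "IIS uses Schannel" does not end the investigation: anything else in the farm that links OpenSSL (load balancers, reverse proxies, VPN gateways, tooling on the Windows boxes themselves) still needs to be inventoried. The script below is an added example, not code from the thread or from any of the products mentioned; it classifies OpenSSL version strings against the Heartbleed-affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g; the 1.0.0 and 0.9.8 branches were never affected). The inventory entries, host names and function names are constructed for illustration.

```python
"""Classify collected component version strings for Heartbleed exposure.

Added example for a defender doing farm-wide inventory; not the thread's code.
Affected OpenSSL releases: 1.0.1 (no letter) up to and including 1.0.1f.
1.0.1g and later are fixed; 1.0.0.x and 0.9.8.x never had the heartbeat bug.
"""
import re

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def classify_openssl(version_string):
    """Return one of: not-openssl, not-affected, affected, fixed.

    A version string is only a first pass: distributions often backport the
    fix and keep the upstream version number, so treat "affected" as
    "investigate", not as proof of exposure.
    """
    m = VERSION_RE.search(version_string)
    if not m:
        # Schannel, NSS, GnuTLS and friends: Heartbleed is an OpenSSL bug.
        return "not-openssl"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)
    if (major, minor, patch) != (1, 0, 1):
        return "not-affected"
    # Plain "1.0.1" and letters "a".."f" are affected; "g" onward are fixed.
    if letter == "" or letter <= "f":
        return "affected"
    return "fixed"


# Constructed sample inventory: (host, component, reported TLS library string).
INVENTORY = [
    ("web01", "IIS 8.5 on Windows Server 2012 R2", "Schannel"),
    ("lb01", "HAProxy TLS termination", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("vpn01", "OpenVPN gateway", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy01", "stunnel wrapper", "OpenSSL 0.9.8y 5 Feb 2013"),
]


def summarize(inventory):
    """Group hosts by classification so the affected list can be actioned."""
    summary = {"not-openssl": [], "not-affected": [], "affected": [], "fixed": []}
    for host, _component, lib in inventory:
        summary[classify_openssl(lib)].append(host)
    return summary


if __name__ == "__main__":
    for status, hosts in summarize(INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

Run it against whatever you can actually collect (`openssl version` on Unix hosts, the vendor's release notes for appliances, a search for loose OpenSSL DLLs on Windows hosts); the point of the "affected" bucket is to drive patching and certificate rotation for those components, while the IIS front ends themselves stay in the "not-openssl" bucket.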
7

I've just used http://filippo.io/Heartbleed/ to scan a website we host on Win 2008 IIS7 - SSL is being terminated on the windows server directly (no load balancing device with SSL offloading in between) - it's being reported as vulnerable. Similar tests of websites hosted on Win 2012 with IIS8 don't have the same result (does not show as vulnerable).

Edit (added link to MS forum): http://social.technet.microsoft.com/Forums/en-US/93a24775-6f62-4690-8c86-3652b74c1b4f/openssl-vulnerability?forum=Forefrontedgegeneral

Hunsaker answered 9/4, 2014 at 3:58 Comment(4)
The scanner gives many false positives, as they say themselves. It's hard to think that the bug in OpenSSL could affect Microsoft code in any way (though this doesn't mean that IIS can't have similar issues in some parts of the code). – Candra
I wonder what security hole makes the scanner report a false positive. I'd be curious to know more about this. – Rowlett
Test author here, a Yellow result might mean safe, but a consistent, repeated VULNERABLE result is nearly impossible to be a mistake. See filippo.io/Heartbleed/faq.html#sure – Sheer
@FiloSottile Congrats on all the publicity with this, your name & test site are on every news post all over the world right now. Let the job offers roll in! :) – Rowlett
