Managing Patching Compliance Using DROWN OpenSSL Vulnerability as an Example

As you have probably noticed by now, the attack on OpenSSL known as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption) has recently been disclosed. Red Hat Product Security has provided patches for OpenSSL and recommends applying them to affected systems.

In this post, we will discuss how Red Hat CloudForms and ManageIQ can assist in identifying environments at risk from the DROWN OpenSSL cross-protocol vulnerability. In addition, CloudForms can audit your environments and validate that the patches have been applied.

How can Red Hat CloudForms help?

CloudForms provides a policy-based compliance check which can be used to verify the software and configuration of servers and validate security requirements. These policies are created as a combination of an event, a condition and an action, and use a scope (usually set to infrastructure or guests) to determine whether the policy needs to run. Additional information on using policies can be found in the product documentation: Defining policies and profiles.

CloudForms makes use of the SmartState Analysis functionality, which provides the ability to inspect VM instances and templates for security and configuration data. For example, CloudForms can report on users, groups, packages, init processes, etc., and can even scan files to validate server configuration. SmartState works from snapshots and does not require the installation of an agent on the virtual guests.

With data collected for each environment, policies can be created and applied in order to validate security compliance, e.g. check the openssl package version and release, and then flag an environment as non-compliant if the installed package is vulnerable. Other actions include, but are not limited to, the ability to automatically send an email, raise an incident ticket or schedule an update on your configuration management platform of choice (e.g. Satellite, Ansible, Puppet, Microsoft System Center, etc.).

We have implemented a CloudForms policy to assist in identifying affected OpenSSL package versions and validating the security of the servers visible in our Red Hat CloudForms environment.

How do I get the policy for the DROWN vulnerability in my environment?

The following assumes that you have a Red Hat CloudForms or ManageIQ environment configured with SmartState Analysis enabled. If not, you can obtain an appliance and get started with Red Hat CloudForms or ManageIQ.

The VM compliance policy for the DROWN OpenSSL vulnerability can be downloaded from the ManageIQ Extension Depot. This policy validates the openssl versions installed on all your Red Hat Enterprise Linux environments and flags the systems with vulnerable packages, based on the list of affected and fixed packages provided by Red Hat for RHEL5, RHEL6 and RHEL7 (see https://access.redhat.com/security/vulnerabilities/drown).

  1. Import the Policy and Policy Profile into your CloudForms or ManageIQ environment using the Import/Export functionality (navigate to Control > Import/Export).
  2. Assign the Policy Profile to the virtual machines or instances you wish to scan (e.g. navigate to Infrastructure > Virtual Machines, select a Virtual Machine and click on Policy > Manage Policies, then select Compliance: OpenSSL Security).
  3. Check compliance against the last known configuration (click on Policy > Check Compliance of Last Known Configuration). This step assumes that the VM instance has recently been scanned by SmartState Analysis and that the package information is up to date.
  4. The result of the compliance check can be obtained from the Virtual Machine Summary screen under the Compliance section. If the environment is vulnerable, the compliance status will be marked as Non-Compliant. This means that your VM contains a version of openssl which can be used by the DROWN cross-protocol attack. Note: CloudForms runs SmartState Analysis and compliance checks against each environment whether it is powered off or running. This means that you can flag and report on all VMs, as well as templates, for the DROWN vulnerability, not just the running servers.
  5. At this stage, you probably want to fix your servers by updating the openssl package to the latest version. This can be done manually or automatically following your preferred deployment process (e.g. update the package in your test environment and promote it to your production servers).
  6. Once your environments are patched, perform a SmartState Analysis on the VMs to update the information gathered on the systems and re-run the compliance checks. If the update has been applied, the environment is marked as Compliant.
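The policy's core decision is a package-version comparison: the openssl build reported by SmartState Analysis is compared, using RPM's epoch:version-release ordering, against the fixed build for that RHEL release. The Ruby below is an added example of that logic and is not the post's policy or CloudForms/ManageIQ code; the fixed builds and the inventory records it uses are constructed placeholders (take the real per-release values from the Red Hat advisory linked above), and tilde pre-release handling is omitted.

```ruby
# Split a version or release string into alternating numeric and alpha runs,
# the way rpmvercmp does (tilde pre-release handling is left out).
def rpm_segments(str)
  str.scan(/\d+|[a-zA-Z]+/)
end

# Compare two version/release strings: -1 older, 0 equal, 1 newer.
def rpmvercmp(a, b)
  return 0 if a == b
  sa, sb = rpm_segments(a), rpm_segments(b)
  sa.zip(sb).each do |x, y|
    return 1 if y.nil?                    # a has extra segments: newer
    xn, yn = x.match?(/\A\d+\z/), y.match?(/\A\d+\z/)
    return (xn ? 1 : -1) if xn != yn      # numeric segment beats alpha
    c = xn ? x.to_i <=> y.to_i : x <=> y
    return c unless c.zero?
  end
  sa.length < sb.length ? -1 : 0          # b has extra segments: a is older
end

# Compare full epoch:version-release tuples (hashes with those keys).
def evr_cmp(a, b)
  %i[epoch version release].each do |k|
    c = rpmvercmp(a[k].to_s, b[k].to_s)
    return c unless c.zero?
  end
  0
end

# PLACEHOLDER fixed builds keyed by dist tag, constructed for illustration;
# the real per-release values come from the Red Hat DROWN advisory page.
FIXED_BUILDS = {
  "el5" => { epoch: "0", version: "0.9.8e", release: "6.el5" },
  "el6" => { epoch: "0", version: "1.0.1e", release: "15.el6_7" },
  "el7" => { epoch: "1", version: "1.0.1e", release: "20.el7_2" }
}.freeze

# Status of one openssl package record as a SmartState scan would report it.
def compliance_status(pkg)
  fixed = FIXED_BUILDS[pkg[:release][/el\d+/].to_s]
  return "Unknown" unless fixed           # no reference build for this dist
  evr_cmp(pkg, fixed) >= 0 ? "Compliant" : "Non-Compliant"
end

# Constructed sample inventory: one openssl record per VM.
INVENTORY = [
  { vm: "web01", epoch: "1", version: "1.0.1e", release: "10.el7" },
  { vm: "web02", epoch: "1", version: "1.0.1e", release: "20.el7_2" },
  { vm: "db01",  epoch: "0", version: "0.9.8e", release: "5.el5" },
  { vm: "lab01", epoch: "1", version: "1.0.2h", release: "1.fc23" }
].freeze

def audit(inventory = INVENTORY)
  inventory.map { |p| [p[:vm], compliance_status(p)] }.to_h
end
```

Records whose dist tag has no reference build come back as Unknown rather than Compliant, so a gap in the fixed-version table cannot silently pass a host.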

How can I maintain on-going compliance?

SmartState Analysis and compliance checks can be scheduled to run automatically, either on an interval basis (e.g. every week at a predefined time) or when specific events occur, for example when a new VM gets provisioned or a server is powered on.

Another common use of CloudForms is to create a report containing the results of the latest compliance checks. You could, for example, filter the report for non-compliant servers and notify the ops team via email. An example of such a report is available on the ManageIQ Extension Depot.

As you can see, Red Hat CloudForms and its upstream project ManageIQ can be used as part of your IT security and compliance management to assist in identifying and validating that critical patches have been applied. The policy, profile and report that we used in our lab for the DROWN cross-protocol attack are provided and can be used in your own environment.
