CVE-2014-0160 mitigation using iptables
Following up on the CVE-2014-0160 vulnerability, Heartbleed. We've created some iptables rules to block all heartbeat queries using the very powerful u32 module. The rules allow you to mitigate systems that can't yet be patched by blocking ALL the heartbeat handshakes. We also like the capability to log external scanners :)

The rules have been specifically created for HTTPS traffic and may be adapted for other protocols: SMTPS/IMAPS/...

# Log rules
# u32 offsets count from the start of the IP header: offset 52 = 20-byte IPv4
# header + 32-byte TCP header, so bytes 52-55 are the TLS record header.
# The range matches content type 0x18 (heartbeat) followed by version major
# 0x03; the remaining two bytes (version minor, first length byte) are unconstrained.
iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
    "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"

# Block rules
iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
    "52=0x18030000:0x1803FFFF" -j DROP

# Wireshark rules
$ tshark -i interface port 443 -R 'frame[68:1] == 18'
$ tshark -i interface port 443 -R 'ssl.record.content_type == 24'

We believe that this should only be used as a temporary fix to decrease the exposure window. The log rule should allow you to test the firewall rules before they are used in production.

It goes without saying that if you have any suggested improvements to these rules we would be grateful if you could share them with the security community. Clearly, use of these rules is at your own risk ;)

ECSC SOC Team Researchers:
Adam Shore
Alex Innes
Fabien Bourdaire

--
ECSC Ltd - http://www.ecsc.co.uk
On 09/04/2014 11:07, Fabien Bourdaire wrote:
Following up on the CVE-2014-0160 vulnerability, heartbleed. We've created some iptables rules to block all heartbeat queries using the very powerful u32 module.
as someone pointed out on the UKNOF mailing list yesterday, you make a number of assumptions in this ruleset which are not necessarily valid. Please do not claim that this ruleset blocks all heartbeat queries because it does not. Nick
He was also proven wrong on the Full Disclosure list but he seems to be pushing this everywhere he can find an audience for some reason.

-----Original Message-----
From: Nick Hilliard [mailto:nick@foobar.org]
Sent: Thursday, April 10, 2014 6:13 AM
To: Fabien Bourdaire; nanog@nanog.org
Subject: Re: CVE-2014-0160 mitigation using iptables

On 09/04/2014 11:07, Fabien Bourdaire wrote:
Following up on the CVE-2014-0160 vulnerability, heartbleed. We've created some iptables rules to block all heartbeat queries using the very powerful u32 module.
as someone pointed out on the UKNOF mailing list yesterday, you make a number of assumptions in this ruleset which are not necessarily valid. Please do not claim that this ruleset blocks all heartbeat queries because it does not. Nick
On Wed, 09 Apr 2014 11:07:36 +0100, Fabien Bourdaire said:
# Log rules iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \ "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"
That 52= isn't going to work if it's an IPv4 packet with an unexpected number of IP or TCP options, or an IPv6 connection....
On Thu, Apr 10, 2014 at 9:52 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Wed, 09 Apr 2014 11:07:36 +0100, Fabien Bourdaire said:
# Log rules iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \ "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"
That 52= isn't going to work if it's an IPv4 packet with an unexpected number of IP or TCP options, or an IPv6 connection....
IPv6 wasn't mentioned here (that'd be ip6tables). But yeah, there might be some other shortcomings with the match. I think it's the right way to go - it just needs a bit of work (maybe a bm string match?). You're also going to deal with different versions (see ssl-heartbleed.nse for the breakdown). Though, I wonder if there are any other variations you might miss...
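The objection above (a fixed offset of 52 presumes exactly 20 bytes of IPv4 header and 32 bytes of TCP header) is easy to see on real packets. The following example, added here and not part of the thread or of the ECSC rules, builds a few IPv4/TCP packets inline (constructed data, not captures), emulates the u32 "52=0x18030000:0x1803FFFF" test byte for byte, and compares it with a header-aware check that reads IHL and the TCP data offset before looking for the record header. The packet builder, sample addresses and the TLS 1.1 heartbeat request bytes are my own choices for the demonstration.

```python
"""Fixed-offset u32 heartbeat match versus a header-aware match.

Example code written for this page, not part of the original post.  All
packets are constructed below; checksums are left at zero because nothing
here validates them.
"""
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type 24 (RFC 6520)
TLS_MAJOR = 0x03       # SSLv3 and every TLS 1.x share major version 3


def u32_fixed_match(pkt: bytes, offset: int = 52) -> bool:
    """Emulate: iptables -m u32 --u32 "52=0x18030000:0x1803FFFF".

    u32 reads 4 bytes at `offset` (counted from the start of the IP header)
    as a big-endian integer and tests the inclusive range.  A packet that is
    too short for the read never matches.
    """
    if len(pkt) < offset + 4:
        return False
    (word,) = struct.unpack_from("!I", pkt, offset)
    return 0x18030000 <= word <= 0x1803FFFF


def tcp_payload_offset(pkt: bytes):
    """Return the byte offset of the TCP payload, or None if not IPv4/TCP.

    Reads IHL*4 bytes of IPv4 header, then (data offset)*4 bytes of TCP
    header, so IP and TCP options of any length are skipped correctly.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:   # protocol 6 = TCP
        return None
    tcp_hdr = (pkt[ihl + 12] >> 4) * 4
    if tcp_hdr < 20:
        return None
    return ihl + tcp_hdr


def header_aware_match(pkt: bytes) -> bool:
    """True if the TCP payload begins with a heartbeat record header."""
    off = tcp_payload_offset(pkt)
    if off is None or len(pkt) < off + 5:
        return False
    return pkt[off] == TLS_HEARTBEAT and pkt[off + 1] == TLS_MAJOR


def build_packet(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4/TCP packet around `payload` (constructed test data)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl_words = 5 + len(ip_options) // 4
    total = ihl_words * 4 + 20 + len(tcp_options) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80])) + ip_options
    doff_words = 5 + len(tcp_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, doff_words << 4, 0x18, 65535, 0, 0) + tcp_options
    return ip + tcp + payload


# Constructed samples: a TLS 1.1 heartbeat request claiming a 16384-byte
# payload, an ordinary application-data record, and a 12-byte TCP timestamp
# option block (NOP, NOP, TSopt) as Linux normally sends it.
HEARTBEAT_REQUEST = bytes.fromhex("18 03 02 00 03 01 40 00")
APP_DATA = bytes.fromhex("17 03 02 00 05") + b"hello"
TIMESTAMPS = bytes.fromhex("01 01 08 0a 00 00 00 01 00 00 00 00")

SAMPLES = {
    "ipv4 no options, tcp timestamps (payload at 52)": build_packet(HEARTBEAT_REQUEST, tcp_options=TIMESTAMPS),
    "ipv4 no options, tcp no options (payload at 40)": build_packet(HEARTBEAT_REQUEST),
    "ipv4 4-byte option, tcp timestamps (payload at 56)": build_packet(HEARTBEAT_REQUEST, ip_options=b"\x01" * 4, tcp_options=TIMESTAMPS),
    "application data, payload at 52": build_packet(APP_DATA, tcp_options=TIMESTAMPS),
}


def compare(samples=SAMPLES):
    """Return {name: (fixed_offset_result, header_aware_result)} per sample."""
    return {name: (u32_fixed_match(p), header_aware_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (fixed, aware) in compare().items():
        print(f"{name:52s} u32@52={str(fixed):5s} header-aware={aware}")
```

Only the first sample, whose headers happen to total 52 bytes, is caught by the fixed rule; the heartbeat with no TCP options and the one behind an IP option sail past it, while the header-aware check catches all three and still ignores application data. The same IHL/data-offset arithmetic can be spelled in u32 syntax as "0>>22&0x3C@12>>26&0x3C@0=0x18030000:0x1803FFFF" (my expression, not the thread's; test it through the LOG rule before switching to DROP, as the original post advises). Two limits remain even then: the match only sees a record that begins at the first byte of a TCP segment, and IPv6 traffic needs separate ip6tables rules.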
Participants (5): David Hubbard, Fabien Bourdaire, Nick Hilliard, shawn wilson, Valdis.Kletnieks@vt.edu