lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <53451A69.3000801@ecsc.co.uk>
Date: Wed, 09 Apr 2014 11:01:13 +0100
From: Fabien Bourdaire <lists@...c.co.uk>
To: bugtraq@...urityfocus.com
Subject: CVE-2014-0160 mitigation using iptables

Following up on the CVE-2014-0160 vulnerability, heartbleed. We've
created some iptables rules to block all heartbeat queries using the
very powerful u32 module.

The rules allow you to mitigate systems that can't yet be patched by
blocking ALL the heartbeat handshakes. We also like the capability to
log external scanners :)

The rules have been specifically created for HTTPS traffic and may be
adapted for other protocols; SMTPS/IMAPS/...


# Log rules
iptables -t filter -A INPUT  -p tcp --dport 443  -m u32 --u32 \
"52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"

# Block rules
iptables -t filter -A INPUT  -p tcp --dport 443  -m u32 --u32 \
"52=0x18030000:0x1803FFFF" -j DROP

# Wireshark rules
$ tshark  -i interface port 443 -R 'frame[68:1] == 18'
$ tshark  -i interface port 443 -R 'ssl.record.content_type == 24'


We believe that this should only be used as a temporary fix to decrease
the exposure window. The log rule should allow you to test the firewall
rules before being used in production. It goes without saying that if
you have any suggested improvements to these rules we would be grateful
if you could share them with the security community.

Clearly, use of these rules is at your own risk ;)


ECSC SOC Team Researchers:
Adam Shore
Alex Innes
Fabien Bourdaire

-- 
ECSC Ltd - http://www.ecsc.co.uk

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ