* [Cerowrt-devel] Fwd: [uknof] CVE-2014-0160 mitigation using iptables
[not found] <53453B13.8000705@ecsc.co.uk>
@ 2014-04-09 15:18 ` Dave Taht
2014-04-09 15:41 ` Valdis.Kletnieks
0 siblings, 1 reply; 2+ messages in thread
From: Dave Taht @ 2014-04-09 15:18 UTC (permalink / raw)
To: cerowrt-devel
It is not clear if this could be used to protect things inside the
firewall (switching to a forward rather than input table), nor if it
could be used with ipv6.
---------- Forwarded message ----------
From: Fabien Bourdaire <lists@ecsc.co.uk>
Date: Wed, Apr 9, 2014 at 5:20 AM
Subject: [uknof] CVE-2014-0160 mitigation using iptables
To: uknof@lists.uknof.org.uk
Following up on the CVE-2014-0160 vulnerability, heartbleed. We've
created some iptables rules to block all heartbeat queries using the
very powerful u32 module.
The rules allow you to mitigate systems that can't yet be patched by
blocking ALL the heartbeat handshakes. We also like the capability to
log external scanners :)
The rules have been specifically created for HTTPS traffic and may be
adapted for other protocols; SMTPS/IMAPS/...
# Log rules
iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
"52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"
# Block rules
iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
"52=0x18030000:0x1803FFFF" -j DROP
# Wireshark rules
$ tshark -i interface port 443 -R 'frame[68:1] == 18'
$ tshark -i interface port 443 -R 'ssl.record.content_type == 24'
We believe that this should only be used as a temporary fix to decrease
the exposure window. The log rule should allow you to test the firewall
rules before being used in production. It goes without saying that if
you have any suggested improvements to these rules we would be grateful
if you could share them with the security community.
Clearly, use of these rules is at your own risk ;)
ECSC SOC Team Researchers:
Adam Shore
Alex Innes
Fabien Bourdaire
--
ECSC Ltd - http://www.ecsc.co.uk
--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [Cerowrt-devel] Fwd: [uknof] CVE-2014-0160 mitigation using iptables
2014-04-09 15:18 ` [Cerowrt-devel] Fwd: [uknof] CVE-2014-0160 mitigation using iptables Dave Taht
@ 2014-04-09 15:41 ` Valdis.Kletnieks
0 siblings, 0 replies; 2+ messages in thread
From: Valdis.Kletnieks @ 2014-04-09 15:41 UTC (permalink / raw)
To: Dave Taht; +Cc: cerowrt-devel
[-- Attachment #1: Type: text/plain, Size: 454 bytes --]
On Wed, 09 Apr 2014 08:18:23 -0700, Dave Taht said:
> It is not clear if this could be used to protect things inside the
> firewall (switching to a forward rather than input table), nor if it
> could be used with ipv6.
It will require adjusting the 52= in the rule, but otherwise should be
OK for IPv6.
For that matter, the ruleset as given is probably busticated when IP or TCP
options are present, because it assumes a hard-coded offset.
[-- Attachment #2: Type: application/pgp-signature, Size: 848 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-04-09 15:42 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <53453B13.8000705@ecsc.co.uk>
2014-04-09 15:18 ` [Cerowrt-devel] Fwd: [uknof] CVE-2014-0160 mitigation using iptables Dave Taht
2014-04-09 15:41 ` Valdis.Kletnieks
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox