CVE-2014-0160 mitigation using iptables

Following up on the CVE-2014-0160 vulnerability, heartbleed. We've
created some iptables rules to block all heartbeat queries using the
very powerful u32 module.

The rules allow you to mitigate systems that can't yet be patched by
blocking ALL the heartbeat handshakes. We also like the capability to
log external scanners :slight_smile:

The rules have been specifically created for HTTPS traffic and may be
adapted for other protocols; SMTPS/IMAPS/...

# Log rules
iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
"52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"

# Block rules
iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
"52=0x18030000:0x1803FFFF" -j DROP

# Wireshark rules
$ tshark -i interface port 443 -R 'frame[68:1] == 18'
$ tshark -i interface port 443 -R 'ssl.record.content_type == 24'

We believe that this should only be used as a temporary fix to decrease
the exposure window. The log rule should allow you to test the firewall
rules before being used in production. It goes without saying that if
you have any suggested improvements to these rules we would be grateful
if you could share them with the security community.

Clearly, use of these rules is at your own risk :wink:

ECSC SOC Team Researchers:
Adam Shore
Alex Innes
Fabien Bourdaire

as someone pointed out on the UKNOF mailing list yesterday, you make a
number of assumptions in this ruleset which are not necessarily valid.

Please do not claim that this ruleset blocks all heartbeat queries because
it does not.


That 52= isn't going to work if it's an IPv4 packet with an unexpected
number IP or TCP options, or an IPv6 connection....

He was also proven wrong on the Full Disclosure list but he seems to be
pushing this everywhere he can find an audience for some reason.

IPv6 wasn't mentioned here (that'd be ip6tables). But yeah, there
might be some other shortcomings with the match. I think it's the
right way to go - it just needs a bit of work (maybe a bm string
match?). You're also going to deal with different versions (see
ssl-heartbleed.nse for the breakdown). Though, I wonder if there are
any other variations you might miss...