The "Heartbleed" vulnerability (CVE-2014-0160) has impacted thousands of servers and products on the internet. With the power and flexibility of the rule engine in McAfee Web Gateway 7 you can now block or warn end users when they try to access one of those web sites that have not been patched yet and are still vulnerable.
To learn more about Heartbleed, please see this McAfee blog post: http://blogs.mcafee.com/consumer/what-is-heartbleed
A manual check of individual sites can be performed here: http://tif.mcafee.com/heartbleedtest
Additional details regarding McAfee product mitigation and remediation can be found at: https://kc.mcafee.com/corporate/index?page=content&id=SB10071
The following tools and rules are provided as-is. They provide a simple scan for CVE-2014-0160 (also known as Heartbleed) on a public server. This scan is not accurate for every possible server configuration.
By no means are the rules or configurations officially supported. If you do have questions or comments please use the community to get assistance.
The web service required (see below) is best hosted on your own local server. McAfee reserves the right to disable the hosted service at any time (please also see the note about the auto expiration of the rules).
How it works
The problem with Heartbleed is that it occurs at such a generic level of the HTTPS connection that the standard rules of Secure Web Gateways from any vendor have no visibility into the issue and therefore cannot protect end users from vulnerable servers.
McAfee Web Gateway has the unique advantage of the so-called "subscribed lists" and "external lists" features that allow it to talk to external services. We are using these features so that a "Heartbleed Vulnerability Checker" (going forward called "the tool"), hosted on a web server either on the internet or in your local environment, can provide information about vulnerable destination servers to MWG. The basis for this service is the tool also used for https://filippo.io/Heartbleed/ with a PHP script wrapper around it.
The three components:
1. The tool
A web service API that provides real time status checks for vulnerable servers. MWG can query this service through its "external lists" feature. MWG provides the IP and port of the destination HTTPS server that an end user requested and the tool provides a real time response:
0: Not vulnerable or error
1: Vulnerable server detected
Responses to the real-time check are cached on the local MWG for 1 hour.
2. The list
Every time the tool detects a vulnerable server, it adds the IP to a list of known vulnerable servers. MWG consumes this list through its "subscribed list" feature.
The list of known vulnerable servers is refreshed by the MWG every 1 hour.
3. The re-check
Every hour the tool will re-check all sites on the list of known vulnerable servers to make sure we take them off the list once they have been patched or protected.
Rules for your MWG
MWG 188.8.131.52 or newer (all 7.4.x versions)
SSL scanner enabled and deployed
At the bottom of this document you can find a zip file with the latest rule set and block pages for your MWG. Please download the zip file and follow these steps to install the block pages and then the rules:
1. Extract the zip file to your local PC
2. Open the McAfee Web Gateway UI and login as a policy admin
3. Import the block pages
Go to Policy >> Settings >> Actions >> Block >> URL Blocked
On the right side, click on Template Name >> Edit
Inside the Template Editor, click on Import and then select the block pages file inside the folder you extracted earlier
After the successful import, you should see two new block pages added to your collection:
- Heartbleed Block
- Heartbleed Coaching
4. Import the rules
Under Policy >> Rule Sets select your SSL Scanner rule set and right click on it. Then select Add >> Rule Set from Library
Inside the rule set library please select "import from file" and then import the rule set file you extracted earlier
5. Position the rules
Place the rule set inside your SSL Scanner rule set, directly underneath the "Handle CONNECT Call" rule set.
6. Decide whether you would like to block or just warn end users when they visit a vulnerable server
The default setting is to block access to vulnerable servers. All you have to do is click "Save Changes" after importing the rule set.
To warn users (using MWG coaching functionality) please disable the rule "Block destination Servers vulnerable to heartbleed" and instead enable the rule "Enable Warning for servers Vulnerable to heartbleed".
Sample view of the Error Templates
The web service and the auto expiration of the rules
The rules attached point to a web server that is running as a PoC at this time.
As the future of this server has not been determined, the rules provided contain an auto expiration element.
Basically, the first entry in your "Heartbleed_Servers" subscribed list is an auto expiration date that McAfee controls.
Once this expiration date has been reached, the imported rules will automatically stand down. The goal is to prevent any delays in processing end user requests once the web service is being taken offline.
To avoid relying on the PoC server, we highly encourage you to run your own server internally (see below).
How to host your own Service
You might wish to host your own service inside your network so that a) you do not have to send any data out to the internet and b) you do not rely on our service that eventually will be shut down.
At the bottom of this article you can find a zip file with the necessary scripts to host your own Heartbleed Check tool (instead of relying on a service on the internet that might not be reliably available).
These installation instructions are based on a Red Hat / CentOS 6.4 system with Apache and PHP already installed. SELinux has been disabled.
1. Log in as root (or run the commands below with sudo)
2. Install the epel repository
rpm -Uvh epel-release-6*.rpm
3. Install golang and git
yum install golang git
4. Create directory and set PATH
5. Install the vulnerability check tool
(more info on the tool: https://github.com/FiloSottile/Heartbleed )
go get github.com/FiloSottile/Heartbleed
go install github.com/FiloSottile/Heartbleed
6. Place the scripts on the web server
Copy the zip file downloaded from this article to your web server and extract it under /var/www/ so that the scripts end up in /var/www/heartbleed/
Then switch back to the command line and make the web server user the owner of the scripts:
cd /var/www && chown -R apache:apache heartbleed
7. Test your server:
Real-time check (via the external list on MWG). The result should be "0":
http://<ip of your web server>/heartbleed/check.php?host=mcafee.com
List of known vulnerable sites (via the subscribed list on MWG):
http://<ip of your web server>/heartbleed/subscribe.php?prod=mwg
8. Add the hourly re-check script as a cron job
Open the root crontab in an editor and add the line
0 * * * * /bin/sh /var/www/heartbleed/re_check.sh > /dev/null 2>&1
Then save and quit.
9. Point MWG at your Server for the Heartbleed checks
To change the subscribed list, go to Policy >> Lists >> Subscribed Lists >> String >> Heartbleed_Servers, right click and select "Edit", then select "Setup".
Replace the existing IP with the IP or hostname of your web server.
To change the external list, go to Policy >> Settings >> External Lists >> Heartbleed_Check and replace the IP in the "Web service's URL" field with the IP or hostname of your web server.
Why are all entries in the known vulnerable server list IP addresses?
The assumption is that the vulnerable OpenSSL version is used system-wide on a server. So even if multiple hostnames were associated with one server, they were all vulnerable. Having the IP in the list covers all of these potential hosts.
What's up with the auto expiration?
As vulnerable Heartbleed sites are expected to get patched over the next few weeks or months, the auto expiration makes sense and guarantees that there will not be any delays for your end user requests when the service is taken offline.
I am running my own server and I want to adjust the expiration date or even disable it
Open /var/www/heartbleed/settings.php.
In this file you can adjust the expiration date, or you can uncomment the "NEVER" entry to disable expiration.
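To make the behaviour of the three components and the auto expiration concrete, here is an added Python model (not part of the article, the rule set or the PHP scripts) of the decision MWG ends up making per destination: the rules stand down once the first list entry's date is reached (or never, for "NEVER"), IPs on the subscribed list are blocked outright, and anything else goes to the real-time check whose 0/1 result is cached for one hour. The list format with a YYYY-MM-DD date, the sample IPs and the helper names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of what subscribe.php?prod=mwg is assumed to return:
# first entry is the expiration date, the remaining entries are vulnerable IPs.
SAMPLE_LIST = "2014-06-30\n203.0.113.10\n198.51.100.7\n"

CACHE_TTL = timedelta(hours=1)  # MWG caches real-time results for 1 hour


def ts(s):
    """Helper for the example: parse 'YYYY-MM-DD HH:MM' into a datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_subscribed_list(text):
    """Split the list into (expiration entry, set of known vulnerable IPs)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return None, set()
    return lines[0], set(lines[1:])


def rules_active(expiration, now):
    """Rules stand down once the expiration date is reached; 'NEVER' disables expiry."""
    if expiration is None:
        return False
    if expiration == "NEVER":
        return True
    return now < datetime.strptime(expiration, "%Y-%m-%d")  # assumed date format


class HeartbleedPolicy:
    def __init__(self, list_text, realtime_check):
        self.expiration, self.known = parse_subscribed_list(list_text)
        self.realtime_check = realtime_check  # callable(ip, port) -> 0 or 1
        self.cache = {}  # (ip, port) -> (result, fetched_at)

    def should_block(self, ip, port, now):
        """True when MWG would block the CONNECT to ip:port at time 'now'."""
        if not rules_active(self.expiration, now):
            return False  # service may be gone: don't delay user requests
        if ip in self.known:
            return True  # subscribed list hit, no real-time query needed
        key = (ip, port)
        cached = self.cache.get(key)
        if cached is None or now - cached[1] >= CACHE_TTL:
            cached = (self.realtime_check(ip, port), now)  # external list query
            self.cache[key] = cached
        return cached[0] == 1
```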
McAfee Web Gateway Rules and Blockpages
Scripts to run your own service
- All checks are based on IPs now instead of hostnames
- Rules have an auto expiration on them (first element of subscribed list)