How MWG can protect users from visiting sites vulnerable to the Heartbleed bug

Version 7

    Overview

    The "Heartbleed" vulnerability (CVE-2014-0160) has impacted thousands of servers and products on the internet. With the power and flexibility of the rule engine in McAfee Web Gateway 7 you can now block or warn end users when they try to access one of those web sites that have not been patched yet and are still vulnerable.

    To learn more about Heartbleed, please see this McAfee blog post: http://blogs.mcafee.com/consumer/what-is-heartbleed

    A manual check of individual sites can be performed here: http://tif.mcafee.com/heartbleedtest

    Additional details regarding McAfee product mitigation and remediation can be found at: https://kc.mcafee.com/corporate/index?page=content&id=SB10071

    Disclaimer

    The following tools and rules are provided as-is. They provide a simple scan for CVE-2014-0160 (also known as Heartbleed) on a public server. This scan is not accurate for every possible server configuration.

    By no means are the rules or configurations officially supported. If you do have questions or comments, please use the community to get assistance.

    The web service required (see below) is best hosted on your own local server. McAfee reserves the right to disable the hosted service at any time (please also see the note about the auto expiration of the rules).

    How it works

    The issue with Heartbleed is that it occurs at such a generic level of the HTTPS connection that the standard rules of Secure Web Gateways from any vendor have no visibility into it and therefore cannot protect end users from vulnerable servers.

    McAfee Web Gateway has the unique advantage of the so-called "subscribed lists" and "external lists" features that allow it to talk to external services. We are using these features so that a "Heartbleed Vulnerability Checker" (going forward called "the tool"), hosted on a web server either on the internet or in your local environment, can provide information about vulnerable destination servers to MWG. The basis for this service is the tool also used for https://filippo.io/Heartbleed/ with a PHP script wrapper around it.

     

    The three Components:

    1. The tool

    A web service API that provides real time status checks for vulnerable servers. MWG can query this service through its "external lists" feature. MWG provides the IP and port of the destination HTTPS server that an end user requested and the tool provides a real time response:

    0: Not vulnerable or error
    1: Vulnerable server detected

    Responses to the real time check are cached on the local MWG for 1 hour.

    2. The list

    Every time the tool detects a vulnerable server, it adds the IP to a list of known vulnerable servers. MWG consumes this list through its "subscribed list" feature.

    The list of known vulnerable servers is refreshed by the MWG every 1 hour.

    3. The re-check

    Every hour the tool will re-check all sites on the list of known vulnerable servers to make sure we take them off the list once they have been patched or protected.
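    The hourly re-check loop described above, as an added shell example that is not the article's re_check.sh and not part of the zip file: it walks a list of known-vulnerable IPs, asks the checker about each one and keeps only those still reported as "1". The check.php URL shape is taken from step 7 of the hosting instructions below; that its response body is exactly "0" or "1", the placeholder server address, and the sample IPs with their verdicts are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's re_check.sh: re-check every IP on the
# known-vulnerable list and keep only the ones the checker still reports as 1.
# The checker's two answers are the article's: 0 = not vulnerable or error,
# 1 = vulnerable. Because 0 also covers errors, a host that fails to answer
# once drops off the list until the next real-time check catches it again.

CHECK_SERVER="${CHECK_SERVER:-192.0.2.10}"   # placeholder for your own web server

# check_host_live IP: the real query, using the check.php URL shape from the
# article. Assumes the body is just "0" or "1"; not called by the offline demo.
check_host_live() {
    curl -s "http://$CHECK_SERVER/heartbleed/check.php?host=$1"
}

# check_host IP: constructed verdicts so the example runs without a network.
check_host() {
    case "$1" in
        203.0.113.10) echo 1 ;;   # still unpatched
        203.0.113.20) echo 0 ;;   # patched since the last run
        198.51.100.5) echo 1 ;;   # still unpatched
        *)            echo 0 ;;   # unknown host, or checker error
    esac
}

# recheck_list: reads one IP per line on stdin and prints those still
# vulnerable. The expiration marker in the first line of the subscribed list
# is not an IP, so callers pass only the IP entries (e.g. tail -n +2).
recheck_list() {
    while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        if [ "$(check_host "$ip")" = "1" ]; then
            printf '%s\n' "$ip"
        fi
    done
}

# still_vulnerable_count: number of entries that survive a re-check.
still_vulnerable_count() {
    recheck_list | wc -l | tr -d ' '
}

# Usage on a constructed list (203.0.113.20 is dropped, two entries remain):
#   printf '203.0.113.10\n203.0.113.20\n198.51.100.5\n' | recheck_list
```

    A real deployment would swap check_host for check_host_live and write the surviving entries back behind the expiration marker; the point worth noticing is that a single "0" removes a host, so a checker outage during the cron run empties the list until MWG's real-time lookups repopulate it.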

    Demo Video

    Rules for your MWG

    Prerequisites

    MWG 7.3.2.8 or newer (all 7.4.x versions)

    SSL scanner enabled and deployed

    At the bottom of this document you can find a zip file with the latest rule set and block pages for your MWG. Please download the zip file and follow these steps to install the block pages and then the rules:


    1. Extract the zip file to your local PC

    2. Open the McAfee Web Gateway UI and log in as a policy admin

    3. Import the block pages

    Go to Policy >> Settings >> Actions >> Block >> URL Blocked

    On the right side, click on Template Name >> Edit

    Inside the Template Editor, click on Import and then select the block pages file inside the folder you extracted earlier

    [screenshot: import-blockpages.png]

    After the successful import, you should see two new block pages added to your collection:

    - Heartbleed Block

    - Heartbleed Coaching

    [screenshot: import-blockpages-success.png]


    4. Import the rules

    Under Policy >> Rule Sets select your SSL Scanner rule set and right click on it. Then select Add >> Rule Set from Library

    [screenshot: import-ruleset-library.png]

    Inside the rule set library please select "import from file" and then import the rule set file you extracted earlier

    [screenshot: import-ruleset-library2.png]


    5. Position the rules

    Place the rule set inside your SSL scanner rule set right underneath the "Handle CONNECT Call" rule set

    [screenshot: mwg-rule-placement.png]


    6. Decide whether you would like to block or just warn end users when they visit a vulnerable server

    The default setting is to block access to vulnerable servers. All you have to do is to click "Save Changes" after the import of the rule set.

    To warn users (using MWG coaching functionality) please disable the rule "Block destination Servers vulnerable to heartbleed" and instead enable the rule "Enable Warning for servers Vulnerable to heartbleed".

    [screenshot: enable-warning.png]


    Sample view of the Error Templates

    Block Page:

    [screenshot: full-block.png]

    Warning Page:

    [screenshot: warning.png]


    The web service and the auto expiration of the rules

    The rules attached point to a web server that is running as a PoC at this time.

    As the future of this server has not been determined, the rules provided contain an auto expiration element.

    Basically, the first entry in your "Heartbleed_Servers" subscribed list is an auto expiration date that McAfee controls.

    [screenshot: expiration.png]

    Once this expiration date has been reached, the imported rules will automatically stand down. The goal is to prevent any delays in processing end user requests once the web service is taken offline.

    To not rely on the PoC server, we highly encourage you to run your own server internally (see below).
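    The expiration marker and the stand-down behaviour, as an added shell example that is not part of the article or its rule set (the FAQ entries on the auto expiration further down describe the same mechanism). It assumes the first list entry is an ISO date (YYYY-MM-DD) or the literal NEVER from settings.php; neither format is shown on the page, and the sample list and IPs are constructed.

```shell
#!/bin/sh
# Added example, not the article's rule set: evaluate the Heartbleed_Servers
# subscribed list the way the article describes it. The first entry is an
# expiration marker; once that date is reached the rules stand down and every
# request is allowed, whatever the rest of the list says.
# Assumptions (not on the page): the marker is YYYY-MM-DD or the literal
# NEVER (the settings.php entry that disables expiration).

# Constructed sample, as subscribe.php?prod=mwg might return it.
SAMPLE_LIST='2014-06-30
203.0.113.10
198.51.100.5'

# list_expired LIST TODAY: succeeds (exit 0) when the rules should stand down.
# ISO dates with the dashes removed compare correctly as integers.
list_expired() {
    first=$(printf '%s\n' "$1" | head -n 1)
    [ "$first" = "NEVER" ] && return 1
    f=$(printf '%s' "$first" | tr -d '-')
    t=$(printf '%s' "$2" | tr -d '-')
    [ "$t" -ge "$f" ]
}

# list_ips LIST: the entries after the marker, one per line.
list_ips() {
    printf '%s\n' "$1" | tail -n +2
}

# decide LIST TODAY IP: prints "block" when the IP is on an unexpired list,
# otherwise "allow" (mirrors the default "block" rule after import).
decide() {
    if list_expired "$1" "$2"; then
        echo allow
    elif list_ips "$1" | grep -Fqx "$3"; then
        echo block
    else
        echo allow
    fi
}

# Usage on the constructed sample, the day before and the day of expiration:
#   decide "$SAMPLE_LIST" 2014-06-29 203.0.113.10   -> block
#   decide "$SAMPLE_LIST" 2014-06-30 203.0.113.10   -> allow
```

    Two details matter operationally: the marker is evaluated on every request, so the day the date is reached the protection silently disappears rather than failing closed, and grep -F is used because an IP with dots would otherwise be matched as a pattern.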

    How to host your own Service

    You might wish to host your own service inside your network so that a) you do not have to send any data out to the internet and b) you do not rely on our service, which will eventually be shut down.

    At the bottom of this article you can find a zip file with the necessary scripts to host your own Heartbleed Check tool (instead of relying on a service on the internet that might not be reliably available).

    These installation instructions are based on a Red Hat/CentOS 6.4 system with Apache and PHP already installed. SELinux has been disabled.


    1. Log in as root (or sudo the commands below)

    2. Install the EPEL repository

    wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    rpm -Uvh epel-release-6*.rpm

    3. Install golang and git

    yum install golang git

    4. Create directory and set GOPATH

    mkdir /opt/golang
    export GOPATH=/opt/golang

    5. Install the vulnerability check tool
    (more info on the tool: https://github.com/FiloSottile/Heartbleed )

    go get github.com/FiloSottile/Heartbleed
    go install github.com/FiloSottile/Heartbleed

    6. Place the scripts on the web server

    Copy the zip file downloaded from this article to your web server and place it under /var/www/
    Then switch back to the command line:

    cd /var/www
    unzip mwg_heartbleed-server-v3.1.zip
    chown -R apache:apache heartbleed

    7. Test your Server:

    Real Time check (via external list on MWG). Result should be "0"

    http://<ip of your web server>/heartbleed/check.php?host=mcafee.com

    List of known vulnerable sites (via subscribed list on MWG).

    http://<ip of your web server>/heartbleed/subscribe.php?prod=mwg

    8. Add the hourly re-check script as a cron job

    crontab -e

    add the line

    0 * * * * /bin/sh /var/www/heartbleed/re_check.sh > /dev/null 2>&1

    save and quit

    9. Point MWG at your Server for the Heartbleed checks

    Subscribed List

    To change the subscribed list, go under Policy >> Lists >> Subscribed Lists >> String >> Heartbleed_Servers, then right click and select "Edit", then select "Setup"

    Please replace the existing IP with the IP or hostname of your web server

    [screenshot: replace-subscribed.png]

    External List

    To change the external list, go under Policy >> Settings >> External Lists >> Heartbleed_Check and replace the IP in the "Web service's URL" field with the IP or hostname of your web server

    [screenshot: replace-external.png]


    FAQ

    Why are all entries in the known vulnerable server list IP addresses?

    The assumption is that the vulnerable OpenSSL version is used system wide on a server. So even if multiple hostnames were associated with one server, they were all vulnerable. Having the IP in the list covers all of these potential hosts.

    What's up with the auto expiration?

    As it is expected that vulnerable Heartbleed sites are getting patched over the next few weeks or months, the auto expiration makes sense and guarantees that there will not be any delays for your end user requests when the service is taken offline.

    I am running my own server and I want to adjust the expiration date or even disable it

    Open up /var/www/heartbleed/settings.php

    In this file you can adjust the expiration date or you can uncomment the "NEVER" entry to disable expiration.

    [screenshot: settings.png]


    Downloads

    McAfee Web Gateway Rules and Blockpages

    https://community.mcafee.com/servlet/JiveServlet/download/5870-11-96769/mwg-heartbleed-rules-v3.zip

    Scripts to run your own service

    https://community.mcafee.com/servlet/JiveServlet/download/5870-11-96768/mwg_heartbleed-server-v3.zip


    Changelog

    v3:

    - All checks are based on IPs now instead of hostnames

    - Rules have an auto expiration on them (first element of subscribed list)