How MWG can protect users from visiting sites vulnerable to the Heartbleed bug

Overview

The "Heartbleed" vulnerability (CVE-2014-0160) has impacted thousands of servers and products on the internet. With the power and flexibility of the rule engine in McAfee Web Gateway 7 you can now block or warn end users when they try to access one of those web sites that have not been patched yet and are still vulnerable.

To learn more about Heartbleed, please see this McAfee blog post: http://blogs.mcafee.com/consumer/what-is-heartbleed

A manual check of individual sites can be performed here: http://tif.mcafee.com/heartbleedtest

Additional details regarding McAfee product mitigation and remediation can be found at: https://kc.mcafee.com/corporate/index?page=content&id=SB10071

Disclaimer

The following tools and rules are provided as-is. They provide a simple scan for CVE-2014-0160 (also known as Heartbleed) on a public server. This scan is not accurate for every possible server configuration.

By no means are the rules or configurations officially supported. If you do have questions or comments please use the community to get assistance.

The web service required (see below) is best hosted on your own local server. McAfee reserves the right to disable the hosted service at any time (please also see the note about the auto expiration of the rules).

How it works

The issue with Heartbleed is that it occurs at such a generic level of the HTTPS connection itself that the standard rules of Secure Web Gateways from any vendor have no visibility into it and therefore cannot protect end users from vulnerable servers.

McAfee Web Gateway has the unique advantage of the so-called "subscribed lists" and "external lists" features that allow it to talk to external services. We are using these features so that a "Heartbleed Vulnerability Checker" (going forward called "the tool"), hosted on a web server either on the internet or in your local environment, can provide information about vulnerable destination servers to MWG. The basis for this service is the tool also used for https://filippo.io/Heartbleed/ with a PHP script wrapper around it.

The three Components:

1. The tool


A web service API that provides real time status checks for vulnerable servers. MWG can query this service through its "external lists" feature. MWG provides the IP and port of the destination HTTPS server that an end user requested and the tool provides a real time response:

0: Not vulnerable or error
1: Vulnerable server detected

Responses to the real time check are cached on the local MWG for 1 hour.

2. The list


Every time the tool detects a vulnerable server, it adds the IP to a list of known vulnerable servers. MWG consumes this list through its "subscribed list" feature.

The list of known vulnerable servers is refreshed by the MWG every 1 hour.

3. The re-check

Every hour the tool will re-check all sites on the list of known vulnerable servers to make sure we take them off the list once they have been patched or protected.

Demo Video


Rules for your MWG

Prerequisites

MWG 7.3.2.8 or newer (all 7.4.x versions)

SSL scanner enabled and deployed


At the bottom of this document you can find a zip file with the latest rule set and block pages for your MWG. Please download the zip file and follow these steps to install the block pages and then the rules:

1. Extract the zip file to your local PC

2. Open the McAfee Web Gateway UI and login as a policy admin

3. Import the block pages

Go to Policy >> Settings >> Actions >> Block >> URL Blocked

On the right side, click on Template Name >> Edit

Inside the Template Editor, click on Import and then select the block pages file inside the folder you extracted earlier

import-blockpages.png

After the successful import, you should see two new block pages added to your collection:

- Heartbleed Block

- Heartbleed Coaching

import-blockpages-success.png

4. Import the rules


Under Policy >> Rule Sets select your SSL Scanner rule set and right click on it. Then select Add >> Rule Set from Library

import-ruleset-library.png

Inside the rule set library please select "import from file" and then import the rule set file you extracted earlier

import-ruleset-library2.png

5. Position the rules


Place the rule set inside your SSL Scanner rule set, right underneath the "Handle CONNECT Call" rule set.

mwg-rule-placement.png

6. Decide whether you would like to block or just warn end users when they visit a vulnerable server

The default setting is to block access to vulnerable servers. All you have to do is click "Save Changes" after the import of the rule set.

To warn users (using MWG coaching functionality) please disable the rule "Block destination Servers vulnerable to heartbleed" and instead enable the rule "Enable Warning for servers Vulnerable to heartbleed".

enable-warning.png

Sample view of the Error Templates

Block Page:

full-block.png

Warning Page:

warning.png

The web service and the auto expiration of the rules

The rules attached point to a web server that is running as a PoC at this time.

As the future of this server has not been determined, the rules provided contain an auto expiration element.

Basically, the first entry in your "Heartbleed_Servers" subscribed list is an auto expiration date that McAfee controls.

expiration.png

Once this expiration date has been reached, the imported rules will automatically stand down. The goal is to prevent any delays in processing end user requests once the web service is being taken offline.

To avoid relying on the PoC server, we highly encourage you to run your own server internally (see below).
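The decision flow described under "How it works" and the auto expiration described above, as an added Python illustration (not McAfee's rule set and not the tool's PHP or Go code): a known-vulnerable IP from the subscribed list is blocked outright, anything else goes through the real time check whose "0"/"1" answer is cached for an hour, and everything stands down once the first list entry's date is reached. It assumes the expiration entry is either an ISO date (YYYY-MM-DD) or the word NEVER; the real format only appears in the article's screenshots.

```python
from datetime import date, datetime, timedelta

CACHE_TTL = timedelta(hours=1)   # MWG caches real time answers for 1 hour

# Constructed sample of subscribe.php output; ASSUMPTION: first entry is an
# ISO date (or NEVER), every further entry is a known vulnerable IP.
SAMPLE_LIST = "2014-05-31\n198.51.100.7\n203.0.113.9\n"


def parse_subscribed_list(body: str):
    """Return (expiration date or None for NEVER, set of vulnerable IPs)."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty subscribed list")
    first, entries = lines[0], lines[1:]
    expiration = None if first.upper() == "NEVER" else date.fromisoformat(first)
    return expiration, set(entries)


def rules_active(expiration, today: date) -> bool:
    """Rules stand down once the expiration date has been reached."""
    return expiration is None or today < expiration


class HeartbleedPolicy:
    """Emulates the 'Block destination servers vulnerable to heartbleed' rule."""

    def __init__(self, list_body: str, check_fn, today: date, now: datetime):
        self.expiration, self.known = parse_subscribed_list(list_body)
        self.check_fn = check_fn   # real time query: (ip, port) -> "0" or "1"
        self.today, self.now = today, now
        self.cache = {}            # (ip, port) -> (verdict, valid_until)

    def should_block(self, ip: str, port: int = 443) -> bool:
        if not rules_active(self.expiration, self.today):
            return False           # service taken offline: never delay requests
        if ip in self.known:
            return True            # hourly refreshed list of known vulnerable IPs
        key = (ip, port)
        verdict, valid_until = self.cache.get(key, (None, None))
        if verdict is None or self.now >= valid_until:
            # "1" = vulnerable, "0" = not vulnerable or error (treated as allow)
            verdict = self.check_fn(ip, port).strip() == "1"
            self.cache[key] = (verdict, self.now + CACHE_TTL)
        return verdict
```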

How to host your own Service

You might wish to host your own service inside your network so that a) you do not have to send any data out to the internet and b) you do not rely on our service that eventually will be shut down.

At the bottom of this article you can find a zip file with the necessary scripts to host your own Heartbleed Check tool (instead of relying on a service on the internet that might not be reliably available)

These installation instructions are based on a Red Hat / CentOS 6.4 system with Apache and PHP already installed. SELinux has been disabled.

1. Login as root (or sudo the below)

2. Install the epel repository

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

rpm -Uvh epel-release-6*.rpm

3. Install golang and git

yum install golang git

4. Create directory and set PATH

mkdir /opt/golang

export GOPATH=/opt/golang

5. Install the vulnerability check tool

(more info on the tool: https://github.com/FiloSottile/Heartbleed )

go get github.com/FiloSottile/Heartbleed

go install github.com/FiloSottile/Heartbleed

6. Place the scripts on the web server

Copy the zip file downloaded from this article to your web server and place it under /var/www/

Then switch back to the command line:

cd /var/www

unzip mwg_heartbleed-server-v3.1.zip

chown -R apache:apache heartbleed

7. Test your Server:

Real Time check (via external list on MWG). Result should be "0"

http://<ip of your web server>/heartbleed/check.php?host=mcafee.com

List of known vulnerable sites (via subscribed list on MWG).

http://<ip of your web server>/heartbleed/subscribe.php?prod=mwg

8. Add the hourly re-check script as a cron job

crontab -e

add the line

0 * * * * /bin/sh /var/www/heartbleed/re_check.sh > /dev/null 2>&1


save and quit

9. Point MWG at your Server for the Heartbleed checks

Subscribed List


To change the subscribed list, go under Policy >> Lists >> Subscribed Lists >> String >> Heartbleed_Servers, then right click and select "Edit", then select "Setup".

Please replace the existing IP with the IP or hostname of your web server.

replace-subscribed.png

External List

To change the external list, go under Policy >> Settings >> External Lists >> Heartbleed_Check and replace the IP in the "Web service's URL" field with the IP or hostname of your web server.

replace-external.png

FAQ

Why are all entries in the known vulnerable server list IP addresses?

The assumption is that the vulnerable OpenSSL version is used system-wide on a server. So even if multiple hostnames were associated with one server, they were all vulnerable. Having the IP in the list covers all of these potential hosts.

What's up with the auto expiration?

As it is expected that vulnerable Heartbleed sites will get patched over the next few weeks or months, the auto expiration makes sense and guarantees that there will not be any delays for your end user requests when the service is taken offline.

I am running my own server and I want to adjust the expiration date or even disable it

Open up /var/www/heartbleed/settings.php

In this file you can adjust the expiration date or you can uncomment the "NEVER" entry to disable expiration.

settings.png

Downloads

McAfee Web Gateway Rules and Blockpages

https://community.mcafee.com/servlet/JiveServlet/download/5870-11-96769/mwg-heartbleed-rules-v3.zip

Scripts to run your own service

https://community.mcafee.com/servlet/JiveServlet/download/5870-11-96768/mwg_heartbleed-server-v3.zip

Changelog

v3:

- All checks are based on IPs now instead of hostnames

- Rules have an auto expiration on them (first element of subscribed list)

Attachments
Comments

You should change prerequisites to

MWG 7.3.2.8 or newer, MWG 7.4.1.3 or newer

7.4.0 to 7.4.1.2 are vulnerable to heartbleed.

Version history: Revision 1 of 1, last update 04-17-2014 07:51 AM