CVE-2014-0160 mitigation using iptables

shawn wilson ag4ve.us at gmail.com
Thu Apr 10 17:57:50 UTC 2014


On Thu, Apr 10, 2014 at 9:52 AM,  <Valdis.Kletnieks at vt.edu> wrote:
> On Wed, 09 Apr 2014 11:07:36 +0100, Fabien Bourdaire said:
>
>> # Log rules
>> iptables -t filter -A INPUT  -p tcp --dport 443  -m u32 --u32 \
>> "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"
>
> That 52= isn't going to work if it's an IPv4 packet with an unexpected
> number of IP or TCP options, or an IPv6 connection....

IPv6 wasn't mentioned here (that'd be ip6tables). But yeah, there
might be some other shortcomings with the match. I think it's the
right way to go - it just needs a bit of work (maybe a bm string
match?). You're also going to deal with different versions (see
ssl-heartbleed.nse for the breakdown). Though, I wonder if there are
any other variations you might miss...
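To make the offset problem concrete, here is an added example (not code from this thread or from the rule's author) that parses a raw IPv4/TCP packet, finds where the TCP payload really starts from the IP header length (IHL) and the TCP data offset, and checks for a TLS heartbeat record header there. Next to it is a literal re-implementation of what the quoted u32 rule does: read the 32-bit word at byte 52 from the start of the IP header and test it against 0x18030000..0x1803FFFF. The sample packets are constructed inline for this example (zeroed checksums, a bare record header with no body); the helper names and the 192.0.2.0/24 addresses are my own choices.

```python
"""
Added example: locate the TLS record header in an IPv4/TCP packet from the real
header lengths, versus the fixed offset 52 used by the quoted u32 rule.
Offset 52 is only right for a 20-byte IP header followed by a 32-byte TCP
header (20 bytes + 12 bytes of options, e.g. NOP,NOP,Timestamps).
"""
import struct

TLS_HEARTBEAT = 0x18  # TLS content type for heartbeat records (RFC 6520)


def tls_record_offset(pkt: bytes):
    """Return the offset of the first TCP payload byte, measured from the start
    of the IP header (the same origin u32 uses), or None if the packet is not
    IPv4/TCP or is truncated."""
    if len(pkt) < 20:
        return None
    version = pkt[0] >> 4
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes (20..60)
    if version != 4 or ihl < 20 or pkt[9] != 6:   # protocol 6 = TCP
        return None
    if len(pkt) < ihl + 20:
        return None
    data_off = (pkt[ihl + 12] >> 4) * 4  # TCP header length in bytes (20..60)
    if data_off < 20:
        return None
    return ihl + data_off


def is_tls_heartbeat(pkt: bytes) -> bool:
    """True if the TCP payload begins with a TLS heartbeat record header
    (content type 0x18, major version 0x03): the same 0x1803 test as the
    quoted rule, but applied at the computed offset instead of byte 52."""
    off = tls_record_offset(pkt)
    if off is None or len(pkt) < off + 5:
        return False
    return pkt[off] == TLS_HEARTBEAT and pkt[off + 1] == 0x03


def fixed_offset_matches(pkt: bytes) -> bool:
    """What the quoted u32 match does: compare the big-endian 32-bit word at
    byte 52 against the range 0x18030000:0x1803FFFF."""
    if len(pkt) < 56:                  # u32 cannot read past the packet end
        return False
    word = struct.unpack("!I", pkt[52:56])[0]
    return 0x18030000 <= word <= 0x1803FFFF


def build_packet(ip_options: bytes, tcp_options: bytes, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet to port 443 for this example
    (sample data, not a capture; checksums are left as zero)."""
    ip_options += b"\x00" * (-len(ip_options) % 4)    # pad to 32-bit words
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    ihl = 5 + len(ip_options) // 4
    data_off = 5 + len(tcp_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1,
                      data_off << 4, 0x18, 65535, 0, 0)  # flags PSH|ACK
    tcp += tcp_options + payload
    total = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + ip_options + tcp


# Constructed samples. HEARTBEAT_HDR is only a record header (type 0x18,
# version 0x0301, length 3) plus a 3-byte body; it is not a working message.
HEARTBEAT_HDR = b"\x18\x03\x01\x00\x03" + b"\x01\x00\x00"
TS_OPTS = b"\x01\x01\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"
# An application-data record (type 0x17) whose bytes 12..15 happen to be
# 0x18 0x03 0x00 0x00, i.e. they land on byte 52 when there are no options.
APP_DATA_LOOKALIKE = (b"\x17\x03\x01\x00\x20" + b"\x00" * 7
                      + b"\x18\x03\x00\x00" + b"\x00" * 16)

SAMPLES = {
    "timestamps":        build_packet(b"", TS_OPTS, HEARTBEAT_HDR),        # 52: both match
    "no_tcp_options":    build_packet(b"", b"", HEARTBEAT_HDR),            # 40: rule misses
    "ip_option":         build_packet(b"\x94\x04\x00\x00", TS_OPTS, HEARTBEAT_HDR),  # 56: rule misses
    "app_data_lookalike": build_packet(b"", b"", APP_DATA_LOOKALIKE),     # 40: rule false-positives
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} payload@{tls_record_offset(pkt)}  "
              f"heartbeat={is_tls_heartbeat(pkt)}  u32_offset52={fixed_offset_matches(pkt)}")
```

Only the first sample (no IP options, Timestamps in the TCP header) is caught by the fixed-offset rule; a connection without TCP options or with an IP option slides the record header off byte 52, and unrelated application data can land the 0x1803 bytes on it. A u32 rule can compute the offset from the IHL and data-offset fields itself (`0>>22&0x3C@` and `12>>26&0x3C@` in u32 syntax), which is the kind of rework the reply above has in mind.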

More information about the NANOG mailing list