Check Point IPS Protections for OpenSSL "Heartbleed" vulnerability (CVE-2014-0160)
Solution

Check Point released three IPS protections that address the OpenSSL "Heartbleed" vulnerability described in CVE-2014-0160:

Protections:

  • OpenSSL TLS DTLS Heartbeat Information Disclosure

    Protection's description (from the Check Point advisory):

    Most of the tools published in order to exploit/test the OpenSSL Heartbeat vulnerability do not complete a full TLS handshake before sending the malicious message. When using these tools, the connection, including the heartbeat message, is not encrypted. Such connections are successfully blocked by this protection.

    How to locate this protection in SmartDashboard:

    • SmartDashboard - go to the 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Signatures' - search for OpenSSL TLS DTLS Heartbeat Information Disclosure
    • SmartDashboard - go to the 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - expand 'VPN Protocols' - click on 'SSL and TLS' - find OpenSSL TLS DTLS Heartbeat Information Disclosure


  • OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure

    Protection's description (from the Check Point advisory):

    Once the TLS handshake is completed, the Heartbeat messages are encrypted. This protection blocks overly large heartbeat responses, which are typical of malicious requests and are likely to be used for information disclosure. This IPS protection also works when the messages are encrypted.

    How to locate this protection in SmartDashboard:

    • SmartDashboard - go to the 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Signatures' - search for OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure
    • SmartDashboard - go to the 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - click on 'Web Servers' - find OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure


  • TLS and DTLS Heartbeat Extension

    Protection's description (from the Check Point advisory):

    This protection is an Application Control protection. It detects/blocks all Heartbeat messages, whether malicious or not. It is recommended only for customers who are OK with blocking all Heartbeat messages.

    How to locate this protection in SmartDashboard:

    • SmartDashboard - go to the 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Application Controls' - search for TLS and DTLS Heartbeat Extension
    • SmartDashboard - go to the 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - expand 'VPN Protocols' - click on 'SSL and TLS' - find TLS and DTLS Heartbeat Extension
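As an added example (not Check Point's code or signature logic), the following Python models the three detection behaviours described above on one direction of a TLS stream: it assumes RFC 5246 record framing and the RFC 6520 heartbeat body layout, and the 256-byte size threshold is an assumed value, not one taken from the advisory.

```python
import struct

CHANGE_CIPHER_SPEC, HEARTBEAT = 20, 24
# Assumed threshold (not from the article): a genuine heartbeat carries a few
# bytes, so an encrypted heartbeat record far larger than this is suspicious.
MAX_SANE_HEARTBEAT_RECORD = 256

def tls_records(stream):
    """Yield (content_type, body) for each complete TLS record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:  # truncated final record: stop rather than guess
            break
        yield ctype, body
        off += 5 + length

def scan(stream, block_all_heartbeats=False):
    """Alerts for one direction of a TLS connection, modelling the three
    protections: plaintext Heartbleed pattern, overly-long encrypted heartbeat
    after the handshake, or (optionally) any heartbeat at all."""
    alerts, encrypted = [], False  # encrypted flips at ChangeCipherSpec
    for ctype, body in tls_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True
        elif ctype != HEARTBEAT:
            continue
        elif block_all_heartbeats:
            alerts.append("heartbeat extension in use")
        elif not encrypted:
            # RFC 6520 body: type(1) payload_length(2) payload padding(>=16).
            # Patched OpenSSL discards the message if 1+2+payload_length+16
            # exceeds the record body; vulnerable builds trusted the field.
            plen = struct.unpack("!H", body[1:3])[0] if len(body) >= 3 else 0
            if 3 + plen + 16 > len(body):
                alerts.append("plaintext heartbeat claims %d-byte payload in a "
                              "%d-byte record (Heartbleed pattern)" % (plen, len(body)))
        elif len(body) > MAX_SANE_HEARTBEAT_RECORD:
            alerts.append("overly-long heartbeat record (%d bytes) after handshake" % len(body))
    return alerts

def record(ctype, body):
    """Frame a TLS 1.1 record; constructed helper for the samples below."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

# Constructed samples (not captured traffic).
HB_REQUEST_OK = record(HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
HB_REQUEST_BAD = record(HEARTBEAT, b"\x01" + struct.pack("!H", 0x4000))
SERVER_LARGE_RESPONSE = record(CHANGE_CIPHER_SPEC, b"\x01") + record(HEARTBEAT, b"\x00" * 4096)
```

Run `scan()` over the client-to-server bytes to model the first protection and over the server-to-client bytes to model the second; the third is the `block_all_heartbeats` switch.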

These three protections inspect traffic on the following ports and protect both directions: requests from the Server to the Client and replies from the Client to the Server.

TCP ports:
  • 443 (HTTPS - HTTP over SSL)
  • 465 (SMTPS - SMTP over SSL)
  • 563 (NNTPS - NNTP over TLS/SSL)
  • 636 (LDAPS - LDAP over TLS/SSL)
  • 989 (FTPS Data - FTP Data over TLS/SSL)
  • 990 (FTPS Control - FTP Control over TLS/SSL)
  • 992 (Telnet over TLS/SSL)
  • 993 (IMAPS - IMAP over SSL)
  • 995 (POP3S - POP3 over SSL)
  • 1194 (OpenVPN)
  • 2484 (Oracle Database listening for SSL client)
  • 5061 (SIP over TLS)
  • 8443 (Apache Tomcat SSL)
UDP ports:
  • 563 (NNTPS - NNTP over TLS/SSL)
  • 636 (LDAPS - LDAP over TLS/SSL)
  • 4433 (OpenSSL)

This solution is about products that are no longer supported and will not be updated.
