Check Point Response to Apache HTTP Server CVE-2011-3192 Denial Of Service Vulnerability
Symptoms
  • Apache HTTP Server is vulnerable to a denial of service triggered by multiple requests that each specify a large number of ranges.
  • For more details, refer to the Apache advisory.
  • The following Check Point products are vulnerable:
    • Security Gateway with SSL VPN/Identity Awareness/DLP Software Blade - R71.10 and later, R75 and later
    • Connectra - R66.1, R66.1n
    • DLP-1 - R75 and later
    • EndPoint Security Server - all versions
    • IPSO platform (Voyager application)
  • To mitigate this threat Check Point released the following solutions:
    • Hotfixes for the vulnerable products.
    • An IPS protection CPAI-2011-402
Solution

Customers of the above products are advised to install the following Hotfixes.

Hotfix for Security Gateway products

Note: If the Hotfix for Security Gateway is uninstalled, any manual changes made to the Apache configuration files after it was installed will be lost.

To check that the hotfix is applied, verify that the following files contain the string "CVE20113192":

 $CVPNDIR/conf/httpd.conf
 $DLPDIR/portal/apache/conf/httpd.conf
 /opt/CPNacPortal/conf/httpd_nac.conf
 /opt/CPUserCheckPortal/conf/httpd.conf
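
One way to run this check over all four files in a single pass, as an added example that is not part of Check Point's hotfix or tooling. It assumes a shell with the Check Point environment loaded so that $CVPNDIR and $DLPDIR are set, and it treats a missing file as a portal that is not installed on this gateway (an assumption); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Check Point tooling): report whether each portal
# Apache configuration carries the hotfix marker string.
MARKER="CVE20113192"

# check_hotfix_marker FILE  (hypothetical helper)
#   0 = marker found, 1 = file present without the marker,
#   2 = file absent or unreadable (assumed: that portal is not installed)
check_hotfix_marker() {
    { [ -f "$1" ] && [ -r "$1" ]; } || return 2
    if grep -qF -- "$MARKER" "$1"; then return 0; else return 1; fi
}

# audit_hotfix FILE...  (hypothetical helper)
#   Prints one status line per file; returns 1 if any present file
#   lacks the marker, otherwise 0.
audit_hotfix() {
    unpatched=0
    for f in "$@"; do
        st=0
        check_hotfix_marker "$f" || st=$?
        case "$st" in
            0) echo "PATCHED      $f" ;;
            1) echo "NOT PATCHED  $f"; unpatched=1 ;;
            *) echo "ABSENT       $f" ;;
        esac
    done
    return "$unpatched"
}

# The four files named in the advisory. If $CVPNDIR or $DLPDIR is unset,
# the path does not resolve and the file is reported as ABSENT.
audit_hotfix \
    "${CVPNDIR:-}/conf/httpd.conf" \
    "${DLPDIR:-}/portal/apache/conf/httpd.conf" \
    /opt/CPNacPortal/conf/httpd_nac.conf \
    /opt/CPUserCheckPortal/conf/httpd.conf \
    || echo "At least one present configuration file lacks $MARKER" >&2
```

A NOT PATCHED line on a file that exists means the hotfix was never applied there or has been uninstalled.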

Hotfix for Endpoint Security

   Hotfix applies to Endpoint Security Server E80, E80.10 on Windows (released on September 8, 2011)

    Installation instructions:

  1. If the obsolete hotfix was installed (see above), uninstall it by running 'copy %UEPMDIR%\apache22\conf\httpd.conf.backup %UEPMDIR%\apache22\conf\httpd.conf' 
  2. Download EP_R8x_apacheCVE20113192.bat and copy it to the EPS Server machine 
  3. To install the hotfix run 'EP_R8x_apacheCVE20113192.bat'
  4. To uninstall the hotfix run 'copy "%UEPMDIR%\apache22\conf\httpd.conf.backup" "%UEPMDIR%\apache22\conf\httpd.conf"' and restart the Apache2.2 service

   Hotfix applies to Endpoint Security Server E80.20 on Windows (released on September 8, 2011)

    Installation instructions:

  1. If the obsolete hotfix was installed (see above), uninstall it by running 'copy %UEPMDIR%\apache22\conf\httpd.conf.backup %UEPMDIR%\apache22\conf\httpd.conf'
  2. Download the file E80.20.zip and copy it to the EPS Server machine
  3. Unzip E80.20.zip which contains the following files:
    • EP_E80.20_apacheCVE20113192.bat
    • mod_cache.so
    • mod_disk_cache.so
    • mod_file_cache.so
    • mod_mem_cache.so
  4. To install the hotfix run 'EP_E80.20_apacheCVE20113192.bat'
  5. To uninstall the hotfix:
    • Stop Apache2.2 Service
    • 'copy %UEPMDIR%\apache22\conf\httpd.conf.backup %UEPMDIR%\apache22\conf\httpd.conf' 
    • 'copy %UEPMDIR%\apache22\modules\mod_cache.so.backup %UEPMDIR%\apache22\modules\mod_cache.so'
    • 'copy %UEPMDIR%\apache22\modules\mod_file_cache.so.backup %UEPMDIR%\apache22\modules\mod_file_cache.so'
    • 'copy %UEPMDIR%\apache22\modules\mod_mem_cache.so.backup %UEPMDIR%\apache22\modules\mod_mem_cache.so'
    • 'copy %UEPMDIR%\apache22\modules\mod_disk_cache.so.backup %UEPMDIR%\apache22\modules\mod_disk_cache.so'
    • Start Apache2.2 Service

 

   Hotfix applies to Endpoint Security Server R7.x on Windows

    Installation instructions:

  1. Download EP_R7x_apacheCVE20113192.bat and copy it to the EPS Server machine 
  2. To install the hotfix run 'EP_R7x_apacheCVE20113192.bat' 
  3. To uninstall the hotfix run 'copy httpd.conf.backup httpd.conf'

   Hotfix applies to Endpoint Security Server R7.x on SecurePlatform

    Installation instructions:

  1. Download EP_R7x_apacheCVE20113192.sh and copy it to the EPS Server machine
  2. chmod +x EP_R7x_apacheCVE20113192.sh
  3. To install the hotfix run './EP_R7x_apacheCVE20113192.sh install' and 'cpstop ; cpstart'.
  4. To uninstall the hotfix run './EP_R7x_apacheCVE20113192.sh uninstall'

Note: Upgrading Endpoint Security Server overwrites the Apache configuration file. Therefore, this security fix should be applied again once you have upgraded.

Solution for the IPSO platform

This solution should be applied to all Security Gateway versions on the IPSO platform instead of the gateway hotfix.

   Hotfix for IPSO platform

  • Hotfix applies to the following versions:
    • IPSO 6.2 (any build)
    • IPSO 4.2 MR9 (IPSO-4.2-BUILD111)
  • Hotfix installation instructions for IPSO 6.2:
    1. Download apacheCVE20113192_IPSO6.sh and copy it to the gateway machine
    2. chmod +x apacheCVE20113192_IPSO6.sh
    3. To install the hotfix run './apacheCVE20113192_IPSO6.sh install'
    4. To uninstall the hotfix run './apacheCVE20113192_IPSO6.sh uninstall'
  • Hotfix installation instructions for IPSO 4.2 MR9:
    1. Download apacheCVE20113192_IPSO4.sh and copy it to the gateway machine
    2. Download httpd.CVE20113192 to the same directory
    3. chmod +x apacheCVE20113192_IPSO4.sh
    4. To install the hotfix run './apacheCVE20113192_IPSO4.sh install'.
    5. To uninstall the hotfix run './apacheCVE20113192_IPSO4.sh uninstall'
