Check Point response to OpenSSL vulnerability (CVE-2014-0160)

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk100173
Severity	Low
Product	Security Gateway, Security Management, Multi-Domain Management, Data Center Security Appliances, Endpoint Security Server, Endpoint Connect, SSL Network Extender
Version	All
OS	Gaia, Gaia Embedded, SecurePlatform 2.6, SecurePlatform Embedded, IPSO 6.2
Platform / Model	All
Date Created	08-Apr-2014
Last Modified	21-Jul-2018

Symptoms

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Transport Layer Security protocols (TLS/DTLS) Heartbeat Extension packets. As a result, remote attackers could obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys.

Solution

Table of Contents:

Checking the OpenSSL version
Products that are not vulnerable
Affected products
IPS protections
HTTPS Inspection

Click Here to Show Entire Article

Checking the OpenSSL version

Show / Hide instructions

To check the current version of OpenSSL, run this command:

On Gaia OS

[Expert@HostName]# rpm -qa | grep openssl
Example output:
openssl-0.9.8b-8.3cp738000011
On SecurePlatform OS

[Expert@HostName]# rpm -qa | grep openssl
Example output:
openssl-libcrypto-0.9.7a-36cp
On IPSO OS 6
# openssl version

Products that are not vulnerable

The following product lines are not vulnerable (OpenSSL used in these products is not vulnerable):

Security Gateway
Security Management Server
Multi-Domain Security Management Server
Endpoint Security Management Server
Endpoint Connect clients
SSL Network Extender (SNX)
41000 / 61000 Data Center Security Appliances
BlueCoat (legacy Crossbeam) X-Series
21000 Data Center Security Appliances
2000 / 4000 / 12000 / 13500 / 13800 Appliances
Power-1 / UTM-1 / VSX-1 / DDoS / Smart-1 Appliances
IP Series Appliances
600 appliances
1100 appliances
Edge devices
Safe@Office devices

Affected products

Check Point Mobile VPN for iOS - Fixed version 1.356 is available on Apple Store

Related solution: sk69540 - Check Point Mobile VPN application - Layer-3 VPN for Apple iPhone and iPad
Check Point Mobile VPN for Android - Fixed version 1.356 is available on Google Play

Related solution: sk84141 - Check Point Mobile VPN for Android devices

IPS protections

Check Point has issued the relevant IPS updates on April 09, 2014 and April 12, 2014:

Notes:

For more details on these protections, refer to sk100246 - Check Point IPS Protections for OpenSSL Heartbleed vulnerability (CVE 2014-0160).
For Locally Managed 600/1100 appliances with an R75.20-based image, the three IPS protections listed will be availabled starting in the R75.20.60 firmware, without need for an IPS online update.

Description of IPS Protections:

OpenSSL TLS DTLS Heartbeat Information Disclosure
Protection's description on Check Point advisory

How to locate this protection in SmartDashboard:
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Signatures' - search for OpenSSL TLS DTLS Heartbeat Information Disclosure
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - expand 'VPN Protocols' - click on 'SSL and TLS' - find OpenSSL TLS DTLS Heartbeat Information Disclosure
OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure
Protection's description on Check Point advisory

How to locate this protection in SmartDashboard:
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Signatures' - search for OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - click on 'Web Servers' - find OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure
TLS and DTLS Heartbeat Extension
Protection's description on Check Point advisory

How to locate this protection in SmartDashboard:
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Application Controls' - search for TLS and DTLS Heartbeat Extension
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - expand 'VPN Protocols' - click on 'SSL and TLS' - find TLS and DTLS Heartbeat Extension

These protections can be configured to generate a log.

Show / Hide example of SmartView Tracker log

Product = IPS Software Blade
Type = Log
Service = https (443)
Protocol = tcp
Protection Name = OpenSSL TLS DTLS Heartbeat Information Disclosure
Attack = SSL Enforcement Violation
Attack Information = OpenSSL TLS DTLS Heartbeat Information Disclosure
CVE List = CVE-2014-0160 CVE-2014-0346
Protection Type = Signature
Protection ID = asm_dynamic_prop_AMSN20140408_01
Inductry Reference = CVE-2014-0160, CVE-2014-0346

HTTPS Inspection

By applying HTTPS Inspection, Check Point Security Gateway protects from SSL Zero-Day attacks such as "Heartbleed".

Refer to IPS Administration Guide (R75.20 , R75.40 , R75.40VS , R76 , R77) - Chapter 6 'Monitoring Traffic' - 'HTTPS Inspection'.

Applies To:

heartbleed

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating