Check Point response to OpenSSL vulnerability (CVE-2014-0160)

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk100173
Severity	Low
Product	Security Gateway, Security Management, Multi-Domain Management / Provider-1, Data Center Security Appliances, Endpoint Security Server, Endpoint Connect, SSL Network Extender
Version	All
OS	Gaia, Gaia Embedded, SecurePlatform 2.6, SecurePlatform Embedded, IPSO 6.2
Platform / Model	All
Date Created	2014-04-08 00:00:00.0
Last Modified	2018-07-21 23:58:41.0

Symptoms

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Transport Layer Security protocols (TLS/DTLS) Heartbeat Extension packets. As a result, remote attackers could obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys.

Solution

Table of Contents:

Checking the OpenSSL version
Products that are not vulnerable
Affected products
IPS protections
HTTPS Inspection

Click Here to Show Entire Article

Checking the OpenSSL version

Show / Hide instructions

To check the current version of OpenSSL, run this command:

On Gaia OS

[Expert@HostName]# rpm -qa | grep openssl
Example output:
openssl-0.9.8b-8.3cp738000011
On SecurePlatform OS

[Expert@HostName]# rpm -qa | grep openssl
Example output:
openssl-libcrypto-0.9.7a-36cp
On IPSO OS 6
# openssl version

Products that are not vulnerable

The following product lines are not vulnerable (OpenSSL used in these products is not vulnerable):

Security Gateway
Security Management Server
Multi-Domain Security Management Server
Endpoint Security Management Server
Endpoint Connect clients
SSL Network Extender (SNX)
41000 / 61000 Data Center Security Appliances
BlueCoat (legacy Crossbeam) X-Series
21000 Data Center Security Appliances
2000 / 4000 / 12000 / 13500 / 13800 Appliances
Power-1 / UTM-1 / VSX-1 / DDoS / Smart-1 Appliances
IP Series Appliances
600 appliances
1100 appliances
Edge devices
Safe@Office devices

Affected products

Check Point Mobile VPN for iOS - Fixed version 1.356 is available on Apple Store

Related solution: sk69540 - Check Point Mobile VPN application - Layer-3 VPN for Apple iPhone and iPad
Check Point Mobile VPN for Android - Fixed version 1.356 is available on Google Play

Related solution: sk84141 - Check Point Mobile VPN for Android devices

IPS protections

Check Point has issued the relevant IPS updates on April 09, 2014 and April 12, 2014:

Notes:

For more details on these protections, refer to sk100246 - Check Point IPS Protections for OpenSSL Heartbleed vulnerability (CVE 2014-0160).
For Locally Managed 600/1100 appliances with an R75.20-based image, the three IPS protections listed will be availabled starting in the R75.20.60 firmware, without need for an IPS online update.

Description of IPS Protections:

OpenSSL TLS DTLS Heartbeat Information Disclosure
Protection's description on Check Point advisory

How to locate this protection in SmartDashboard:
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Signatures' - search for OpenSSL TLS DTLS Heartbeat Information Disclosure
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - expand 'VPN Protocols' - click on 'SSL and TLS' - find OpenSSL TLS DTLS Heartbeat Information Disclosure
OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure
Protection's description on Check Point advisory

How to locate this protection in SmartDashboard:
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Signatures' - search for OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - click on 'Web Servers' - find OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure
TLS and DTLS Heartbeat Extension
Protection's description on Check Point advisory

How to locate this protection in SmartDashboard:
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Application Controls' - search for TLS and DTLS Heartbeat Extension
- SmartDashboard - go 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - expand 'VPN Protocols' - click on 'SSL and TLS' - find TLS and DTLS Heartbeat Extension

These protections can be configured to generate a log.

Show / Hide example of SmartView Tracker log

Product = IPS Software Blade
Type = Log
Service = https (443)
Protocol = tcp
Protection Name = OpenSSL TLS DTLS Heartbeat Information Disclosure
Attack = SSL Enforcement Violation
Attack Information = OpenSSL TLS DTLS Heartbeat Information Disclosure
CVE List = CVE-2014-0160 CVE-2014-0346
Protection Type = Signature
Protection ID = asm_dynamic_prop_AMSN20140408_01
Inductry Reference = CVE-2014-0160, CVE-2014-0346

HTTPS Inspection

By applying HTTPS Inspection, Check Point Security Gateway protects from SSL Zero-Day attacks such as "Heartbleed".

Refer to IPS Administration Guide (R75.20 , R75.40 , R75.40VS , R76 , R77) - Chapter 6 'Monitoring Traffic' - 'HTTPS Inspection'.

Applies To:

heartbleed

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating

THREAT INTELLIGENCE

UNDER ATTACK?

RISK ASSESSMENT

Chat

Phone

Locations

Community

SOLUTIONS FOR...

PRODUCT ARCHITECTURE

PRODUCTS

NEXT GENERATION THREAT PREVENTION

MOBILE SECURITY

ENDPOINT SECURITY

NEXT GENERATION FIREWALLS

SECURITY MANAGEMENT

INDUSTRIES

ARCHITECTURE

SUPPORT CENTER

SUPPORT PROGRAMS

SECURITY SERVICES

KNOWLEDGE AND EDUCATION

PROFESSIONAL SERVICES

CHANNEL PARTNERS

TECHNOLOGY PARTNERS

PARTNER PORTAL

COMPANY OVERVIEW

NEWS & MEDIA

EVENTS

CAREERS

Checking the OpenSSL version

Products that are not vulnerable

Affected products

IPS protections

HTTPS Inspection