Check Point response to OpenSSL vulnerability (CVE-2014-0160)
Symptoms
  • The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets. As a result, remote attackers could obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys.
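The following is an added example, not code from the Check Point article or from Check Point: it implements the length-consistency check that separates a well-formed TLS Heartbeat message (RFC 6520) from the crafted packets described above, which is the kind of check an inspection device applies. It assumes TLS record framing (a 5-byte header of content type, version and fragment length); DTLS records carry a longer header and are not handled. All sample records are constructed.

```python
# Added example, not part of the Check Point article: the length-consistency
# check that separates a well-formed TLS Heartbeat message (RFC 6520) from the
# crafted packets described in the Symptoms. Assumes TLS record framing
# (5-byte header: content type, version, fragment length); DTLS records carry
# a longer header and are not handled here. All sample records are constructed.
import struct

TLS_HEARTBEAT = 24      # TLS ContentType value for heartbeat records
HB_HEADER_LEN = 1 + 2   # HeartbeatMessage: type (1 byte) + payload_length (2 bytes)
HB_MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, fragment).

    Raises ValueError when the header or the fragment is truncated.
    """
    if len(data) < 5:
        raise ValueError("TLS record header truncated")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("TLS record fragment truncated")
    return content_type, version, fragment


def check_heartbeat(fragment):
    """Verdict for one heartbeat fragment.

    'ok'        - declared payload plus minimum padding fits in the fragment
    'too-short' - the fragment cannot even hold type + payload_length + padding
    'over-read' - payload_length claims more bytes than the fragment carries;
                  OpenSSL before 1.0.1g copied that many bytes from process
                  memory into the response (CVE-2014-0160). OpenSSL 1.0.1g
                  applies exactly this bound and silently discards the message.
    """
    if len(fragment) < HB_HEADER_LEN + HB_MIN_PADDING:
        return "too-short"
    _hb_type, payload_length = struct.unpack("!BH", fragment[:HB_HEADER_LEN])
    if HB_HEADER_LEN + payload_length + HB_MIN_PADDING > len(fragment):
        return "over-read"
    return "ok"


def inspect_record(data):
    """Verdict for a raw TLS record as a sensor would see it on the wire."""
    try:
        content_type, _version, fragment = parse_tls_record(data)
    except ValueError:
        return "truncated"
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    return check_heartbeat(fragment)


# Constructed samples. Each is: content type, version 0x0303, fragment length,
# then the fragment (heartbeat type, payload_length, payload, 16 bytes padding).
GOOD_RECORD = bytes.fromhex("18 0303 0017" "01 0004 70696e67" + "00" * 16)
OVERREAD_RECORD = bytes.fromhex("18 0303 0017" "01 0020 70696e67" + "00" * 16)  # claims 32-byte payload, carries 4
SHORT_RECORD = bytes.fromhex("18 0303 0003" "01 0000")                           # no room for padding
APPDATA_RECORD = bytes.fromhex("17 0303 0002" "abcd")                            # application data, not heartbeat

if __name__ == "__main__":
    for name, rec in [("good", GOOD_RECORD), ("over-read", OVERREAD_RECORD),
                      ("short", SHORT_RECORD), ("appdata", APPDATA_RECORD)]:
        print(f"{name:10} -> {inspect_record(rec)}")
```

The same per-fragment bound applies in both directions: a request whose declared payload does not fit in its record is what provokes the over-read, and a response larger than the record that carried it is what the "Overly-long Heartbeat Response" protection below is named for.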
Solution

Table of Contents:

  • Checking the OpenSSL version
  • Products that are not vulnerable
  • Affected products
  • IPS protections
  • HTTPS Inspection

Checking the OpenSSL version

To check the installed OpenSSL version, run the command for your operating system:

  • On Gaia OS

    [Expert@HostName]# rpm -qa | grep openssl

    Example output:
    openssl-0.9.8b-8.3cp738000011

  • On SecurePlatform OS

    [Expert@HostName]# rpm -qa | grep openssl

    Example output:
    openssl-libcrypto-0.9.7a-36cp

  • On IPSO OS 6

    # openssl version
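As an added example (not part of the Check Point article, and not a Check Point tool), the helper below classifies the strings those commands print against the affected range given in the Symptoms (OpenSSL 1.0.1 through 1.0.1f). It accepts an rpm package name from Gaia or SecurePlatform as well as the output of `openssl version` on IPSO; the sample strings are constructed, two of them copied from the example outputs above. The `local_version_strings` helper that runs `rpm -qa` or `openssl version` on the current host is an assumption about what is available on the machine the script runs on.

```python
# Added example, not part of the Check Point article: classify OpenSSL version
# strings against the CVE-2014-0160 affected range (1.0.1 through 1.0.1f).
# Accepts an rpm package name ("rpm -qa | grep openssl" on Gaia/SecurePlatform)
# or the output of "openssl version" (IPSO). Sample strings are constructed.
import re
import shutil
import subprocess

# first upstream OpenSSL version in the string, e.g. 0.9.8b, 1.0.1e or 1.0.1
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

AFFECTED_BASE = (1, 0, 1)     # affected releases are 1.0.1 ...
LAST_AFFECTED_LETTER = "f"    # ... through 1.0.1f; 1.0.1g carries the fix


def upstream_version(s):
    """Return (major, minor, patch, letter) parsed from s, or None if no version is present."""
    m = _VERSION_RE.search(s)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def heartbleed_status(s):
    """Classify one version string as 'vulnerable', 'not-vulnerable' or 'unknown'.

    Only the upstream version number is considered. Vendor builds (such as the
    'cp'-suffixed packages shown in the article) can backport fixes without
    changing it, so 'vulnerable' means 'upstream version inside the affected
    range' and the vendor's own advisory is authoritative.
    """
    v = upstream_version(s)
    if v is None:
        return "unknown"
    major, minor, patch, letter = v
    if (major, minor, patch) == AFFECTED_BASE and letter <= LAST_AFFECTED_LETTER:
        return "vulnerable"
    return "not-vulnerable"


def local_version_strings():
    """Best-effort collection of the strings the article's commands produce on this host (assumption)."""
    if shutil.which("rpm"):
        out = subprocess.run(["rpm", "-qa"], capture_output=True, text=True).stdout
        return [line for line in out.splitlines() if "openssl" in line]
    if shutil.which("openssl"):
        return [subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout.strip()]
    return []


if __name__ == "__main__":
    # constructed samples: the article's two rpm outputs, an IPSO-style
    # "openssl version" line, a package in the affected range, and a fixed one
    samples = [
        "openssl-0.9.8b-8.3cp738000011",
        "openssl-libcrypto-0.9.7a-36cp",
        "OpenSSL 1.0.1e 11 Feb 2013",
        "openssl-1.0.1g-1",
        "not a version string",
    ]
    for s in samples:
        print(f"{heartbleed_status(s):15} {s}")
    for s in local_version_strings():
        print(f"{heartbleed_status(s):15} {s}  (this host)")
```

Both example outputs from the article classify as not-vulnerable, which is consistent with the product list in the next section; an "unknown" result means the string carried no recognizable version and should be checked by hand rather than treated as clean.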

Products that are not vulnerable

The following product lines are not vulnerable, because the OpenSSL version they use is outside the affected range (OpenSSL 1.0.1 through 1.0.1f):

  • Security Gateway
  • Security Management Server
  • Multi-Domain Security Management Server
  • Endpoint Security Management Server
  • Endpoint Connect clients
  • SSL Network Extender (SNX)
  • 41000 / 61000 Data Center Security Appliances
  • BlueCoat (legacy Crossbeam) X-Series
  • 21000 Data Center Security Appliances
  • 2000 / 4000 / 12000 / 13500 / 13800 Appliances
  • Power-1 / UTM-1 / VSX-1 / DDoS / Smart-1 Appliances
  • IP Series Appliances
  • 600 appliances
  • 1100 appliances
  • Edge devices
  • Safe@Office devices

Affected products

IPS protections

Check Point issued the relevant IPS updates on April 09, 2014 and April 12, 2014:

Notes:

Description of IPS Protections:

  • OpenSSL TLS DTLS Heartbeat Information Disclosure

    Protection's description on Check Point advisory

    How to locate this protection in SmartDashboard:

    • In SmartDashboard, go to the 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Signatures' - search for OpenSSL TLS DTLS Heartbeat Information Disclosure
    • In SmartDashboard, go to the 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - expand 'VPN Protocols' - click on 'SSL and TLS' - find OpenSSL TLS DTLS Heartbeat Information Disclosure


  • OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure

    Protection's description on Check Point advisory

    How to locate this protection in SmartDashboard:

    • In SmartDashboard, go to the 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Signatures' - search for OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure
    • In SmartDashboard, go to the 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - click on 'Web Servers' - find OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure


  • TLS and DTLS Heartbeat Extension

    Protection's description on Check Point advisory

    How to locate this protection in SmartDashboard:

    • In SmartDashboard, go to the 'IPS' tab - expand 'Protections' - expand 'By Type' - expand 'Application Controls' - search for TLS and DTLS Heartbeat Extension
    • In SmartDashboard, go to the 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Application Intelligence' - expand 'VPN Protocols' - click on 'SSL and TLS' - find TLS and DTLS Heartbeat Extension

These protections can be configured to generate a log.

Example of a SmartView Tracker log entry generated by one of these protections:

Product = IPS Software Blade
Type = Log
Service = https (443)
Protocol = tcp
Protection Name = OpenSSL TLS DTLS Heartbeat Information Disclosure
Attack = SSL Enforcement Violation
Attack Information = OpenSSL TLS DTLS Heartbeat Information Disclosure
CVE List = CVE-2014-0160 CVE-2014-0346
Protection Type = Signature
Protection ID = asm_dynamic_prop_AMSN20140408_01
Industry Reference = CVE-2014-0160, CVE-2014-0346
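Added example, not from the Check Point article and not a Check Point tool: a small parser for SmartView Tracker records exported as "Key = Value" lines with a blank line between records, which pulls out the entries that fired for a given CVE and tallies them by protection, log type and service. The export format is assumed to look like the entry above; the sample records are constructed (the first one copies the entry above, the other Protection IDs and the unrelated protection name are placeholders).

```python
# Added example, not part of the Check Point article: parse SmartView Tracker
# records ("Key = Value" lines, blank line between records) and summarize the
# entries that name a CVE. Sample records are constructed; IDs marked
# PLACEHOLDER are not real Check Point identifiers.
import re
from collections import Counter

SAMPLE_LOG = """\
Product = IPS Software Blade
Type = Log
Service = https (443)
Protocol = tcp
Protection Name = OpenSSL TLS DTLS Heartbeat Information Disclosure
Attack = SSL Enforcement Violation
Attack Information = OpenSSL TLS DTLS Heartbeat Information Disclosure
CVE List = CVE-2014-0160 CVE-2014-0346
Protection Type = Signature
Protection ID = asm_dynamic_prop_AMSN20140408_01
Industry Reference = CVE-2014-0160, CVE-2014-0346

Product = IPS Software Blade
Type = Alert
Service = https (443)
Protocol = tcp
Protection Name = OpenSSL TLS DTLS Overly-long Heartbeat Response Information Disclosure
CVE List = CVE-2014-0160
Protection Type = Signature
Protection ID = PLACEHOLDER_PROTECTION_ID_02

Product = IPS Software Blade
Type = Log
Service = http (80)
Protocol = tcp
Protection Name = PLACEHOLDER_UNRELATED_PROTECTION
Protection Type = Signature
Protection ID = PLACEHOLDER_PROTECTION_ID_03
"""

_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_records(text):
    """Return a list of dicts, one per blank-line separated record; non 'Key = Value' lines are skipped."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(" = ")
        if not sep:
            continue
        current[key] = value
    if current:
        records.append(current)
    return records


def cve_ids(record):
    """CVE identifiers named in the record's 'CVE List' field (space or comma separated)."""
    return set(_CVE_RE.findall(record.get("CVE List", "")))


def hits_for_cve(records, cve):
    """Records whose CVE List names the given CVE."""
    return [r for r in records if cve in cve_ids(r)]


def summarize(records, cve="CVE-2014-0160"):
    """Count matching records per (Protection Name, Type, Service) to see what fired and where."""
    counts = Counter()
    for r in hits_for_cve(records, cve):
        counts[(r.get("Protection Name"), r.get("Type"), r.get("Service"))] += 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (name, log_type, service), n in summarize(recs).items():
        print(f"{n:4}  {log_type:6} {service:12} {name}")
```

Feed it a real export instead of `SAMPLE_LOG` to see which of the three protections are producing logs and on which services; a protection that never appears in the summary after the updates of April 09 and April 12, 2014 is worth verifying in the IPS tab rather than assuming it is active.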

HTTPS Inspection

With HTTPS Inspection enabled, the Check Point Security Gateway can protect the servers behind it from SSL zero-day attacks such as "Heartbleed".

Refer to the IPS Administration Guide (R75.20, R75.40, R75.40VS, R76, R77) - Chapter 6 'Monitoring Traffic' - 'HTTPS Inspection'.

Applies To:
  • heartbleed
