Gaia, SecurePlatform 2.6, Linux, Crossbeam XOS, IPSO 6.2, Windows, Solaris
Platform / Model: All
Date Created: 06-Jun-2014
Last Modified: 26-Nov-2020
Symptoms
The OpenSSL security advisory published on June 5th, 2014 covers multiple vulnerabilities.
Check Point products are not vulnerable to them, with the exception of CVE-2014-0224, which is relevant only in the specific scenarios described below.
Due to a vulnerability in the handshake implementation of OpenSSL (CVE-2014-0224), a Man-In-The-Middle (MITM) attack can be leveraged to decrypt and modify traffic between a Check Point Security Gateway or Check Point Security Management Server / Multi-Domain Security Management Server and a vulnerable server.
This vulnerability is relevant only in the scenarios described below:
Mobile Access blade - When the Mobile Access Portal is used to connect to an application server (usually an internal server) over HTTPS, a MITM attack can be mounted on the HTTPS connection between the Mobile Access Gateway and the application server, to which the gateway connects on behalf of the remote client.
Connections between the Mobile Access Gateway and the application server will usually be within the corporate LAN, which makes MITM attacks less likely.
Mobile Access blade - When DynamicID is used and the SMS provider server is vulnerable, the connection to the SMS provider over HTTPS is vulnerable as well.
When a Check Point Security Gateway or Security Management Server connects over SSL to a vulnerable non-Check Point server, in the following configurations:
LDAP Account Unit is configured with 'Use Encryption (SSL)' to connect to a vulnerable LDAP server (see sk101372 for more details; Microsoft Domain Controllers are not vulnerable to this CVE).
SmartReporter is using "Web Upload" to upload a report to a vulnerable web server.
DLP blade is configured with "dynamic dictionary" to download a dictionary from a vulnerable web server.
Identity Awareness blade is connected to a vulnerable IF-MAP server as an identity source.
Such connections will usually be within the corporate LAN or over site-to-site IPsec VPN, which makes MITM attacks less likely.
Vulnerable versions:
R71 and its sub versions
R75 and its sub versions
R76
R77 GA / R77.10
R77.20 and newer versions are not vulnerable.
Solution
Customers should install the following hotfix on Check Point Security Gateway / Check Point Security Management Server / Check Point Multi-Domain Security Management Server / Check Point SmartReporter Server / UTM-1 Edge appliance / Safe@Office appliance.
Note: The hotfix has to be installed on the Security Gateway / Security Management Server / Multi-Domain Security Management Server / SmartReporter Server.
In Gaia Portal:
Important Note for VSX mode: Gaia Portal is not supported on Security Gateway in VSX mode. Users must use the Clish.
Connect to the Gaia Portal on your machine.
Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out').
Navigate to the 'Software Updates' - 'Status and Actions' pane.
Go to the 'Updates' tab to see the published hotfixes available for download.
Select the Check_Point_Hotfix_VERSION_sk101186.tgz package - right-click on it - click on 'Download' (this will download the hotfix to your machine).
Right-click on the Check_Point_Hotfix_VERSION_sk101186.tgz package - click on 'Install' (this will install the hotfix on the machine and display the installation status).
When prompted for a reboot (a pop-up window appears), confirm to reboot the machine.
In Clish:
Important Note for VSX mode: Gaia Portal is not supported on Security Gateway in VSX mode. Users must use the Clish.
Connect to Gaia command line (over SSH, or console).
Note: The OpenSSL version inside the firmware was not replaced. As a result, any tool that bases its verdict solely on the OpenSSL version would give a false positive. The following web-site can be used to test the firmware:
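Because the version string of a hotfixed firmware is unchanged, a meaningful check is behavioral: a server patched against CVE-2014-0224 answers a ChangeCipherSpec sent before the ClientKeyExchange with a fatal unexpected_message alert, while an unpatched OpenSSL accepts the early CCS silently and waits for a Finished message. The following Python probe is an added example for verifying your own gateway's HTTPS portal; it is not Check Point's code nor the web-site referred to above, and the host, port and cipher-suite list are assumptions (the probe completes no handshake and decrypts nothing).

```python
import os, socket, struct
# TLS record content types and the handshake/alert codes this probe looks at
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, SERVER_HELLO_DONE, UNEXPECTED_MESSAGE = 20, 21, 22, 14, 10
def tls_record(ctype, payload):  # one TLS 1.0 record: type(1) version(2) length(2) payload
    return bytes([ctype]) + b"\x03\x01" + struct.pack("!H", len(payload)) + payload
def client_hello():
    """Minimal TLS 1.0 ClientHello offering RSA suites a 2014-era server accepts (constructed)."""
    suites = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"  # AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"  # client_version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # suites, null compression
    return tls_record(HANDSHAKE, b"\x01" + len(body).to_bytes(3, "big") + body)
def parse_records(data):
    """Split a byte stream into (content_type, payload) pairs; a trailing partial record is dropped."""
    out, i = [], 0
    while i + 5 <= len(data):
        ctype, length = data[i], struct.unpack("!H", data[i + 3:i + 5])[0]
        if i + 5 + length > len(data):
            break
        out.append((ctype, data[i + 5:i + 5 + length]))
        i += 5 + length
    return out
def handshake_types(payload):  # handshake message types packed into one Handshake record
    types, i = [], 0
    while i + 4 <= len(payload):
        types.append(payload[i])
        i += 4 + int.from_bytes(payload[i + 1:i + 4], "big")
    return types
def classify(reply):
    """Interpret the server's reaction to a ChangeCipherSpec sent before ClientKeyExchange."""
    for ctype, payload in parse_records(reply):
        if ctype == ALERT and len(payload) >= 2:  # patched OpenSSL sends unexpected_message
            return "not vulnerable" if payload[1] == UNEXPECTED_MESSAGE else "inconclusive"
    return "inconclusive"
def probe(host, port=443, timeout=5.0):
    """Handshake up to ServerHelloDone, send CCS early, classify the reply (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        buf = b""
        while not any(c == HANDSHAKE and SERVER_HELLO_DONE in handshake_types(p)
                      for c, p in parse_records(buf)):
            chunk = s.recv(16384)
            buf += chunk
            if not chunk or any(c == ALERT for c, _ in parse_records(buf)):
                return "inconclusive"  # handshake refused, e.g. no common cipher suite
        s.sendall(tls_record(CHANGE_CIPHER_SPEC, b"\x01"))
        try:
            return classify(s.recv(16384))
        except socket.timeout:
            return "likely vulnerable"  # unpatched OpenSSL accepts the early CCS silently
```

Run probe("gateway.example.internal") against a portal you administer; "inconclusive" usually means the server refused the legacy cipher suites rather than anything about the CCS check.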