Platform / Model: Gaia, SecurePlatform 2.6, Linux, Crossbeam XOS, IPSO 6.2, Windows, Solaris
The OpenSSL security advisory published on June 5th, 2014 covers multiple attack vectors.
Check Point products are not vulnerable to these, except for CVE-2014-0224, which is relevant only in the specific scenarios described below.
Due to a vulnerability in the handshake implementation of OpenSSL (CVE-2014-0224), a Man-In-The-Middle (MITM) attack can be leveraged to decrypt and modify traffic between a Check Point Security Gateway or Check Point Security Management Server / Multi-Domain Security Management Server and a vulnerable server.
This vulnerability is relevant only in the scenarios described below:
Mobile Access blade - When the Mobile Access Portal is used to connect to an application server (usually an internal server) over HTTPS, the attack can be applied to the HTTPS connection between the Mobile Access Gateway and the application server, to which the gateway connects on behalf of the remote client.
Connections between the Mobile Access Gateway and the application server will usually be within the corporate LAN, which makes MITM attacks less likely.
Mobile Access blade - When DynamicID is used and the SMS provider server is vulnerable, the connection to the SMS provider over HTTPS is vulnerable as well.
When a Check Point Security Gateway or Security Management Server connects over SSL to a vulnerable non-Check Point server, in any of these configurations:
- LDAP Account Unit is configured with 'Use Encryption (SSL)' to connect to a vulnerable LDAP server (see sk101372 for more details; Microsoft Domain Controllers are not vulnerable to this CVE).
- SmartReporter is using "Web Upload" to upload a report to a vulnerable web server.
- DLP blade is configured with "dynamic dictionary" to download a dictionary from a vulnerable web server.
- Identity Awareness blade is connected to a vulnerable IF-MAP server as an identity source.
Such connections will usually be within the corporate LAN or over site-to-site IPsec VPN, which makes MITM attacks less likely.
Affected versions:
R71 and its sub-versions
R75 and its sub-versions
R77 GA / R77.10
R77.20 and newer versions are not vulnerable.
Customers should install the following hotfix on Check Point Security Gateway / Check Point Security Management Server / Check Point Multi-Domain Security Management Server / Check Point SmartReporter Server / UTM-1 Edge appliance / Safe@Office appliance.
Note: The OpenSSL version inside the firmware was not replaced. As a result, any tool that bases its verdict solely on the reported OpenSSL version string will give a false positive; only a behavioral test of the TLS handshake reflects the actual fix. The following website can be used to test the firmware: