SSL/TLS MITM vulnerability (CVE-2014-0224)

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk101186
Technical Level
Severity	Low
Product	Quantum Security Gateways, Quantum Security Management, Multi-Domain Security Management, IPSec VPN, Data Loss Prevention, Mobile Access / SSL VPN, Identity Awareness, SmartReporter, Edge, Safe@Office
Version	R71 (EOL), R75 (EOL), R75.10 (EOL), R75.20 (EOL), R75.30 (EOL), R75.40 (EOL), R75.40VS (EOL), R75.45 (EOL), R75.46 (EOL), R75.47 (EOL), R76 (EOL), R77 (EOL), R77.10 (EOL)
OS	Gaia, SecurePlatform 2.6, Linux, Crossbeam XOS, IPSO 6.2, Windows, Solaris
Platform / Model	All
Date Created	06-Jun-2014
Last Modified	26-Nov-2020

Symptoms

The OpenSSL vulnerability that was published on June 5th, 2014 includes multiple attack vectors.
Check Point products are not vulnerable to these, except CVE-2014-0224, which is relevant in specific scenarios described below.
Due to a vulnerability in the handshake implementation of OpenSSL (CVE-2014-0224), a Man-In-The-Middle (MITM) attack can be leveraged to decrypt and modify traffic between a Check Point Security Gateway or Check Point Security Management Server / Multi-Domain Security Management Server and a vulnerable server.
This vulnerability is relevant only in the scenarios described below:
- Mobile Access blade - When using Mobile Access Portal to connect to an application server (usually internal server) over an HTTPS connection, an attack can be applied on this HTTPS connection between the Mobile Access Gateway and the application server, to which the gateway connects on behalf of the remote client.
  Connections between the Mobile Access Gateway and the application server will usually be within the corporate LAN, which makes MITM attacks less likely.
- Mobile Access blade - When DynamicID is used and the SMS provider server is vulnerable, the connection to the SMS provider over HTTPS is vulnerable as well.
- When a Check Point Security Gateway or Security Management Server connects over SSL to a vulnerable non-Check Point server: LDAP Account Unit is configured with 'Use Encryption (SSL)' to connect to a vulnerable LDAP server (see sk101372 for more details; Microsoft Domain Controllers are not vulnerable to this CVE), SmartReporter is using "Web Upload" to upload a report to a vulnerable web server, DLP blade is configured with "dynamic dictionary" to download a dictionary from a vulnerable web server, Identity Awareness blade is connected to a vulnerable IF-MAP server as identity source.
  Such connections will usually be within the corporate LAN or over site-to-site IPsec VPN, which makes MITM attacks less likely.
Vulnerable versions:
- R71 and its sub versions
- R75 and its sub versions
- R76
- R77 GA / R77.10
R77.20 and newer versions are not vulnerable.

Solution

Customers should install the following hotfix on Check Point Security Gateway / Check Point Security Management Server / Check Point Multi-Domain Security Management Server / Check Point SmartReporter Server / UTM-1 Edge appliance / Safe@Office appliance.

Important Note: On June 09, 2014 Check Point released an IPS signature for this CVE.

Click Here to Show Entire Article

Notes:

In cluster environment, this procedure must be performed on all members of the cluster.
In Management HA environment, this procedure must be performed on both Management Servers.
On Solaris OS, only these versions of Security Management Server / Multi-Domain Security Management Server are affected:
- R71 and its sub versions
- R75 and its sub versions

Procedure:

Show / Hide hotfix installation instructions - Gaia OS using CPUSE (Check Point Update Service Engine)
We recommend using CPUSE to install this hotfix.

Note: Hotfix has to be installed on Security Gateway / Security Management Server / Multi-Domain Security Management Server / SmartReporter Server.
- In Gaia Portal:
  
  Important Note for VSX mode: Gaia Portal is not supported on Security Gateway in VSX mode. Users must use the Clish.
  1. Connect to the Gaia Portal on your machine.
  2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out').
  3. Navigate to the 'Software Updates' - 'Status and Actions' pane.
  4. Go to the 'Updates' tab to see the published hotfixes available for download.
  5. Select the Check_Point_Hotfix_VERSION_sk101186.tgz package - right-click on it - click on 'Download' (this will download the hotfix to your machine).
  6. Right-click on the Check_Point_Hotfix_VERSION_sk101186.tgz package - click on 'Install' (this will install the hotfix on the machine and display the installation status).
  7. When prompted for reboot (a pop up window appears), confirm to reboot the machine.
- In Clish:
  
  Important Note for VSX mode: Gaia Portal is not supported on Security Gateway in VSX mode. Users must use the Clish.
  1. Connect to Gaia command line (over SSH, or console).
  2. Log in to Clish shell.
  3. See the list of available packages for download:
    HostName> show installer available_packages
  4. Download this hotfix:
    HostName> installer download Check_Point_Hotfix_VERSION_sk101186.tgz
  5. Check the download progress by repeatedly running this command:
    HostName> show installer package_status
    Outputs for example:
    Check_Point_Hotfix_R77.10_sk101186.tgz - Downloading (2.95 MB/s) - Progress: 6% Check_Point_Hotfix_R77.10_sk101186.tgz - Available for install
  6. See the list of available packages for install:
    HostName> show installer available_local_packages
  7. Install this hotfix:
    HostName> installer install Check_Point_Hotfix_VERSION_sk101186.tgz
  8. Check the installation progress by repeatedly running this command:
    HostName> show installer package_status
    Outputs for example:
    Check_Point_Hotfix_R77.10_sk101186.tgz - Installing - Progress: 3% Check_Point_Hotfix_R77.10_sk101186.tgz - installed
  9. Machine will be rebooted automatically.
Contact Check Point Support for any assistance.
Show / Hide hotfix installation instructions - Gaia / SecurePlatform / Linux OS (manual installation in Command Line)
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Security Gateway / Security Management Server / Multi-Domain Security Management Server / SmartReporter Server.
2. Download the relevant hotfix package:
  
  Note: In order to download these packages you will need to have a Software Subscription or Active Support plan.
  
  Platform R75.47 R76 R77 R77.10
  
  Gaia OS,
  SecurePlatform OS,
  Linux OS (TGZ) (TGZ) (TGZ) (TGZ)
  
  For fixes on top of other affected versions, contact Check Point Support.
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Unpack the hotfix package
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar zxvf Check_Point_Hotfix_VERSION_sk101186.tgz
5. Install the hotfix:
  [Expert@HostName]# ./fw1_wrapper_HOTFIX_NAME
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
6. Reboot the machine.
Show / Hide hotfix installation instructions - IPSO OS
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Security Gateway / Security Management Server.
2. Download the relevant hotfix package:
  
  Note: In order to download these packages you will need to have a Software Subscription or Active Support plan.
  
  Platform R75.47 R76 R77 R77.10
  
  IPSO OS (TGZ) (TGZ) (TGZ) (TGZ)
  
  For fixes on top of other affected versions, contact Check Point Support.
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Unpack the hotfix package
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar zxvf Check_Point_Hotfix_VERSION_sk101186.tgz
5. Install the hotfix:
  [Expert@HostName]# ./fw1_wrapper_HOTFIX_NAME
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
6. Reboot the machine.
Show / Hide hotfix installation instructions - Windows OS
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Security Gateway / Security Management Server / SmartReporter Server.
2. Download the relevant hotfix package:
  
  Note: In order to download these packages you will need to have a Software Subscription or Active Support plan.
  
  Platform R75.47 R76 R77 R77.10
  
  Windows OS (TGZ) (TGZ) (TGZ) (TGZ)
  
  For fixes on top of other affected versions, contact Check Point Support.
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Install the hotfix:
  1. Use any archive program (WinZIP, WinRAR, 7-Zip, TUGZip, IZArc) to unpack the Check_Point_Hotfix_VERSION_Win_sk100431.tgz file.
  2. Open the Disk_Images folder.
  3. Open the Disk1 folder.
  4. Right-click on the setup.exe file - click on 'Run as administrator'.
    Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
5. Reboot the machine.
Show / Hide hotfix installation instructions - Solaris OS
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Security Management Server / Multi-Domain Security Management Server.
2. Contact Check Point Support to get a Hotfix for this issue.
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Unpack the hotfix package
  # cd /some_path_to_fix/
  # tar -zxvf Check_Point_Hotfix_VERSION_sk101186.tgz
5. Install the hotfix:
  # ./fw1_wrapper_HOTFIX_NAME
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
6. Reboot the machine.

Show / Hide hotfix installation instructions - UTM-1 Edge / Safe@Office

Contact Check Point Support for any assistance.

Firmware images:

Platform	DSL and Industrial (GUI)	DSL and Industrial (TFTP)	X and W (GUI)	X and W (TFTP)	N series (GUI)	N series (TFTP)
UTM-1 Edge, Safe@Office	(TGZ)	(FIRM)	(TGZ)	(TFTP)	(TGZ)	(FIRM)

LIBSW files - refer to sk31448 - What are LIBSW files on Management Server:

Platform	Link
Gaia OS, SecurePlatform OS, Linux OS, Solaris OS	(TAR)
Windows OS	(ZIP)

Note: The OpenSSL version inside the firmware was not replaced. As a result, any tool that bases its verdict solely on the OpenSSL version would give a false positive. The following web-site can be used to test the firmware:

http://ccsbug.exposed/
http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/

Related solutions:

sk92447 - Status of OpenSSL CVEs

Applies To:

01420639 , 01421173 , 01420746 , 01420750 , 01420751 , 01420765 , 01420836 , 01420926 , 01421030 , 01421038 , 01421180 , 01421184 , 01421353 , 01421654 , 01423089 , 01424154 , 01424411 , 01424421 , 01425141 , 01426268 , 01427980 , 01428212 , 01429615 , 01431726 , 01432490 , 01432522 , 01432564 , 01433782 , 01443840 , 01453223 , 01472896 , 01474422 , 01496331 , 01498293 , 01502254 , 01515432 , 01522594 , 01536912 , 01537280

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating