The solution described in this article is relevant to the following CVEs:

• CVE-2014-6271
• CVE-2014-7169
• CVE-2014-7187
• CVE-2014-7186
• CVE-2014-6277
• CVE-2014-6278

 

Table of Contents:

1. Background
2. IPS protection
3. OS Level protection
4. Hotfix packages
5. Frequently Asked Questions

 

(I) Background

The US-CERT has issued Shellshock as a critical vulnerability affecting Linux/UNIX operating systems and Apple's MAC OS X. According to the US-CERT, if exploited, this vulnerability gives attackers the ability to remotely execute shell commands by attaching malicious code in environment variables used by the operating system.

For more information about the Shellshock exploit and how to protect against it, please go to:
http://www.checkpoint.com/blog/protecting-shellshock/

In order to protect your Security Gateway, follow the procedure described under "Hotfix packages" below. In addition, customers with enabled IPS blade should follow the procedure described in the "IPS protection" section below, for internal-server protection.

 

(II) IPS protection

Check Point released "GNU Bash Remote Code Execution" IPS protection that protects customer environments.
This protection enables organizations to add a layer of protection to their network while updating their systems with vendor-provided patches.

1. CVEs

   The IPS protection covers the following CVEs:

   • CVE-2014-6271
   • CVE-2014-7169
   • CVE-2014-6277
   • CVE-2014-6278
   • CVE-2014-7187
   • CVE-2014-7186
   
   
   

2. How can IPS best protect my environment?

   Step 1

   Enable the "GNU Bash Remote Code Execution" IPS protection in Prevent mode (right-click on this protection, click on 'Prevent on All Profiles', and install policy).

   Step 2

   Blocking one of the attack vectors requires additional functionality to be activated on the Security Gateway.

   • For versions R77.10 and R77.20

     Activate 'ws_non_http_ctx_enabled' context on the Security Gateway (see instructions below).

     1. To activate the 'ws_non_http_ctx_enabled' context on-the-fly:

        • To activate, run the following command in Expert mode:
          [Expert@HostName]# fw ctl set int ws_non_http_ctx_enabled 1
          Note: No need to install policy.
          
          
        • To disable, run the following command in Expert mode:
          [Expert@HostName]# fw ctl set int ws_non_http_ctx_enabled 0
          Note: No need to install policy.
          
          
        • To check the current status, run the following command in Expert mode:
          [Expert@HostName]# fw ctl get int ws_non_http_ctx_enabled
        
        
        

     2. To activate the 'ws_non_http_ctx_enabled' context permanently (to survive reboot):

        1. Create the file $FWDIR/boot/modules/fwkern.conf (if it does not already exist).
        2. Add the following line using Vi editor (spaces are not allowed):
           ws_non_http_ctx_enabled=1
        3. Reboot Security Gateway.
        
        To disable, delete the above line from the fwkern.conf file and reboot Security Gateway.
     
     
     

   • For versions R75.40VS, R76 and R77

     Upgrade to R77.10 or a higher version and follow the corresponding steps above.
     
     

   • For version R75.47

     See sk102833 for a hotfix that activates 'ws_non_http_ctx_enabled' on R75.47 Security Gateway.
     
     

   • For versions R75.40, R75.45, R75.46

     • Either upgrade to R75.47 once the Hotfix for R75.47 is released (see above).
     • Or upgrade to R77.10 or a higher version and follow the corresponding steps above.
     
     
     

   • For versions R70.X, R71.X, R75, R75.10, R75.20 and R75.30

     The attack vector is covered by the "Non Compliant HTTP" IPS protection, which is activated as part of the Recommended_Protection Profile.
     Please enable this IPS protection in Prevent mode (if it is not already enabled in your environment).
     
     

   • For other versions

     Please contact Check Point Support.

 

(III) OS Level protection

1. HTTP

   Regardless of the current vulnerability and as a general best practice, Check Point recommends that customers only allow access to their system admin portals (Admin WebUI) via secure networks. In such scenarios, Check Point systems are not vulnerable to the announced exploit.

   Most Check Point portals are not vulnerable to the Shellshock exploit. Specifically the following are not vulnerable:

   • Mobile Access
   • Identity Awareness Portal
   • User Check
   • All Remote Access Portal for Mobile Access Blade
   • IPSec VPN
   • SNX
   • LOM Portal

2. DHCP Client

   As a general best practice, Check Point recommends that customers who use their Security Gateway as a DHCP Client perform the following:

   1. Patch the organization DHCP server following the RedHat instructions.
   2. Limit the Security Gateway to accept DHCP packets only from trusted DHCP Servers.

 

(IV) Hotfix packages

This problem was fixed. The fix is included in:

• Check Point R77.30

• Check Point R80

Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway / upgrade Cluster / upgrade VSX / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

A Hotfix package is currently available for R75, R75.10, R75.20, R75.30, R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, and R77.20.

This Hotfix package is relevant to the main appliances lines: 2012 models, Smart-1, Threat Emulation, UTM-1, Power-1. For other appliances, see the relevant section below.

 

 

• Hotfix package for R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, R77.20 - Gaia OS using CPUSE (Check Point Update Service Engine)
  
  

  1. Connect to the Gaia Portal on your machine and navigate to 'Software Updates' pane.
  2. Select the Check_Point_Hotfix_VERSION_sk102673.tgz package and click 'Install' to install the hotfix.

  Notes:

  • For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
  • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
  • Hotfix has to be installed on all machines running Gaia OS.
  • In cluster environment, this procedure must be performed on all members of the cluster.
  • In Management HA environment, this procedure must be performed on both Management Servers.

  
  
  
• Hotfix package for all versions - Gaia / SecurePlatform OS (manual installation in Command Line)
  
  

  1. Hotfix has to be installed on all machines running Gaia / SecurePlatform OS.
  2. Download the relevant hotfix package from the table below, transfer the hotfix package to the machine and unpack it:
     [Expert@HostName]# tar -zxvf Check_Point_Hotfix_VERSION_OS_sk102673.tgz
  3. Install the hotfix:
     [Expert@HostName]# ./SecurePlatform_HOTFIX_NAME
     Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
  4. Start Check Point services (reboot is not required):
     [Expert@HostName]# cpstart
     (In MDS environments: [Expert@HostName]# mdsstart)
  5. Log out from all shells.

  Notes:

  • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
  • In cluster environment, this procedure must be performed on all members of the cluster.
  • In Management HA environment, this procedure must be performed on both Management Servers.

  In order to download these packages you will need to have a Software Subscription or Active Support plan.

  Click here to see the available downloads.

   

  Platform	R75.40	R75.40VS	R75.45	R75.46	R75.47	R76	R77	R77.10	R77.20
  Gaia	(TGZ)	(TGZ)	(TGZ)	(TGZ)	(TGZ)	(TGZ)	(TGZ)	(TGZ)	(TGZ)
  SecurePlatform	(TGZ)	(TGZ)	(TGZ)	(TGZ)	(TGZ)	(TGZ)	(TGZ)	(TGZ)	(TGZ)

  
  
  

  Platform	R75	R75.10	R75.20	R75.30
  SecurePlatform	(TGZ)	(TGZ)	(TGZ)	(TGZ)

  
  
  

  • On SecurePlatform OS for R65, R70.x, and R71.x versions:

    1. Download the RPM file "bash_R65_R70x_R71x_SPLAT.rpm" from here.
       
       
    2. To install the RPM run:
       [Expert@HostName]# rpm -Uhv bash_R65_R70x_R71x_SPLAT.rpm
       
       
    3. Log out from all shells.
    
    Note: This rpm package covers both Security Gateway and VSX installations.
    
    

  • On SecurePlatform OS for VSX R67.10 version:

    1. Download the RPM file "bash_R67_10_SPLAT.rpm" from here.
       
       
    2. To install the RPM run:
       [Expert@HostName]# rpm -Uhv bash_R67_10_SPLAT.rpm
       
       
    3. Log out from all shells.

  
  
  
• Hotfix for IPSO 6.2
  
  

  Note: This fix is already integrated into IPSO 6.2 MR5 (Build GA100) image.

  • Instructions for Disk-based IPSO 6.2 systems:

    1. Download the TGZ package with improved Bash shell binary file and transfer it to IPSO OS: 

       IPSO 6.2	Link
       MR4/MR4a	(TGZ)
       MR1/MR2/MR3	(TGZ)

       
       
       
    2. Connect to IPSO OS over SSH as 'admin', transfer the TGZ package to /var/emhome/admin/ directory and unpack it in that location:
       HostName[admin]# scp Check_Point_IPSO6.2_VERSION_bash.tgz  /var/emhome/admin
HostName[admin]# tar -zxvf Check_Point_IPSO-6.2_VERSION_bash.tgz
       
       
    3. Mount the root file system as read/write:
       HostName[admin]# mount -uw /
       
       
    4. Backup the original Bash shell binary file:
       HostName[admin]# cp /bin/bash  /bin/bash_ORIGINAL
       
       
    5. Verify MD5 of the improved Bash shell binary file. If the MD5 is correct, copy the file to the destination directory:
       1. HostName[admin]# md5 /var/emhome/admin/Check_Point_IPSO6.2_VERSION_bash/bin/bash
          For IPSO MR4 - 7f14cbc1fa4a8fb35efcb7e0bc64cafd
          For IPSO MR1, MR2, MR3 - 209fa8e6ddd1600b25704f99ed3434fc
       2. HostName[admin]# mv /var/emhome/admin/Check_Point_IPSO6.2_VERSION_bash/bin/bash  /bin/bash
       
       
       
    6. Crucial step: Assign the required permissions and ownership:
       HostName[admin]# chmod 755 /bin/bash
HostName[admin]# chown root:wheel /bin/bash
       
       
    7. Mount the root file system as read-only again:
       HostName[admin]# mount -ur /
       
       
    8. Log out from all shells.
    
    
    

  • Instructions for Flash Based (Diskless) IPSO 6.2 systems:

    Download the relevant IPSO image with improved Bash shell to your Windows computer. Unpack the ZIP file. Copy the IPSO image (ipso-6.2.tgz) to an FTP server or to the appliance to be upgraded.

    Important Note: sk102989 - Check Point response to the POODLE Bites vulnerability (CVE-2014-3566) offers new IPSO 6.2 images that resolve both issues - the "CVE-2014-3566 POODLE Bites vulnerability" and the "CVE-2014-6271 and CVE-2014-7169 Bash Code Injection vulnerability".

    IPSO 6.2	Link
    MR4a	(ZIP)
    MR3a2	(ZIP)
    MR2a	(ZIP)

    To install:

    1. Login as admin, and make sure that you are in /var/emhome/admin directory (run 'pwd' command).
       
       
    2. Run newimage -ik
       Note: If you add a new version of IPSO by using the newimage command and the "-k" (keep) option, your previous packages are active with the new IPSO version.
       
       
    3. Specify where the ipso-6.2.tgz image for IPSO 6.2 is located, selecting one of the following options:
       Install from FTP server with user and password (You will be prompted for FTP server location and credentials)
       or
       Install from local filesystem (You will be prompted for pathname to the packages, or enter "." for the current directory).
       
       
    4. Enter the name of the ipso-6.2.tgz package, and press 'Enter'.
       
       
    5. After the upgrade process completes, choose the image to run:
       Choose 'Newly Installed' image.
       
       
    6. Reboot the machine by typing reboot at the prompt.
       
       
    7. Verify the current image. Type uname -a. The output will contain the following strings:
       MR4a: 6.2-GAMR4A202
       MR3a2: 6.2-GAMR3A302
       MR2a: 6.2-GAMR2A01
    
    
    

  • Instructions for IPSO 4.2 systems:

    The IPSO 4.2 releases did not include the Bash shell, and therefore are not vulnerable.

  
  
  
• Additional appliances (61000/41000 Security Systems, 600 / 1100 appliances, Security Gateway 80, Edge / Safe@Office devices, X-Series)
  
  

  • 61000 / 41000 Security Systems (Gaia OS)

    • Releases for 61000 / 41000 Security Systems are not vulnerable to CVE-2014-6271 (Bash Vulnerability) because they do not provide any web UI. However, to have the same level of protection on all machines in the environment, the fix for CVE-2014-6271 (Bash Vulnerability) was integrated into sk103121 - Data Center Security Appliances R76SP.10 - Jumbo Hotfix Accumulator.
    
    
    

  • 600 / 1100 / Security Gateway 80 appliances (Gaia Embedded OS)

    1. Download R75.20 HFA66.
       
       Note: For appliances running R75.20.50 firmware version and managed by Check Point Cloud service, download R75.20.51.
       
       
    2. Perform an upgrade using the Appliance's WebUI.

    Note:

    • To uninstall the improved firmware: go to 'Device' tab - go to 'System' section - click on 'System Operations' - click on the 'Revert to Previous image' button.
      For detailed instructions, refer to Check Point 600 Appliance Admin Guide (page 43), and to Check Point 1100 Appliance Admin Guide (page 69).
    
    
    

  • Edge / Safe@Office devices

    These devices are not vulnerable according to the known use cases.
    
    

  • X-Series Appliances (Blue Coat)

    A fix for R77.20, R77.10, R77, R76, R75.40VS is available for X-series appliances.
    Note: This fix is suitable for VSX R67 and VSX R68 as well. However, Check Point recommends upgrading to the latest supported version.

    VSX Mode

    1. Download the RPM file:

       APM	CPM
       R75.40VS, R76, R77	R70-R77

    2. Install the RPM file:

       • CPM

         1. Follow the instructions in Updating Bash on the X-Series Platform document to upgrade the CPM package.
         
         
         

       • APM (VAP groups update)

         1. Transfer the RPM file to CPM - into the /tftpboot/<vap_group_name>_common/tmp directory.
         2. For each VAP in a VAP group:
            
            1. Connect to the VAP using the 'rsh' command.
            2. Install the RPM:
               # rpm -Fvh /<vap_group_name>_common/tmp/bash-3.1-16.1.738000005cp.i386.rpm
            3. Verify that the RPM was installed:
               # rpm -qa | grep bash
               The output should be "bash-3.1-16.1.738000005cp"
         3. Log out from all shells.

     

    Non-VSX Mode

    1. Download the RPM file:

       APM and CPM

       R70 - R77

       
       
       
    2. Follow the instructions in Updating Bash on the X-Series Platform document (under "Updating Bash RPMs on X-Series CPMs and VAP Groups" section).
    
    For more information about BlueCoat X-Series Appliances, refer to Blue Coat Security Advisory SA82.

 

(V) Frequently Asked Questions

• Is a reboot required after the installation of this hotfix?
  

  Although "don't forget to reboot" message may appear at the end of the hotfix installation, reboot is not required for this hotfix. Running cpstart command (or mdsstart command on Multi-Domain Security Management Server) as described in the installation instructions is sufficient.

  
  
  
• The Check Point version of my Security Gateway / Security Management Server is not mentioned in this solution. What should I do?
  

  Check Point recommends upgrading to the latest supported version. Please refer to the Check Point Software Support timeline:
  http://www.checkpoint.com/support-programs-and-plans/check-point-software-support-timeline/index.html

  For further information, please contact Check Point Support.

  
  
  
• The early access solution fix from this article is already installed. Do I need to install the hotfix packages?
  

  Installing the Early Availability solution is sufficient to protect your system against CVE-2014-6271 and CVE-2014-7169.
  Check Point recommends to install the latest hotfix package available.

  
  
  
• How is Check Point fix related to RedHat patches?
  

  Check Point recommends to install this fix in order to protect against the vulnerabilities described. Check Point is also monitoring the patches released by RedHat and will align with the formal RedHat patch once it is fully released and verified.

  
  
  
• Why I may get "vulnerable" output while running vulnerability test commands for CVE-2014-7187 and CVE-2014-7186?
  

  As currently new CVEs for the bash parser behavior are discovered on a daily basis Check Point decided to block this vulnerability by not allowing calling functions from environment variables at all as this functionality is not required on Check Point systems.
  
  Since we chose this approach, the vulnerability seems to be still valid when testing it by running direct bash commands from expert mode, however, it cannot be exploited without access to expert mode that requires two authentications (user account and then expert mode).
  
  As users with access to expert mode are already privileged users, this should not be a concern for administrators.

  
  
  
• I am getting a "Conflict with hotfix SHELLSHOCK" error message when upgrading to R77.10 or R77.20. What should I do?
  

  Refer to sk102968.

  
  
  
• After installing the Hotfix provided by Check Point, I am testing to verify if my system is still vulnerable to this attack and on some of the tests the results still indicate I am vulnerable. How can this be?
  

  As currently new CVEs for the bash behavior are discovered frequently, Check Point decided to block this vulnerability by not allowing calling functions from environment variables at all as this functionality is not required on Check Point systems.
  Since Check Point chose this approach, the vulnerability seems to be still valid when testing it by running direct bash commands from expert mode, however it cannot be exploited without access to expert mode that requires two authentications (user account and then expert mode).
  As users with access to expert mode are already privileged users, this should not be a concern for administrators.

  
  
  
• Which package should I install on my IPSO 6.2 MR3a machine?
  
  

  For disk based and flash based IPSO, you should simply upgrade to MR3a2 or MR4a2. These versions already include the fix.
  For disk based IPSO you could also contact Support to get a Hotfix.