US-CERT has issued an alert on Shellshock, a critical vulnerability affecting Linux/UNIX operating systems and Apple's Mac OS X. According to US-CERT, if exploited, this vulnerability gives attackers the ability to remotely execute shell commands by attaching malicious code to environment variables used by the operating system.
In order to protect your Security Gateway, follow the procedure described under "Hotfix packages" below. In addition, customers with enabled IPS blade should follow the procedure described in the "IPS protection" section below, for internal-server protection.
(II) IPS protection
Check Point released "GNU Bash Remote Code Execution" IPS protection that protects customer environments. This protection enables organizations to add a layer of protection to their network while updating their systems with vendor-provided patches.
The IPS protection covers the following CVEs:
How can IPS best protect my environment?
Enable the "GNU Bash Remote Code Execution" IPS protection in Prevent mode (right-click on this protection, click on 'Prevent on All Profiles', and install policy).
Blocking one of the attack vectors requires additional functionality to be activated on the Security Gateway.
For versions R77.10 and R77.20
Activate 'ws_non_http_ctx_enabled' context on the Security Gateway (see instructions below).
To activate the 'ws_non_http_ctx_enabled' context on-the-fly:
To activate, run the following command in Expert mode (no need to install policy):
[Expert@HostName]# fw ctl set int ws_non_http_ctx_enabled 1
To disable, run the following command in Expert mode (no need to install policy):
[Expert@HostName]# fw ctl set int ws_non_http_ctx_enabled 0
To check the current status, run the following command in Expert mode:
[Expert@HostName]# fw ctl get int ws_non_http_ctx_enabled
To activate the 'ws_non_http_ctx_enabled' context permanently (to survive reboot):
Create the file $FWDIR/boot/modules/fwkern.conf (if it does not already exist).
Add the following line using the Vi editor (spaces are not allowed):
ws_non_http_ctx_enabled=1
Reboot Security Gateway.
To disable, delete the above line from the fwkern.conf file and reboot Security Gateway.
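The permanent setting only takes effect if the fwkern.conf line is written exactly as shown, with no spaces. The following audit script is an added example (not Check Point code) that parses the contents of $FWDIR/boot/modules/fwkern.conf, reports whether ws_non_http_ctx_enabled=1 is present in the accepted form, and flags a line that names the parameter but contains spaces, since such a line would not survive as a working setting. The file contents below are constructed samples, and the parameter name example_param_placeholder is a placeholder, not a real kernel parameter.

```python
"""Audit fwkern.conf for the persistent ws_non_http_ctx_enabled setting.

Added example, not Check Point's own tooling. It checks the text of
$FWDIR/boot/modules/fwkern.conf for the line the procedure adds and flags
entries written with spaces, which the procedure says are not allowed.
"""
import re
from typing import Dict, List, Tuple

PARAM = "ws_non_http_ctx_enabled"

# Only this exact shape is accepted: name=value with no whitespace anywhere.
ENTRY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(-?\d+)$")


def parse_fwkern_conf(text: str) -> Tuple[Dict[str, int], List[str]]:
    """Return (settings, malformed) for fwkern.conf content.

    settings maps parameter name -> integer value for well-formed lines.
    malformed collects non-empty, non-comment lines that do not match the
    required name=value form (for example a line containing spaces).
    """
    settings: Dict[str, int] = {}
    malformed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        m = ENTRY_RE.match(line)
        if m:
            settings[m.group(1)] = int(m.group(2))
        else:
            malformed.append(line)
    return settings, malformed


def ws_non_http_ctx_persistent(text: str) -> str:
    """Classify the persistent state of ws_non_http_ctx_enabled.

    Returns one of:
      "enabled"   - a well-formed ws_non_http_ctx_enabled=1 line is present
      "disabled"  - the parameter is absent or set to a value other than 1
      "malformed" - the parameter appears only on a line that is not in the
                    accepted form (e.g. "ws_non_http_ctx_enabled = 1"), so
                    the setting would not apply after reboot
    """
    settings, malformed = parse_fwkern_conf(text)
    if settings.get(PARAM) == 1:
        return "enabled"
    if any(PARAM in line for line in malformed):
        return "malformed"
    return "disabled"


# Constructed sample file contents (not taken from a real gateway).
SAMPLE_OK = "# kernel parameters\nws_non_http_ctx_enabled=1\n"
SAMPLE_SPACES = "ws_non_http_ctx_enabled = 1\n"
SAMPLE_MISSING = "example_param_placeholder=0\n"  # placeholder name, not a real parameter

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("spaces", SAMPLE_SPACES), ("missing", SAMPLE_MISSING)):
        print(f"{label}: {ws_non_http_ctx_persistent(sample)}")
```

Run it against the real file with `ws_non_http_ctx_persistent(open(path).read())` in Expert mode; a "malformed" result means the line exists but is not in the form the procedure requires, which is the failure the "spaces are not allowed" note warns about.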
For versions R75.40VS, R76 and R77
Upgrade to R77.10 or a higher version and follow the corresponding steps above.
For version R75.47
See sk102833 for a hotfix that activates 'ws_non_http_ctx_enabled' on R75.47 Security Gateway.
For versions R75.40, R75.45, R75.46
Either upgrade to R75.47 once the Hotfix for R75.47 is released (see above).
Or upgrade to R77.10 or a higher version and follow the corresponding steps above.
For versions R70.X, R71.X, R75, R75.10, R75.20 and R75.30
The attack vector is covered by the "Non Compliant HTTP" IPS protection, which is activated as part of the Recommended_Protection Profile. Please enable this IPS protection in Prevent mode (if it is not already enabled in your environment).
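The HTTP attack vector the IPS protection covers works because CGI-style web servers copy request header values into environment variables, and the vulnerable bash versions imported a function definition from any variable whose value began with "() {". The following scanner is an added example of that detection logic, not Check Point's IPS signature: it parses a constructed set of raw HTTP requests, inspects each header value for that prefix, and returns the requests that should be blocked. It covers header fields only; the non-HTTP contexts that the ws_non_http_ctx_enabled setting addresses are outside this example. Host names and header contents are constructed.

```python
"""Flag HTTP requests whose header values carry the Shellshock trigger prefix.

Added example, not Check Point's IPS code. Vulnerable bash imported a
function from an environment variable whose value began with "() {";
this check looks for that prefix at the start of each header value.
"""
import re
from typing import Dict, List

# Applied to the start of a header value. Whitespace is flexible so that
# close variants of the prefix are also flagged (a conservative choice for
# a blocking signature).
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample requests, one raw HTTP request per entry.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: () { :; }; echo probe\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\nReferer: (){ echo; }\r\n\r\n",
    # The body reaches a CGI program on stdin, not in an environment
    # variable, so it is outside this header check.
    "POST /api HTTP/1.1\r\nHost: www.example.test\r\nContent-Type: application/json\r\n\r\n{\"f\": \"() { 1; }\"}",
]


def parse_headers(request: str) -> Dict[str, str]:
    """Return the header fields of a raw HTTP request (body excluded)."""
    head, _, _body = request.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def shellshock_headers(request: str) -> List[str]:
    """Return the names of header fields whose value starts with the trigger prefix."""
    return [name for name, value in parse_headers(request).items()
            if SHELLSHOCK_RE.match(value)]


def scan(requests: List[str]) -> List[int]:
    """Return the indexes of requests that should be blocked."""
    return [i for i, req in enumerate(requests) if shellshock_headers(req)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(f"request {i}: suspicious headers {shellshock_headers(SAMPLE_REQUESTS[i])}")
```

The check is header-based because that is the path by which attacker-controlled text reaches an environment variable on a CGI host; a gateway signature would apply the same prefix test to every header field rather than a fixed list of names, which is why the scanner iterates over all parsed headers.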
Regardless of the current vulnerability and as a general best practice, Check Point recommends that customers only allow access to their system admin portals (Admin WebUI) via secure networks. In such scenarios, Check Point systems are not vulnerable to the announced exploit.
Most Check Point portals are not vulnerable to the Shellshock exploit. Specifically the following are not vulnerable:
Identity Awareness Portal
All Remote Access Portals for the Mobile Access Blade
As a general best practice, Check Point recommends that customers who use their Security Gateway as a DHCP Client perform the following:
Download the TGZ package with improved Bash shell binary file and transfer it to IPSO OS:
Connect to IPSO OS over SSH as 'admin', transfer the TGZ package to the /var/emhome/admin/ directory and unpack it in that location:
HostName[admin]# scp Check_Point_IPSO6.2_VERSION_bash.tgz /var/emhome/admin
HostName[admin]# tar -zxvf Check_Point_IPSO-6.2_VERSION_bash.tgz
Mount the root file system as read/write:
HostName[admin]# mount -uw /
Back up the original Bash shell binary file:
HostName[admin]# cp /bin/bash /bin/bash_ORIGINAL
Verify the MD5 of the improved Bash shell binary file. If the MD5 is correct, copy the file to the destination directory:
HostName[admin]# md5 /var/emhome/admin/Check_Point_IPSO6.2_VERSION_bash/bin/bash
Expected MD5 values:
For IPSO MR4 - 7f14cbc1fa4a8fb35efcb7e0bc64cafd
For IPSO MR1, MR2, MR3 - 209fa8e6ddd1600b25704f99ed3434fc
Login as admin, and make sure that you are in /var/emhome/admin directory (run 'pwd' command).
Run:
newimage -ik
Note: If you add a new version of IPSO by using the newimage command with the "-k" (keep) option, your previous packages remain active with the new IPSO version.
Specify where the ipso-6.2.tgz image for IPSO 6.2 is located, selecting one of the following options:
Install from FTP server with user and password (you will be prompted for the FTP server location and credentials), or
Install from local filesystem (you will be prompted for the pathname to the packages, or enter "." for the current directory).
Enter the name of the ipso-6.2.tgz package, and press 'Enter'.
After the upgrade process completes, choose the image to run: Choose 'Newly Installed' image.
Reboot the machine by typing reboot at the prompt.
Verify the current image. Type uname -a. The output will contain the string corresponding to your release:
MR4a: 6.2-GAMR4A202
MR3a2: 6.2-GAMR3A302
MR2a: 6.2-GAMR2A01
Instructions for IPSO 4.2 systems:
The IPSO 4.2 releases did not include the Bash shell, and therefore are not vulnerable.
These devices are not vulnerable according to the known use cases.
X-Series Appliances (Blue Coat)
A fix for R77.20, R77.10, R77, R76, R75.40VS is available for X-series appliances. Note: This fix is suitable for VSX R67 and VSX R68 as well. However, Check Point recommends upgrading to the latest supported version.
Although a "don't forget to reboot" message may appear at the end of the hotfix installation, a reboot is not required for this hotfix. Running the cpstart command (or the mdsstart command on a Multi-Domain Security Management Server) as described in the installation instructions is sufficient.
Check Point recommends installing this fix in order to protect against the vulnerabilities described. Check Point is also monitoring the patches released by Red Hat and will align with the formal Red Hat patch once it is fully released and verified.
As new CVEs for the bash parser behavior are currently being discovered on a daily basis, Check Point decided to block this vulnerability by not allowing functions to be imported from environment variables at all, as this functionality is not required on Check Point systems.
Because of this approach, the vulnerability may still appear to be present when tested by running bash commands directly from Expert mode; however, it cannot be exploited without access to Expert mode, which requires two authentications (user account and then Expert mode).
As users with access to Expert mode are already privileged users, this should not be a concern for administrators.