Support Center > Alerts > SecureKnowledge Details
Check Point Response to CVE-2014-6271 and CVE-2014-7169 Bash Code Injection vulnerability
Symptoms
  • Symptoms are described here.

  • Install on: Security Gateway / VSX / ClusterXL / Security Management Server / Multi-Domain Management Server.

Solution

The solution described in this article is relevant to the following CVEs:

 

Table of Contents:

  1. Background
  2. IPS protection
  3. OS Level protection
  4. Hotfix packages
  5. Frequently Asked Questions

 

(I) Background

The US-CERT has issued Shellshock as a critical vulnerability affecting Linux/UNIX operating systems and Apple's MAC OS X. According to the US-CERT, if exploited, this vulnerability gives attackers the ability to remotely execute shell commands by attaching malicious code in environment variables used by the operating system.

For more information about the Shellshock exploit and how to protect against it, please go to:
http://www.checkpoint.com/blog/protecting-shellshock/


In order to protect your Security Gateway, follow the procedure described under "Hotfix packages" below. In addition, customers with enabled IPS blade should follow the procedure described in the "IPS protection" section below, for internal-server protection.

 

(II) IPS protection

Check Point released "GNU Bash Remote Code Execution" IPS protection that protects customer environments.
This protection enables organizations to add a layer of protection to their network while updating their systems with vendor-provided patches.

  1. CVEs

    The IPS protection covers the following CVEs:

    • CVE-2014-6271
    • CVE-2014-7169
    • CVE-2014-6277
    • CVE-2014-6278
    • CVE-2014-7187
    • CVE-2014-7186


  2. How can IPS best protect my environment?

    Step 1

    Enable the "GNU Bash Remote Code Execution" IPS protection in Prevent mode (right-click on this protection, click on 'Prevent on All Profiles', and install policy).

    Step 2

    Blocking one of the attack vectors requires additional functionality to be activated on the Security Gateway.

    • For versions R77.10 and R77.20

      Activate 'ws_non_http_ctx_enabled' context on the Security Gateway (see instructions below).

      1. To activate the 'ws_non_http_ctx_enabled' context on-the-fly:

        • To activate, run the following command in Expert mode:
          [Expert@HostName]# fw ctl set int ws_non_http_ctx_enabled 1
          Note: No need to install policy.

        • To disable, run the following command in Expert mode:
          [Expert@HostName]# fw ctl set int ws_non_http_ctx_enabled 0
          Note: No need to install policy.

        • To check the current status, run the following command in Expert mode:
          [Expert@HostName]# fw ctl get int ws_non_http_ctx_enabled


      2. To activate the 'ws_non_http_ctx_enabled' context permanently (to survive reboot):

        1. Create the file $FWDIR/boot/modules/fwkern.conf (if it does not already exist).
        2. Add the following line using Vi editor (spaces are not allowed):
          ws_non_http_ctx_enabled=1
        3. Reboot Security Gateway.

        To disable, delete the above line from the fwkern.conf file and reboot Security Gateway.


    • For versions R75.40VS, R76 and R77

      Upgrade to R77.10 or a higher version and follow the corresponding steps above.

    • For version R75.47

      See sk102833 for a hotfix that activates 'ws_non_http_ctx_enabled' on R75.47 Security Gateway.

    • For versions R75.40, R75.45, R75.46

      • Either upgrade to R75.47 once the Hotfix for R75.47 is released (see above).
      • Or upgrade to R77.10 or a higher version and follow the corresponding steps above.


    • For versions R70.X, R71.X, R75, R75.10, R75.20 and R75.30

      The attack vector is covered by the "Non Compliant HTTP" IPS protection, which is activated as part of the Recommended_Protection Profile.
      Please enable this IPS protection in Prevent mode (if it is not already enabled in your environment).

    • For other versions

      Please contact Check Point Support.

 

(III) OS Level protection

  1. HTTP

    Regardless of the current vulnerability and as a general best practice, Check Point recommends that customers only allow access to their system admin portals (Admin WebUI) via secure networks. In such scenarios, Check Point systems are not vulnerable to the announced exploit.

    Most Check Point portals are not vulnerable to the Shellshock exploit. Specifically the following are not vulnerable:

    • Mobile Access
    • Identity Awareness Portal
    • User Check
    • All Remote Access Portal for Mobile Access Blade
    • IPSec VPN
    • SNX
    • LOM Portal
  2. DHCP Client

    As a general best practice, Check Point recommends that customers who use their Security Gateway as a DHCP Client perform the following:

    1. Patch the organization DHCP server following the RedHat instructions.
    2. Limit the Security Gateway to accept DHCP packets only from trusted DHCP Servers.

 

(IV) Hotfix packages

This problem was fixed. The fix is included in:

Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway / upgrade Cluster / upgrade VSX / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

A Hotfix package is currently available for R75, R75.10, R75.20, R75.30, R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, and R77.20.

This Hotfix package is relevant to the main appliances lines: 2012 models, Smart-1, Threat Emulation, UTM-1, Power-1. For other appliances, see the relevant section below.

 

Click Here to Show All Instructions and links to Hotfixes

 

  • Hotfix package for R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, R77.20 - Gaia OS using CPUSE (Check Point Update Service Engine)

    1. Connect to the Gaia Portal on your machine and navigate to 'Software Updates' pane.
    2. Select the Check_Point_Hotfix_VERSION_sk102673.tgz package and click 'Install' to install the hotfix.

    Notes:

    • For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
    • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
    • Hotfix has to be installed on all machines running Gaia OS.
    • In cluster environment, this procedure must be performed on all members of the cluster.
    • In Management HA environment, this procedure must be performed on both Management Servers.


  • Hotfix package for all versions - Gaia / SecurePlatform OS (manual installation in Command Line)

    1. Hotfix has to be installed on all machines running Gaia / SecurePlatform OS.
    2. Download the relevant hotfix package from the table below, transfer the hotfix package to the machine and unpack it:
      [Expert@HostName]# tar -zxvf Check_Point_Hotfix_VERSION_OS_sk102673.tgz
    3. Install the hotfix:
      [Expert@HostName]# ./SecurePlatform_HOTFIX_NAME
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    4. Start Check Point services (reboot is not required):
      [Expert@HostName]# cpstart
      (In MDS environments: [Expert@HostName]# mdsstart)
    5. Log out from all shells.

    Notes:

    • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
    • In cluster environment, this procedure must be performed on all members of the cluster.
    • In Management HA environment, this procedure must be performed on both Management Servers.

    In order to download these packages you will need to have a Software Subscription or Active Support plan.

     

    Platform R75.40 R75.40VS R75.45 R75.46 R75.47 R76 R77 R77.10 R77.20
    Gaia
    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)
    SecurePlatform   
    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)


    Platform R75 R75.10 R75.20 R75.30
    SecurePlatform   
    (TGZ)

    (TGZ)

    (TGZ)

    (TGZ)


    • On SecurePlatform OS for R65, R70.x, and R71.x versions:

      1. Download the RPM file "bash_R65_R70x_R71x_SPLAT.rpm" from here.

      2. To install the RPM run:
        [Expert@HostName]# rpm -Uhv bash_R65_R70x_R71x_SPLAT.rpm

      3. Log out from all shells.

      Note: This rpm package covers both Security Gateway and VSX installations.

    • On SecurePlatform OS for VSX R67.10 version:

      1. Download the RPM file "bash_R67_10_SPLAT.rpm" from here.

      2. To install the RPM run:
        [Expert@HostName]# rpm -Uhv bash_R67_10_SPLAT.rpm

      3. Log out from all shells.


  • Hotfix for IPSO 6.2

    Note: This fix is already integrated into IPSO 6.2 MR5 (Build GA100) image.

    • Instructions for Disk-based IPSO 6.2 systems:

      1. Download the TGZ package with improved Bash shell binary file and transfer it to IPSO OS: 

        IPSO 6.2 Link
        MR4/MR4a (TGZ)
        MR1/MR2/MR3 (TGZ)


      2. Connect to IPSO OS over SSH as 'admin', transfer the TGZ package to /var/emhome/admin/ directory and unpack it in that location:
        HostName[admin]# scp Check_Point_IPSO6.2_VERSION_bash.tgz  /var/emhome/admin
        HostName[admin]# tar -zxvf Check_Point_IPSO-6.2_VERSION_bash.tgz

      3. Mount the root file system as read/write:
        HostName[admin]# mount -uw /

      4. Backup the original Bash shell binary file:
        HostName[admin]# cp /bin/bash  /bin/bash_ORIGINAL

      5. Verify MD5 of the improved Bash shell binary file. If the MD5 is correct, copy the file to the destination directory:
        1. HostName[admin]# md5 /var/emhome/admin/Check_Point_IPSO6.2_VERSION_bash/bin/bash
          For IPSO MR4 - 7f14cbc1fa4a8fb35efcb7e0bc64cafd
          For IPSO MR1, MR2, MR3 - 209fa8e6ddd1600b25704f99ed3434fc
        2. HostName[admin]# mv /var/emhome/admin/Check_Point_IPSO6.2_VERSION_bash/bin/bash  /bin/bash


      6. Crucial step: Assign the required permissions and ownership:
        HostName[admin]# chmod 755 /bin/bash
        HostName[admin]# chown root:wheel /bin/bash

      7. Mount the root file system as read-only again:
        HostName[admin]# mount -ur /

      8. Log out from all shells.


    • Instructions for Flash Based (Diskless) IPSO 6.2 systems:

      Download the relevant IPSO image with improved Bash shell to your Windows computer. Unpack the ZIP file. Copy the IPSO image (ipso-6.2.tgz) to an FTP server or to the appliance to be upgraded.

      Important Note: sk102989 - Check Point response to the POODLE Bites vulnerability (CVE-2014-3566) offers new IPSO 6.2 images that resolve both issues - the "CVE-2014-3566 POODLE Bites vulnerability" and the "CVE-2014-6271 and CVE-2014-7169 Bash Code Injection vulnerability".

      IPSO 6.2 Link
      MR4a (ZIP)
      MR3a2 (ZIP)
      MR2a (ZIP)

      To install:

      1. Login as admin, and make sure that you are in /var/emhome/admin directory (run 'pwd' command).

      2. Run newimage -ik
        Note: If you add a new version of IPSO by using the newimage command and the "-k" (keep) option, your previous packages are active with the new IPSO version.

      3. Specify where the ipso-6.2.tgz image for IPSO 6.2 is located, selecting one of the following options:
        Install from FTP server with user and password (You will be prompted for FTP server location and credentials)
        or
        Install from local filesystem (You will be prompted for pathname to the packages, or enter "." for the current directory).

      4. Enter the name of the ipso-6.2.tgz package, and press 'Enter'.

      5. After the upgrade process completes, choose the image to run:
        Choose 'Newly Installed' image.

      6. Reboot the machine by typing reboot at the prompt.

      7. Verify the current image. Type uname -a. The output will contain the following strings:
        MR4a: 6.2-GAMR4A202
        MR3a2: 6.2-GAMR3A302
        MR2a: 6.2-GAMR2A01


    • Instructions for IPSO 4.2 systems:

      The IPSO 4.2 releases did not include the Bash shell, and therefore are not vulnerable.


  • Additional appliances (61000/41000 Security Systems, 600 / 1100 appliances, Security Gateway 80, Edge / Safe@Office devices, X-Series)

    • 61000 / 41000 Security Systems (Gaia OS)



    • 600 / 1100 / Security Gateway 80 appliances (Gaia Embedded OS)

      1. Download R75.20 HFA66.

        Note: For appliances running R75.20.50 firmware version and managed by Check Point Cloud service, download R75.20.51.

      2. Perform an upgrade using the Appliance's WebUI.

      Note:



    • Edge / Safe@Office devices

      These devices are not vulnerable according to the known use cases.

    • X-Series Appliances (Blue Coat)

      A fix for R77.20, R77.10, R77, R76, R75.40VS is available for X-series appliances.
      Note: This fix is suitable for VSX R67 and VSX R68 as well. However, Check Point recommends upgrading to the latest supported version.

      VSX Mode

      1. Download the RPM file:

        APM CPM
        R75.40VS, R76, R77 R70-R77
      2. Install the RPM file:

        • CPM

          1. Follow the instructions in Updating Bash on the X-Series Platform document to upgrade the CPM package.


        • APM (VAP groups update)

          1. Transfer the RPM file to CPM - into the /tftpboot/<vap_group_name>_common/tmp directory.
          2. For each VAP in a VAP group:
            1. Connect to the VAP using the 'rsh' command.
            2. Install the RPM:
              # rpm -Fvh /<vap_group_name>_common/tmp/bash-3.1-16.1.738000005cp.i386.rpm
            3. Verify that the RPM was installed:
              # rpm -qa | grep bash
              The output should be "bash-3.1-16.1.738000005cp"
          3. Log out from all shells.

       

      Non-VSX Mode

      1. Download the RPM file:

        APM and CPM
        R70 - R77


      2. Follow the instructions in Updating Bash on the X-Series Platform document (under "Updating Bash RPMs on X-Series CPMs and VAP Groups" section).

      For more information about BlueCoat X-Series Appliances, refer to Blue Coat Security Advisory SA82.

 

(V) Frequently Asked Questions

Click Here to Show All Questions

Applies To:
  • Shellshock
  • 01481407 , 01481434 , 01481517 , 01481532 , 01481883 , 01482035 , 01482037 , 01482039 , 01482706 , 01482875 , 01487357 , 01487360 , 01487362 , 01488248 , 01488269 , 01488527 , 01488535 , 01488536 , 01488537 , 01489282 , 01493830 , 01493842 , 01493846
  • 01481626 , 01482038 , 01482040
  • 01487398 , 01481479 , 01487407 , 01489771 , 01490431 , 01490679 , 01490784 , 01492556 , 01492838 , 01492916 , 01493002 , 01493056 , 01493059 , 01495122 , 01496617

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment