A POODLE attack may work against TLS connections, allowing a network attacker to extract the plain text of targeted parts of a TLS connection, usually cookie data.
The following Check Point products are vulnerable to TLS 1.x Padding:
HTTPS Inspection - when HTTPS Inspection is enabled, a POODLE attack may work against a TLS connection between the client machine (the browser) and the gateway.
Multi Portal (software blades portals) - Multi Portal is used to run different portals on TCP port 443.
Software blades that can be configured with such a portal are: Mobile Access Blade, VPN (Remote Access), Identity Awareness, DLP, or UserCheck when it is configured to use port 443. Gaia Portal and SecurePlatform WebUI will use Multi Portal if they are configured on TCP port 443 and one or more of these software blades are enabled. When Multi Portal is used, a POODLE attack may work against a TLS connection between the client machine (the browser) and the gateway.
The following products are under investigation for this vulnerability:
LOM Card WebUI
X-Series Appliances (Bluecoat)
Other Check Point products are not vulnerable to TLS 1.x Padding; specifically, these products that run portals are not vulnerable:
Gaia Portal when configured on TCP port other than 443
SecurePlatform WebUI when configured on TCP port other than 443
A Hotfix to address this vulnerability was released for R77.20, R77.10, R77, R76 and R75.47.
Customers who installed the Jumbo Hotfix Accumulator for R77.20 / R77.10 / R77 / R76 / R75.47 should follow the relevant Jumbo SecureKnowledge solution. An update to the Jumbo Hotfix Accumulator that includes the TLS hotfix is planned for release soon.
A Hotfix to address this vulnerability was released for 600 / 1100 / Security Gateway 80 appliances running the R75.20 version. See the recommendations below for 600 / 1100 / Security Gateway 80 appliances running R75.20.X (Gaia Embedded OS).
Once the Hotfix is installed, Inbound HTTPS Inspection will protect internal Web servers from this POODLE attack against a TLS connection between a client machine (the browser) on the Internet and the gateway.
IPS Protections
Once the HTTPS Inspection Hotfix is installed, inbound HTTPS Inspection will protect the internal Web servers from the TLS 1.x padding vulnerability. For now, no IPS protection is expected for this vulnerability.
Connect to the Gaia Portal on your Security Gateway, navigate to the 'Upgrades (CPUSE)' pane / the 'Software Updates' pane, and click on 'Status and Actions'.
Select the hotfix package - '<VERSION> Hotfix for sk103683 (Check Point response to TLS 1.x padding vulnerability)' - and click on the 'Install Update' button on the toolbar.
Transfer the hotfix package to the Security Gateway (into some directory) and unpack it: [Expert@HostName]# tar -zxvf Check_Point_Hotfix_<VERSION>_<OS>_sk103683.tgz
Install the hotfix:
On Gaia, SecurePlatform, Linux OS: [Expert@HostName]# ./UnixInstallScript
On IPSO OS: [Expert@HostName]# ./fw1_wrapper_HOTFIX_FOXX_HF_HA47_068_<build-number>
Note: The script will stop all Check Point services ('cpstop') - read the output on the screen.
Note: Do not install this firmware on appliances that run the R75.20.51 firmware version and are managed by the Check Point Cloud service. Contact Check Point Support to obtain this fix for R75.20.51 firmware.
Perform an upgrade using the Appliance's WebUI.
To uninstall the improved firmware: Go to 'Device' tab - go to 'System' section - click on 'System Operations' - click on the 'Revert to Previous image' button.