Check Point response to TLS 1.x padding vulnerability
Symptoms
  • A POODLE attack may work against TLS connections allowing a network attacker to extract the plain text of targeted parts of a TLS connection, usually cookie data.

    Full Report published by ImperialViolet. See https://www.imperialviolet.org/2014/12/08/poodleagain.html

  • The following Check Point products are vulnerable to TLS 1.x Padding:

    1. HTTPS Inspection – when HTTPS Inspection is enabled, a POODLE attack may work against a TLS connection between the client machine (the browser) and the gateway.

    2. Multi Portal (software blade portals) - Multi Portal is used to run different portals on TCP port 443.
      Software blades that can be configured with such a portal are: Mobile Access Blade, VPN (Remote Access), Identity Awareness, DLP, or UserCheck when it is configured to use port 443. Gaia Portal and SecurePlatform WebUI will use Multi Portal if configured on TCP port 443 and one or more of these software blades are enabled.
      When Multi Portal is used, a POODLE attack may work against a TLS connection between the client machine (the browser) and the gateway.


  • The following products are under investigation for this vulnerability:
    1. LOM Card WebUI
    2. X-Series Appliances (Bluecoat)


  • Other Check Point products are not vulnerable to TLS 1.x Padding. Specifically, the following products that run portals are not vulnerable:

    • Gaia Portal when configured on TCP port other than 443
    • SecurePlatform WebUI when configured on TCP port other than 443
    • Client Authentication Portal
    • Management Portal (SmartPortal)
    • Edge / Safe@Office devices
    • Endpoint Security Management Server
    • IPSO Network Voyager
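
The padding check at the heart of this issue, as an added example (not Check Point code): TLS 1.x requires every CBC padding byte to equal the padding length, and a receiver that only reads the final length byte, as SSLv3 did, accepts records whose padding was altered in transit. The function names, the 20-byte MAC length and the sample records are constructed for this illustration; MAC verification itself is left out.

```python
# Added illustration, not Check Point code. Names and sample records are constructed.
MAC_LEN = 20  # HMAC-SHA1 tag length, assumed for the sample records


def padding_ok_lax(plaintext: bytes, block_size: int = 16) -> bool:
    """SSLv3-style check: trusts the final length byte, ignores the padding bytes."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 + MAC_LEN <= len(plaintext)


def padding_ok_strict(plaintext: bytes, block_size: int = 16) -> bool:
    """TLS 1.x check (RFC 5246, 6.2.3.2): every padding byte must equal pad_len."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return False
    diff = 0
    # Fold all pad_len + 1 trailing bytes together; no early exit at the first mismatch.
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


def accepted_only_by_lax(records):
    """Return names of records a lax receiver accepts but a strict one rejects."""
    return [name for name, rec in records
            if padding_ok_lax(rec) and not padding_ok_strict(rec)]


# Constructed decrypted records: 16 bytes of data + 20-byte MAC placeholder + 12 bytes padding.
BODY = b"GET / HTTP/1.1\r\n" + b"\xaa" * MAC_LEN
SAMPLES = [
    ("well_formed", BODY + bytes([11]) * 12),
    ("garbage_padding", BODY + bytes(range(11)) + bytes([11])),
    ("bad_length_byte", BODY + bytes([11]) * 11 + bytes([200])),
]

if __name__ == "__main__":
    for name, rec in SAMPLES:
        print(name, "lax:", padding_ok_lax(rec), "strict:", padding_ok_strict(rec))
    print("accepted only by lax check:", accepted_only_by_lax(SAMPLES))
```
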
Solution

This problem was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version (upgrade Security Gateway / upgrade Cluster / upgrade Security Management Server / upgrade Multi-Domain Security Management Server / upgrade 600 appliance, upgrade 1100 appliance).

 

For lower supported versions:

  • A Hotfix to address this vulnerability was released for R77.20, R77.10, R77, R76 and R75.47.

  • Customers who installed Jumbo Hotfix Accumulator for R77.20 / R77.10 / R77 / R76 / R75.47 should follow the relevant jumbo SecureKnowledge solution. An update to jumbo hotfix accumulator that includes the TLS hotfix is planned to be released soon.

  • A Hotfix to address this vulnerability was released for 600 / 1100 / Security Gateway 80 running R75.20 version. See below recommendations for 600 / 1100 / Security Gateway 80 appliances running R75.20.X (Gaia Embedded OS).

  • For other versions, contact Check Point Support to get a Hotfix for this issue.


Once the Hotfix is installed, the Inbound HTTPS Inspection will protect internal Web servers from this POODLE attack against a TLS connection between the client machine (the browser) located at the Internet and the gateway.

IPS Protections

Once the HTTPS Inspection Hotfix is installed, the inbound HTTPS Inspection will protect the internal Web servers from TLS 1.X padding vulnerability. For now, no IPS protection is expected for this vulnerability.

 

Summary table with recommended hotfixes:

In order to download these hotfix packages you will need to have a Software Subscription or Active Support plan.

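Version | Platform                         | Link | Installation Instructions
--------|----------------------------------|------|--------------------------
R77.20  | Gaia                             |      | CPUSE
R77.20  | Gaia, SecurePlatform, Linux, XOS |      | Manual
R77.20  | IPSO                             |      | Manual
R77.10  | Gaia                             |      | CPUSE
R77.10  | Gaia, SecurePlatform, Linux, XOS |      | Manual
R77.10  | IPSO                             |      | Manual
R77     | Gaia                             |      | CPUSE
R77     | Gaia, SecurePlatform, Linux, XOS |      | Manual
R77     | IPSO                             |      | Manual
R76     | Gaia                             |      | CPUSE
R76     | Gaia, SecurePlatform, Linux, XOS |      | Manual
R76     | IPSO                             |      | Manual
R75.47  | Gaia                             |      | CPUSE
R75.47  | Gaia, SecurePlatform, Linux, XOS |      | Manual
R75.47  | IPSO                             |      | Manual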

Note: These hotfix packages also include the following fixes:

Contact Check Point Support to get a Hotfix for older versions that are not referenced on this table.

Installation Instructions:

  • Hotfix installation instructions for Gaia OS using CPUSE (Check Point Update Service Engine)

    1. Connect to the Gaia Portal on your Security Gateway and navigate to the 'Upgrades (CPUSE)' pane / to the 'Software Updates' pane - click on 'Status and Actions'.
    2. Select the hotfix package - <VERSION> Hotfix for sk103683 (Check Point response to TLS 1.x padding vulnerability) - and click on the 'Install Update' button on the toolbar.

    Notes:

    • For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
    • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
    • Hotfix has to be installed on all Security Gateways running on Gaia OS.
    • In cluster environment, this procedure must be performed on all members of the cluster.


  • Hotfix installation instructions for Gaia / SecurePlatform / X-Series XOS / IPSO OS (manual installation in Command Line)

    1. Hotfix has to be installed on all Security Gateways running on Gaia / SecurePlatform / X-Series XOS / IPSO OS.

      Notes:

      • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
      • In cluster environment, this procedure must be performed on all members of the cluster.


    2. Download the relevant hotfix package from the summary table above.

      In order to download these hotfix packages you will need to have a Software Subscription or Active Support plan.

    3. Transfer the hotfix package to the Security Gateway (into some directory) and unpack it:
      [Expert@HostName]# tar -zxvf Check_Point_Hotfix_<VERSION>_<OS>_sk103683.tgz

    4. Install the hotfix:

      • On Gaia, SecurePlatform, Linux OS:
        [Expert@HostName]# ./UnixInstallScript

      • On IPSO OS:
        [Expert@HostName]# ./fw1_wrapper_HOTFIX_FOXX_HF_HA47_068_<build-number>


      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.

    5. Reboot the Security Gateway.

  • Recommendations for 600 / 1100 / Security Gateway 80 appliances running R75.20.X (Gaia Embedded OS)

    1. Download R75.20 HFA69.

      Note: Do not install this firmware on appliances running R75.20.51 firmware version and managed by Check Point Cloud service. Contact Check Point Support in order to get this fix over R75.20.51 firmware.

    2. Perform an upgrade using the Appliance's WebUI.

To uninstall the improved firmware:
Go to 'Device' tab - go to 'System' section - click on 'System Operations' - click on the 'Revert to Previous image' button.

For detailed instructions, refer to Check Point 600 Appliance Admin Guide (page 43), and to Check Point 1100 Appliance Admin Guide (page 69).

 

Revision History

Date Description
16 Mar 2016
  • Added versions that already contain the fix
  • Clarified that vulnerable firmware on 600 / 1100 / Security Gateway 80 appliances is R75.20.X
28 Dec 2014 Added hotfixes for R75.47 version.
22 Dec 2014 Added hotfixes for R76 version.
18 Dec 2014 Added hotfixes for R77 version.
17 Dec 2014 Added R75.20.69, the hotfix for 600 / 1100 / Security Gateway 80 appliances.
14 Dec 2014 Added hotfixes for R77.10 version.
09 Dec 2014 First release of this document.

 
