Check Point response to TLS FREAK Attack (CVE-2015-0204)
Symptoms
  • On Tuesday, March 3, 2015, researchers disclosed a new SSL/TLS vulnerability - the FREAK attack. The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and vulnerable servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered.
    There are several posts that discuss the attack in detail: Matt Green, The Washington Post and Ed Felten.

    A connection is vulnerable only when both conditions hold: the server accepts RSA_EXPORT cipher suites, and the client either offers an RSA_EXPORT suite or uses a version of OpenSSL that is vulnerable to CVE-2015-0204.
Solution

Table of Contents:

  1. Background
  2. IPS Protection
  3. Solution
  4. Hotfix Packages
  5. Revision History

 

(I) Background

Check Point products are not vulnerable to the "FREAK" vulnerability (CVE-2015-0204) with the following exceptions:

  • Mobile Access Blade - When the Mobile Access Portal is used to access a 3rd party application server (usually an internal server), and that 3rd party server is vulnerable to the FREAK attack, the connection may be susceptible to it.

    Notes:

    1. Connections between the Mobile Access Gateway and the application server will usually be within the corporate LAN, which makes these connections less likely to be exposed to this vulnerability.

    2. The vulnerability still requires the attacker to be a Man-In-The-Middle (MITM).


  • IPSO Voyager with SSL - By default, IPSO does not configure HTTPS access to Voyager, so it is not vulnerable; but if this access is manually configured, IPSO would accept connections with export-grade cipher suites.
    Follow the procedure below to work around this issue.


  • Other Check Point products

    Feature / Appliance                          | Status
    ---------------------------------------------|------------------------------------------------------------
    Gaia Portal / SecurePlatform WebUI           | Not Vulnerable
    600 / 1100 / Security Gateway 80 appliances  | Not Vulnerable
    X-Series Appliances (Blue Coat)              | Not Vulnerable
    Edge / Safe@Office devices                   | Not Vulnerable
    61000 / 41000 Security Systems               | Vulnerable when Mobile Access Blade is enabled and Mobile Access Portal is used. Fix was integrated into Take_62 of Jumbo Hotfix Accumulator for R76SP.10.
    LOM card WebUI                               | Fixed in LOM firmware v2.2 (refer to sk101241)

 

(II) IPS Protection

Check Point released "OpenSSL TLS Export Cipher Suite Downgrade (CVE-2015-0204)" IPS protection that protects customer environments.
This protection is part of the Recommended profile. It enables organizations to add a layer of protection to their network while updating their systems with vendor-provided patches.

  1. CVEs

    The IPS protection covers the following CVEs:

    • CVE-2015-0204

    • CVE-2015-1637

  2. How can IPS best protect my environment?

    Verify that the protection is set to "Prevent" mode in all IPS profiles.

    To enable the "OpenSSL TLS Export Cipher Suite Downgrade (CVE-2015-0204)" IPS protection in Prevent mode: right-click on this protection, click on 'Prevent on All Profiles', and install policy on all Security Gateways.

Check Point also released the "SSL Export Cipher Suite" IPS protection that protects customer environments. This protection is not part of the Recommended profile. It detects and blocks the usage of weak Export cipher suites.
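The two IPS protections above correspond to two distinct handshake patterns: a server selecting an RSA_EXPORT suite at all ("SSL Export Cipher Suite"), and a server selecting an RSA_EXPORT suite that the client never offered, which is the condition in the Symptoms section that an OpenSSL client affected by CVE-2015-0204 would silently accept. The following Python is an added example, not Check Point's detection logic; it parses ClientHello and ServerHello records and classifies a handshake into those cases, using constructed sample records rather than real captures.

```python
import struct

# RSA_EXPORT cipher suite IDs from the TLS 1.0/1.1 registry (RFC 2246 / RFC 4346).
RSA_EXPORT_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                     0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}

def hello_suites(record):
    """Parse one TLS handshake record into (msg_type, suites): 1 = ClientHello, 2 = ServerHello."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    msg_type, length = record[5], int.from_bytes(record[6:9], "big")
    body = record[9:9 + length]
    pos = 2 + 32                                      # skip version and random
    pos += 1 + body[pos]                              # skip session_id
    if msg_type == 2:                                 # ServerHello carries the one selected suite
        return 2, [struct.unpack("!H", body[pos:pos + 2])[0]]
    if msg_type != 1:
        raise ValueError("not a ClientHello or ServerHello")
    n = struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites length in bytes
    pos += 2
    return 1, [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]

def assess(client_record, server_record):
    """Classify a handshake along the lines of the two IPS protections described above."""
    kind_c, offered = hello_suites(client_record)
    kind_s, selected = hello_suites(server_record)
    if (kind_c, kind_s) != (1, 2):
        raise ValueError("expected a ClientHello followed by a ServerHello")
    chosen = selected[0]
    export_chosen = chosen in RSA_EXPORT_SUITES
    return {"offered_export": any(s in RSA_EXPORT_SUITES for s in offered),
            "selected_export": export_chosen,                       # "SSL Export Cipher Suite"
            "downgrade": export_chosen and chosen not in offered,   # CVE-2015-0204 pattern
            "suite": RSA_EXPORT_SUITES.get(chosen, "0x%04x" % chosen)}

# Constructed sample records (not real captures): minimal TLS 1.0 hellos without extensions.
def build_hello(msg_type, suites):
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00"       # version, random, empty session_id
    if msg_type == 1:                                 # ClientHello: suite list, null compression
        body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00"
    else:                                             # ServerHello: one suite, null compression
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    client = build_hello(1, [0x002F, 0x0035])         # AES-only offer; server answers with an export suite
    print(assess(client, build_hello(2, [0x0003])))   # -> downgrade case flagged
```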

 

(III) Solution

It is highly recommended that the 3rd party Application Servers accessed through the Mobile Access Blade be configured so that they are not vulnerable to the FREAK attack.

If the Mobile Access Blade is configured to connect to a 3rd party Application Server that is vulnerable to the FREAK attack, it is recommended to install the Hotfix below on the Security Gateway with the Mobile Access Blade enabled. Refer to the "Hotfix Packages" section.

Check Point released a Hotfix for R77.20 and R77.10 (this hotfix is already integrated into R80.10 and R77.30). For other versions, contact Check Point Support (please collect CPinfo files from the Security Management Server and Security Gateways involved in the case).

Check Point continues the investigation and will update this SK article accordingly.

 

For IPSO Voyager manually configured to work with SSL, the following workaround is available:

  1. Connect to command line.

  2. Open Clish:

    [root@HostName ~]# clish

  3. Check the current SSL setting:

    IPSO:N> show voyager ssl-level

    • If this command returns "VoyagerSSLLevel 0", then SSL is not used and IPSO Voyager is not vulnerable.

    • If this command returns any value other than "0" (zero), then proceed to the next step.


  4. Disable the weak "export" ciphers:

    IPSO:N> set voyager ssl-level 168
    IPSO:N> save config

  5. Verify your configuration:

    IPSO:N> show voyager ssl-level

    The output should show "VoyagerSSLLevel 168".

 

(IV) Hotfix Packages

Hotfix packages are available for R77.20 and R77.10 (this hotfix is already integrated into R77.30).

Notes:

Instructions:

 

These hotfix packages also include the following fixes:

 

(V) Revision History

 


Date          Description
16 Nov 2017   Added fix for LOM card
01 July 2015  Updated instructions for IPSO Voyager
30 May 2015   Added a note that the offered hotfix is already integrated into R77.30
25 May 2015   Updated status of fix availability for 61000 / 41000 Security Systems
30 Mar 2015   Additional fixes were indicated
22 Mar 2015   Updated status of 61000 / 41000 Security Systems
11 Mar 2015   Updated status of X-Series Appliances / Edge / Safe@Office devices as Not Vulnerable
08 Mar 2015   Added HotFix for R77.10
08 Mar 2015   Added workaround for IPSO Voyager with SSL
06 Mar 2015   First release of this article
Applies To:
  • 01602689, 01602914, 01602918, 01602960, 01602973, 01604051, 01604089, 01604137, 01604166, 01604930, 01604933, 01606208, 01606882, 01610080, 01611943, 01629300
