Table of Contents:
-
Background
-
IPS Protection
-
Solution
-
Hotfix Packages
-
Revision History
(I) Background
Check Point products are not vulnerable to the "FREAK" vulnerability (CVE-2015-0204) with the following exceptions:
-
Mobile Access Blade - When using the Mobile Access Portal to access a 3rd party application server (usually, internal server), and if the 3rd party server is vulnerable to FREAK attack, then the connection may be susceptible to it.
Notes:
- Connections between the Mobile Access Gateway and the application server will usually be within the corporate LAN, which makes these connections less likely to be exposed to this vulnerability.
- The vulnerability still requires the attacker to be a Man-In-The-Middle (MITM).
- IPSO Voyager with SSL - By default IPSO does not configure HTTPS access to Voyager, so it is not vulnerable; but if this access is manualy configured, IPSO would accept connections with export grade cipher suites.
Follow the below procedure to workaround this issue.
- Other Check Point products
Feature / Appliance |
Status |
Gaia Portal / SecurePlatform WebUI |
Not Vulnerable |
600 / 1100 / Security Gateway 80 appliances |
Not Vulnerable |
X-Series Appliances (Blue Coat) |
Not Vulnerable |
Edge / Safe@Office devices |
Not Vulnerable |
61000 / 41000 Security Systems |
Vulnerable when Mobile Access Blade is enabled and Mobile Access Portal is used.
Fix was integrated into Take_62 of Jumbo Hotfix Accumulator for R76SP.10. |
LOM card WebUI |
Fixed in LOM firmware v2.2 (refer to sk101241) |
(II) IPS Protection
Check Point released "OpenSSL TLS Export Cipher Suite Downgrade (CVE-2015-0204)" IPS protection that protects customer environments.
This protection is part of the Recommended profile. It enables organizations to add a layer of protection to their network while updating their systems with vendor-provided patches.
-
CVEs
The IPS protection covers the following CVEs:
- CVE-2015-0204
- CVE-2015-1637
-
How can IPS best protect my environment?
Verify that the protection is set to "Prevent
" mode in all IPS profiles.
To enable the "OpenSSL TLS Export Cipher Suite Downgrade (CVE-2015-0204)" IPS protection in Prevent
mode: right-click on this protection, click on 'Prevent on All Profiles
', and install policy on all Security Gateways.
Check Point also released the "SSL Export Cipher Suite" IPS protection that protects customer environments. This protection is not part of the Recommended profile. It will detect and block the usage of weak Export cipher suites
(III) Solution
It is highly recommended that the 3rd party Application Servers that are accessed through Mobile Access Blade will be configured to be not vulnerable to the FREAK attack.
In case Mobile Access Blade is configured to connect to a 3rd party Application Server that is vulnerable to FREAK attack, it is recommended to install the Hotfix below on the Security Gateway with enabled Mobile Access Blade. Refer to the "Hotfix Packages" section.
Check Point released a Hotfix for R77.20 and R77.10 (this hotfix is already integrated into R80.10 and R77.30). For other versions, contact Check Point Support (please collect CPinfo files from the Security Management Server and Security Gateways involved in the case).
Check Point continues the investigation and will update this SK article accordingly.
For IPSO Voyager manually configured to work with SSL the following workaround is available:
- Connect to command line.
-
Open Clish:
[root@HostName ~]# clish
-
Check the current SSL setting:
IPSO:N> show voyager ssl-level
- If this command returns "VoyagerSSLLevel 0", then SSL is not used and IPSO Voyager is not vulnerable.
- If this command returns any value other than "0" (zero), then proceed to the next step.
-
Disable the weak "export" ciphers:
IPSO:N> set voyager ssl-level 168
IPSO:N> save config
-
Verify your configuration:
IPSO:N> show voyager ssl-level
The output should show "VoyagerSSLLevel 168"
(IV) Hotfix Packages
Hotfix packages are available for R77.20 and R77.10 (this hotfix is already integrated into R77.30).
Notes:
Instructions:
These hotfix packages also include the following fixes:
(V) Revision History
Applies To:
- 01602689, 01602914, 01602918, 01602960, 01602973, 01604051, 01604089, 01604137, 01604166, 01604930, 01604933, 01606208, 01606882, 01610080, 01611943, 01629300