Check Point Response to Logjam Vulnerability CVE-2015-4000
Solution

A new vulnerability called Logjam (CVE-2015-4000) has been revealed by researchers. It is similar to the FREAK attack (CVE-2015-0204) disclosed a few months ago: a man-in-the-middle attacker can weaken the encryption negotiated between client and server.

Like the FREAK attack, Logjam takes advantage of legacy encryption standards imposed in the 1990s by the U.S. government and tricks servers into using weaker 512-bit keys, which can be decrypted.

Check Point products are not vulnerable to the Logjam vulnerability, with the following exceptions:

  • Mobile Access Blade - when the Mobile Access Portal is used to access a 3rd party application server (usually an internal server), and that 3rd party server is vulnerable to the Logjam attack, the connection may be susceptible to it.

    This problem was fixed. The fix is included in:



    Check Point recommends always upgrading to the most recent version.

    For other supported versions, Check Point Support can supply a Hotfix.

    A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
    For faster resolution and verification, please collect CPinfo files from the Security Management Server and Mobile Access Gateways involved in the case.

    Notes:

    1. Connections between the Mobile Access Gateway and the application server will usually be within the corporate LAN, which makes these connections less likely to be exposed to this vulnerability.
    2. The vulnerability still requires the attacker to be a Man-In-The-Middle (MITM).


  • IPSO Voyager with SSL - by default, IPSO does not configure HTTPS access to Voyager and is not vulnerable. However, if this access is manually configured, IPSO would accept connections with export-grade cipher suites.
    If the FREAK attack workaround was already implemented, there is no need to perform the workaround suggested below.

 

IPS Protection

Check Point released the OpenSSL TLS Export Cipher Suite Downgrade (CVE-2015-0204) IPS protection, which protects customer environments. This protection is part of the Recommended profile. It enables organizations to add a layer of protection to their network while updating their systems with vendor-provided patches.

CVEs

The IPS protection covers the following CVEs:

  • CVE-2015-0204
  • CVE-2015-1637
  • CVE-2015-4000

How can IPS best protect my environment?

Verify that the protection is set to "Prevent" mode in all IPS profiles.

To enable the OpenSSL TLS Export Cipher Suite Downgrade (CVE-2015-0204) IPS protection in Prevent mode: right-click on this protection, click on 'Prevent on All Profiles', and install policy on all Security Gateways.

Check Point also released the "SSL Export Cipher Suite" IPS protection, which protects customer environments. This protection is not part of the Recommended profile. It detects and blocks the use of weak Export cipher suites.
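As an added example (not Check Point's code, and not how the IPS protections above are implemented), the following Python script shows the two checks a defender would apply to the handshake messages involved in Logjam and FREAK: it flags export-grade cipher suites offered in a ClientHello or selected in a ServerHello, which is the condition the "SSL Export Cipher Suite" protection blocks, and it flags a ServerKeyExchange whose Diffie-Hellman prime is shorter than a chosen minimum, which is the client-side defence against the 512-bit downgrade. The cipher suite IDs are the registered TLS values; the sample records are constructed inline (the DH "prime" is just an odd number of the requested size, not a real group), and the 2048-bit minimum is an assumption, not a value from this article.

```python
"""Minimal TLS handshake inspector for export-grade downgrades.

Added example, not Check Point code. Parses raw TLS 1.x handshake records
and reports export cipher suites and short Diffie-Hellman primes.
"""
import struct

# Export-grade cipher suite IDs from the IANA TLS registry. The two
# DHE_EXPORT suites (0x0011, 0x0014) are the ones a Logjam downgrade lands on.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
MIN_DH_BITS = 2048  # assumed policy threshold; a 512-bit export group fails by far

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 22, 1, 2, 12


def parse_record(data):
    """Split one TLS record into (content_type, version, body)."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return ctype, version, data[5:5 + length]


def handshake_body(record_body):
    """Return (handshake_type, body) of the first handshake message in a record."""
    htype = record_body[0]
    length = int.from_bytes(record_body[1:4], "big")
    return htype, record_body[4:4 + length]


def client_hello_suites(body):
    """Cipher suites offered: version(2) random(32) session_id<1+n> suites<2+m>."""
    pos = 2 + 32
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def server_hello_suite(body):
    """Cipher suite selected: version(2) random(32) session_id<1+n> suite(2)."""
    pos = 2 + 32
    sid_len = body[pos]
    pos += 1 + sid_len
    return struct.unpack("!H", body[pos:pos + 2])[0]


def server_key_exchange_dh_bits(body):
    """Bit length of the DH prime p in a DHE ServerKeyExchange (p<2+n> comes first)."""
    p_len = struct.unpack("!H", body[:2])[0]
    p = int.from_bytes(body[2:2 + p_len], "big")
    return p.bit_length()


def inspect(record):
    """Return a list of findings (strings) for one handshake record; empty if clean."""
    ctype, _, rbody = parse_record(record)
    if ctype != HANDSHAKE:
        return []
    htype, body = handshake_body(rbody)
    findings = []
    if htype == CLIENT_HELLO:
        for suite in client_hello_suites(body):
            if suite in EXPORT_SUITES:
                findings.append(f"ClientHello offers {EXPORT_SUITES[suite]}")
    elif htype == SERVER_HELLO:
        suite = server_hello_suite(body)
        if suite in EXPORT_SUITES:
            findings.append(f"ServerHello selected {EXPORT_SUITES[suite]}")
    elif htype == SERVER_KEY_EXCHANGE:
        bits = server_key_exchange_dh_bits(body)
        if bits < MIN_DH_BITS:
            findings.append(f"ServerKeyExchange uses {bits}-bit DH prime")
    return findings


# --- constructed sample records (not captured traffic) ---------------------

def _record(htype, hbody):
    hs = bytes([htype]) + len(hbody).to_bytes(3, "big") + hbody
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


def make_client_hello(suites):
    """TLS 1.2 ClientHello with an empty session id, the given suites, null compression."""
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00")
    return _record(CLIENT_HELLO, body)


def make_server_hello(suite):
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)


def make_server_key_exchange(p_bits):
    """DHE ServerKeyExchange with a p of p_bits bits (odd filler, not a real prime), g=2."""
    p = (1 << (p_bits - 1)) | 1
    pb = p.to_bytes(p_bits // 8, "big")
    body = struct.pack("!H", len(pb)) + pb + struct.pack("!H", 1) + b"\x02" \
        + struct.pack("!H", len(pb)) + pb  # g and Ys; signature omitted for the demo
    return _record(SERVER_KEY_EXCHANGE, body)


if __name__ == "__main__":
    for rec in (make_client_hello([0xC02F, 0x0014]), make_server_hello(0x0014),
                make_server_key_exchange(512), make_server_key_exchange(2048)):
        print(inspect(rec) or ["clean"])
```

The ClientHello check is what an inline IPS can act on before the downgrade completes; the ServerKeyExchange check is the one only an endpoint can make, because in a Logjam attack the ServerHello seen by the client names an ordinary DHE suite while the key exchange carries the 512-bit group.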

 

IPSO workaround

For IPSO Voyager manually configured to work with SSL, the following workaround is available:

  1. Connect to command line.

  2. Open Clish:

    [root@HostName ~]# clish
  3. Check the current SSL setting:

    IPSO:N> show voyager ssl-level

    • If this command returns "VoyagerSSLLevel 0", then SSL is not used and IPSO Voyager is not vulnerable.

    • If this command returns any value other than "0" (zero), then proceed to the next step.

  4. Disable the weak "export" ciphers:

    IPSO:N> set voyager ssl-level 168
    IPSO:N> save config
  5. Verify your configuration:

    IPSO:N> show voyager ssl-level

    The output should show "VoyagerSSLLevel 168".

 

Applies To:
  • 01992034 , 02007961 , 02018541 , 02016250 , 02010216 , 02007928 , 02103280
