Check Point Response to Logjam Vulnerability CVE-2015-4000
A new vulnerability called Logjam (CVE-2015-4000) has been revealed by researchers. It has similarities to the FREAK attack vulnerability (CVE-2015-0204) disclosed a few months ago, in that a man-in-the-middle attacker can weaken the encryption between client and server.
Like the FREAK attack, the Logjam vulnerability takes advantage of legacy export-grade encryption standards imposed in the 1990s by the U.S. government and tricks servers into using weaker 512-bit keys, which can be decrypted.
Check Point products are not vulnerable to the Logjam Vulnerability with the following exceptions:
Mobile Access Blade - when using the Mobile Access Portal to access a 3rd party application server (usually an internal server), and if the 3rd party server is vulnerable to the Logjam attack, then the connection may be susceptible to it.
This problem was fixed. The fix is included in:
Check Point recommends always upgrading to the most recent version.
For other supported versions, Check Point Support can supply a Hotfix.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPinfo files from the Security Management Server and Mobile Access Gateways involved in the case.
- Connections between the Mobile Access Gateway and the application server will usually be within the corporate LAN, which makes these connections less likely to be exposed to this vulnerability.
- The vulnerability still requires the attacker to be a Man-In-The-Middle (MITM).
IPSO Voyager with SSL - by default, IPSO does not configure HTTPS access to Voyager and is not vulnerable. However, if this access is manually configured, IPSO would accept connections with export-grade cipher suites.
If the FREAK attack workaround was implemented, there is no need to perform the suggested workaround below.
Check Point released OpenSSL TLS Export Cipher Suite Downgrade (CVE-2015-0204) IPS protection that protects customer environments. This protection is part of the Recommended profile. It enables organizations to add a layer of protection to their network while updating their systems with vendor-provided patches.
The IPS protection covers the following CVEs:
How can IPS best protect my environment?
Verify that the protection is set to "Prevent" mode in all IPS profiles.
To enable the OpenSSL TLS Export Cipher Suite Downgrade (CVE-2015-0204) IPS protection in Prevent mode: right-click on this protection, click on 'Prevent on All Profiles', and install policy on all Security Gateways.
Check Point also released the "SSL Export Cipher Suite" IPS protection that protects customer environments. This protection is not part of the Recommended profile. It will detect and block the usage of weak Export cipher suites.
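The two IPS protections above work by recognising export-grade cipher suites in the TLS handshake. The following is an added example, not Check Point code, showing the same detection logic in plain Python: it parses a TLS ClientHello or ServerHello record and reports any export-grade RSA_EXPORT (FREAK-class) or DHE_EXPORT (Logjam-class) suite offered or selected. The same helpers double as an active check for a 3rd party application server reached through the Mobile Access Portal: probe_server() (hypothetical name) offers only export suites and reports whether the server selects one. The sample handshake records are constructed inline; cipher suite ids are the IANA registry values.

```python
"""Flag export-grade TLS cipher suites in handshake records (added example, not Check Point code)."""
import os
import socket
import struct

# IANA cipher suite ids for the export-grade suites relevant to FREAK (RSA_EXPORT) and Logjam (DHE_EXPORT).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02


def _handshake_record(htype, body):
    """Wrap a handshake body in a handshake header and a TLS 1.0 record header."""
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def build_client_hello(suites):
    """ClientHello (TLS 1.0, no extensions) offering exactly the given cipher suites."""
    body = b"\x03\x01" + os.urandom(32) + b"\x00"          # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                     # one compression method: null
    return _handshake_record(CLIENT_HELLO, body)


def build_server_hello(suite):
    """Constructed ServerHello selecting one suite; used here to build sample input."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    return _handshake_record(SERVER_HELLO, body)


def parse_record(data):
    """Split one TLS record into (content_type, handshake_type, handshake_body)."""
    if len(data) < 5:
        return None, None, b""
    ctype, _, _, rlen = struct.unpack(">BBBH", data[:5])
    payload = data[5:5 + rlen]
    if ctype != HANDSHAKE or len(payload) < 4:
        return ctype, None, payload                          # e.g. an alert record
    hlen = int.from_bytes(payload[1:4], "big")
    return ctype, payload[0], payload[4:4 + hlen]


def _skip_version_random_session(body):
    """Both hello messages start with version(2) + random(32) + session_id(1+n)."""
    pos = 2 + 32
    return pos + 1 + body[pos]


def offered_suites(client_hello_body):
    pos = _skip_version_random_session(client_hello_body)
    n = struct.unpack(">H", client_hello_body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack(">H", client_hello_body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]


def selected_suite(server_hello_body):
    pos = _skip_version_random_session(server_hello_body)
    return struct.unpack(">H", server_hello_body[pos:pos + 2])[0]


def inspect(record):
    """IPS-style check: names of export-grade suites offered (ClientHello) or selected (ServerHello)."""
    ctype, htype, body = parse_record(record)
    if ctype != HANDSHAKE:
        return []
    if htype == CLIENT_HELLO:
        suites = offered_suites(body)
    elif htype == SERVER_HELLO:
        suites = [selected_suite(body)]
    else:
        return []
    return [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]


def probe_server(host, port=443, timeout=5):
    """Active check (hypothetical helper): offer only export suites to an application server.
    A non-empty result means the server agreed to an export-grade suite and is exposed;
    an empty result means it answered with an alert or closed the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_SUITES)))
        return inspect(sock.recv(4096))


if __name__ == "__main__":
    # Constructed sample records: a Logjam-class ClientHello and a ServerHello that picks it.
    print(inspect(build_client_hello([0x0014, 0x002F])))
    print(inspect(build_server_hello(0x0014)))
```

A ServerHello selecting any of these suites is exactly the condition the "SSL Export Cipher Suite" protection blocks; running probe_server() against an internal application server from the Mobile Access Gateway's network segment tells you whether that server needs the vendor patch.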
For IPSO Voyager manually configured to work with SSL, the following workaround is available:
Connect to command line.
[root@HostName ~]# clish
Check the current SSL setting:
IPSO:N> show voyager ssl-level
If this command returns "VoyagerSSLLevel 0", then SSL is not used and IPSO Voyager is not vulnerable.
If this command returns any value other than "0" (zero), then proceed to the next step.
Disable the weak "export" ciphers:
IPSO:N> set voyager ssl-level 168
IPSO:N> save config
Verify your configuration:
IPSO:N> show voyager ssl-level
The output should show "VoyagerSSLLevel 168".
- 01992034, 02007961, 02018541, 02016250, 02010216, 02007928, 02103280