The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, a.k.a. the "Bar Mitzvah" issue.

Background

• This attack (CVE-2015-2808), called "Bar Mitzvah", allows an attacker to extract the plaintext of the initial bytes of an RC4 encryption stream.

• As RC4 does not properly combine state data with key data during its initialization phase, it makes it easier conduct plaintext-recovery attacks against the initial bytes of a stream by:
  
  1. Sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness.
  2. Using a brute-force approach involving LSB values, a.k.a. the "Bar Mitzvah" attack.
• Full report: https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf

 

Statement

1. Check Point products are not vulnerable to the "Bar Mitzvah" attack, with the following exceptions:
   
   • Products which use TLS that supports cipher suite with RC4.
2. Disabling support for cipher suites that include RC4 usage in TLS mitigates this attack.

 

How to disable support for cipher suites that include RC4

 

• Disabling RC4-including cipher suites for SSL Network Extender (SNX) users

  Show / Hide instructions
  

  Gateway	Procedure
  Security Gateway	This procedure applies to main train Security Gateway. Connect with SmartDashboard to Security Management Server / Domain Management Server. Go to Policy menu - click on Global Properties. Expand Remote Access. Click on SSL Network Extender. In the Supported encryption methods field, change: from AES, 3DES, RC4 to AES, 3DES Click on OK to apply the changes. Save the changes: go to File menu - click on Save. Install the policy on all managed Security Gateways / Clusters.
  SMB appliances (600 / 700 / 1100 / 1200R / 1400)	This procedure applies to all Small Business & Branch Office appliances running Gaia Embedded OS R77.20 and above - 600 / 700 / 1100 / 1200R / 1400. Connect to Web GUI on the appliance. Go to Device tab. In the Advanced section, click on the Advanced Settings page. In the search field, enter RC4. Click on the VPN Remote Access - SNX support RC4 - click on the Edit button. Clear the box SNX support RC4. Click on the Apply button. Verify that the Value column now shows false.

  Related solutions:

  • sk116156 - "Cannot establish connection to SSL Network Extender gateway. Try to reconnect." error from SNX client on Mac OS X / macOS after disabling both RC4 and 3DES cipher suites on the Mobile Access Gateway
  
  
  

• Disabling RC4-including cipher suites for Gaia Portal

  Show / Hide instructions
  

  Version	Procedure
  R77.30	No steps are required.
  R77.20 on main train Security Gateway	Hotfix has to be installed on Security Gateway / Cluster members. Important Note about upgrade to R77.30: Upgrade from R77.20 with this hotfix to R77.30 will be aborted due to a fix conflict as this hotfix is not included in Check Point R77.30. Follow the instructions in sk107233. The required fix is already included in: Jumbo Hotfix Accumulator for R77.20 - since Take_138 Hotfix installation instructions: Hotfix installation for R77.20 Gaia OS using CPUSE Online installation In Gaia Portal: Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions. Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar. Reboot is required. In Gaia Clish: Connect to command line on Gaia OS. Log in to Clish. Acquire the lock over Gaia configuration database: HostName:0> lock database override Show the packages that are available for download: Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..." HostName:0> show installer packages available-for-download Verify that this package can be installed without conflicts: HostName:0> installer verify <Package_Number> Download the package from Check Point cloud: HostName:0> installer download <Package_Number> Install the downloaded package: HostName:0> installer install <Package_Number> Note: The progress (in per cent) will be displayed in Clish. Reboot is required. Offline installation Version Gaia - CPUSE Offline R77.20 (TGZ) Installation instructions: In Gaia Portal: Download the Gaia CPUSE Offline package from the table above. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions. On the toolbar, click on the More button - select Import Package - browse for the CPUSE Offline package (TGZ file) - click on Upload. Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar. Reboot is required. In Gaia Clish: Install the latest build of CPUSE Agent from sk92449. Download the Gaia CPUSE Offline package from the table above. Transfer the downloaded Gaia CPUSE Offline package to the target Gaia machine (into some directory, e.g., /some_path_to_jumbo/). Connect to command line on target Gaia OS. Log in to Clish. Acquire the lock over Gaia configuration database: HostName:0> lock database override Import the package from the hard disk: Note: When import completes, this package is deleted from the original location. HostName:0> installer import local <Full_Path>/Check_Point_Hotfix_R77.20_sk106478.tgz Show the imported packages: Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..." HostName:0> show installer packages imported Verify that this package can be installed without conflicts: HostName:0> installer verify <Package_Number> Install the imported package: HostName:0> installer install <Package_Number> Reboot is required. Notes: For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE". Make sure to take a snapshot of your Check Point machine before installing this hotfix. Hotfix has to be installed on all Check Point machines running R77.20 Gaia OS. In cluster environment, this procedure must be performed on all members of the cluster. In Management HA environment, this procedure must be performed on both Management Servers. Hotfix installation for R77.20 Gaia OS using Legacy CLI Version Gaia - Legacy CLI R77.20 (TGZ) Download the hotfix package from the table above, transfer the hotfix package to the machine and unpack it: [Expert@HostName]# tar -zxvf Check_Point_Hotfix_R77.20_Linux_sk106478.tgz Install the hotfix: [Expert@HostName]# ./UnixInstallScript Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen. Reboot is required. Notes: Make sure to take a snapshot of your Check Point machine before installing this hotfix. Hotfix has to be installed on all Check Point machines running R77.20 Gaia OS. In cluster environment, this procedure must be performed on all members of the cluster. In Management HA environment, this procedure must be performed on both Management Servers.
  R77.20 on SMB appliances (600 / 700 / 1100 / 1200R / 1400)	This procedure applies to all Small Business & Branch Office appliances running Gaia Embedded OS R77.20 and above - 600 / 700 / 1100 / 1200R / 1400. Connect to Web GUI on the appliance. Go to Device tab. In the Advanced section, click on the Advanced Settings page. In the search field, enter RC4. Click on the VPN Remote Access - SNX support RC4 - click on the Edit button. Clear the box SNX support RC4. Click on the Apply button. Verify that the Value column now shows false.
  R77.10 and lower on main train Security Gateway	The required fix is already included in: Jumbo Hotfix Accumulator for R77.10 - since Take_167 Jumbo Hotfix Accumulator for R76 - since Take_64 Jumbo Hotfix Accumulator for R75.47 - since Take_98 For other supported versions, Contact Check Point Support to get a Hotfix. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix. For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.

  
  
  

• Disabling RC4-including cipher suites for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, LDAP

  Show / Hide instructions
  

  Version	Procedure
  R77.30	Install the hotfix from sk106499 - Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789. The required fix is already included in: Jumbo Hotfix Accumulator for R77.30 - since Take_33 Disable RC4 cipher suites (after installing the required aforementioned hotfix). Show / Hide instructions for Security Management Server / Multi-Domain Security Management Server Note: In Management HA environment, this procedure must be performed on both Management Servers. Connect to command line. Log in to Expert mode. Add the new required parameter with value "1" to Check Point Registry: On Gaia OS: [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1 On Windows OS: C:\> ckp_regedit -a SOFTWARE\CheckPoint\FW1 CPTLS_Disable_RC4 1 Show / Hide instructions for Security Gateway Note: In cluster environment, this procedure must be performed on all members of the cluster. Connect to command line. Log in to Expert mode. Add the new required parameter with value "1" to Check Point Registry: On Gaia OS: [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1 On Windows OS: C:\> ckp_regedit -a SOFTWARE\CheckPoint\FW1 CPTLS_Disable_RC4 1 [Optional] To verify, start the debug of WSTLSD processes per sk105559. In SmartDashboard, install policy on this Security Gateway / Cluster. Alternatively, issue a command on Security Gateway to fetch the policy from its Security Management Server / Domain Management Server: [Expert@HostName:0]# fw fetch <IP_Address_of_Security_Management_Server> Stop the debug of WSTLSD processes per sk105559. Debug of WSTLSD processes during policy installation should show: [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH _RC4_128_SHA - 0x5 [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH _RC4_128_MD5 - 0x4 Show / Hide instructions for VSX Gateway Note: In VSX cluster environment, this procedure must be performed on all members of the VSX cluster. If you create a new Virtual System, then this procedure must be repeated for the new Virtual System. Connect to command line. Log in to Expert mode. Add the new required parameter with value "1" to Check Point Registry in the context of each Virtual System: Switch to the context of Virtual System: [Expert@HostName:0]# vsenv <VSID> Add the new required parameter with value "1" to Check Point Registry: [Expert@HostName:<VSID>]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1 [Optional] To verify, start the debug of WSTLSD processes per sk105559. In SmartDashboard, install policy on this VSX Gateway / VSX cluster. Alternatively, issue a command on VSX Gateway to fetch the policy from its Security Management Server / Main Domain Management Server: [Expert@HostName:0]# vsenv 0 [Expert@HostName:0]# fw fetch <IP_Address_of_Main_Security_Management_Server> In SmartDashboard, install policy on each Virtual System. Alternatively, issue a command on VSX Gateway to fetch the policy from the corresponding Security Management Server / Target Domain Management Server: [Expert@HostName:0]# vsenv <VSID> [Expert@HostName:<VSID>]# fw fetch <IP_Address_of_Target_Security_Management_Server> Stop the debug of WSTLSD processes per sk105559. Debug of WSTLSD processes during policy installation should show: [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH _RC4_128_SHA - 0x5 [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH _RC4_128_MD5 - 0x4
  R77.20 on main train Security Gateway	Install the required hotfix on Security Gateway / Cluster members. Important Note about upgrade to R77.30: Upgrade from R77.20 with this hotfix to R77.30 will be aborted due to a fix conflict as this hotfix is not included in Check Point R77.30. Follow the instructions in sk107233. The required fix is already included in: Jumbo Hotfix Accumulator for R77.20 - since Take_138 Hotfix installation instructions: Hotfix installation for Gaia OS using CPUSE Online installation In Gaia Portal: Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions. Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar. Reboot is required. Follow these instructions to disable RC4 cipher suites on the machine. In Gaia Clish: Connect to command line on Gaia OS. Log in to Clish. Acquire the lock over Gaia configuration database: HostName:0> lock database override Show the packages that are available for download: Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..." HostName:0> show installer packages available-for-download Verify that this package can be installed without conflicts: HostName:0> installer verify <Package_Number> Download the package from Check Point cloud: HostName:0> installer download <Package_Number> Install the downloaded package: HostName:0> installer install <Package_Number> Note: The progress (in per cent) will be displayed in Clish. Reboot is required. Follow these instructions to disable RC4 cipher suites on the machine. Offline installation Version Gaia - CPUSE Offline R77.20 (TGZ) Installation instructions: In Gaia Portal: Download the Gaia CPUSE Offline package from the table above. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions. On the toolbar, click on the More button - select Import Package - browse for the CPUSE Offline package (TGZ file) - click on Upload. Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar. Reboot is required. Follow these instructions to disable RC4 cipher suites on the machine. In Gaia Clish: Install the latest build of CPUSE Agent from sk92449. Download the Gaia CPUSE Offline package from the table above. Transfer the downloaded Gaia CPUSE Offline package to the target Gaia machine (into some directory, e.g., /some_path_to_jumbo/). Connect to command line on target Gaia OS. Log in to Clish. Acquire the lock over Gaia configuration database: HostName:0> lock database override Import the package from the hard disk: Note: When import completes, this package is deleted from the original location. HostName:0> installer import local <Full_Path>/Check_Point_Hotfix_R77.20_sk106478.tgz Show the imported packages: Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..." HostName:0> show installer packages imported Verify that this package can be installed without conflicts: HostName:0> installer verify <Package_Number> Install the imported package: HostName:0> installer install <Package_Number> Reboot is required. Follow these instructions to disable RC4 cipher suites on the machine. Notes: For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE". Make sure to take a snapshot of your Check Point machine before installing this hotfix. Hotfix has to be installed on all Check Point machines running R77.20 Gaia OS. In cluster environment, this procedure must be performed on all members of the cluster. In Management HA environment, this procedure must be performed on both Management Servers. Hotfix installation for Gaia OS using Legacy CLI, SecurePlatform OS, and Linux OS Version Gaia - Legacy CLI, SecurePlatform, Linux R77.20 (TGZ) Download the hotfix package from the table above, transfer the hotfix package to the machine and unpack it: [Expert@HostName]# tar -zxvf Check_Point_Hotfix_R77.20_Linux_sk106478.tgz Install the hotfix: [Expert@HostName]# ./UnixInstallScript Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen. Reboot is required. Follow these instructions to disable RC4 cipher suites on the machine. Notes: On Gaia OS and SecurePlatform OS: Make sure to take a snapshot of your Check Point machine before installing this hotfix. Hotfix has to be installed on all Check Point machines running R77.20 on SecurePlatform OS / Linux OS. In cluster environment, this procedure must be performed on all members of the cluster. In Management HA environment, this procedure must be performed on both Management Servers. Hotfix installation for IPSO OS Version IPSO R77.20 (TGZ) Download the hotfix package from the table above, transfer the hotfix package to the machine and unpack it: [admin]# tar -zxvf Check_Point_Hotfix_R77.20_IPSO_sk106478.tgz Install the hotfix: [admin]# ./UnixInstallScript Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen. Reboot is required. Follow these instructions to disable RC4 cipher suites on the machine. Notes: Hotfix has to be installed on all Check Point machines running R77.20 on IPSO OS. In cluster environment, this procedure must be performed on all members of the cluster. In Management HA environment, this procedure must be performed on both Management Servers. Hotfix installation for Windows OS Version Windows R77.20 (TGZ) Download the hotfix package from the table above, transfer the hotfix package to the machine. Use archive program (e.g., WinZIP, WinRAR, 7-Zip, IZArc, etc.) to unpack Check_Point_Hotfix_R77.20_Win_sk106478.tgz. Go into hotfixes folder. Go into fw1_wrapper_R77_20 folder. Use archive program (e.g., WinZIP, WinRAR, 7-Zip, IZArc, etc.) to unpack fw1_wrapper_R77_20_W.tgz. Go into Disk_Images folder. Go into Disk1 folder. Install the hotfix: Right-click on the setup.exe - click on Run as administrator Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen. Reboot is required. Follow these instructions to disable RC4 cipher suites on the machine. Notes: Hotfix has to be installed on all Check Point machines running R77.20 on Windows OS. In cluster environment, this procedure must be performed on all members of the cluster. In Management HA environment, this procedure must be performed on both Management Servers. Disable RC4 cipher suites (after installing the required hotfix provided above). Show / Hide instructions for Security Management Server / Multi-Domain Security Management Server Note: In Management HA environment, this procedure must be performed on both Management Servers. Connect to command line. Log in to Expert mode. Add the new required parameter with value "1" to Check Point Registry: On Gaia OS R77.20 with hotfix 'gollum_hf_base_385': [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1 On Gaia OS / SecurePlatform OS / IPSO OS versions R77.20 and below: [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 CPTLS_Disable_RC4 1 On Windows OS: C:\> ckp_regedit -a SOFTWARE\CheckPoint\FW1 CPTLS_Disable_RC4 1 Show / Hide instructions for Security Gateway Note: In cluster environment, this procedure must be performed on all members of the cluster. Connect to command line. Log in to Expert mode. Add the new required parameter with value "1" to Check Point Registry: On Gaia OS R77.20 with hotfix 'gollum_hf_base_385': [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1 On Gaia OS / SecurePlatform OS / IPSO OS versions R77.20 and below: [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 CPTLS_Disable_RC4 1 On Windows OS: C:\> ckp_regedit -a SOFTWARE\CheckPoint\FW1 CPTLS_Disable_RC4 1 [Optional] To verify, start the debug of WSTLSD processes per sk105559. In SmartDashboard, install policy on this Security Gateway / Cluster. Alternatively, issue a command on Security Gateway to fetch the policy from its Security Management Server / Domain Management Server: [Expert@HostName:0]# fw fetch <IP_Address_of_Security_Management_Server> Stop the debug of WSTLSD processes per sk105559. Debug of WSTLSD processes during policy installation should show: [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH _RC4_128_SHA - 0x5 [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH _RC4_128_MD5 - 0x4 Show / Hide instructions for VSX Gateway Note: In VSX cluster environment, this procedure must be performed on all members of the VSX cluster. If you create a new Virtual System, then this procedure must be repeated for the new Virtual System. Connect to command line. Log in to Expert mode. Add the new required parameter with value "1" to Check Point Registry in the context of each Virtual System: Switch to the context of Virtual System: [Expert@HostName:0]# vsenv <VSID> Add the new required parameter with value "1" to Check Point Registry: On Gaia OS R77.20 with hotfix 'gollum_hf_base_385': [Expert@HostName:<VSID>]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1 On Gaia OS versions R77.20 and below: [Expert@HostName:<VSID>]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 CPTLS_Disable_RC4 1 [Optional] To verify, start the debug of WSTLSD processes per sk105559. In SmartDashboard, install policy on this VSX Gateway / VSX cluster. Alternatively, issue a command on VSX Gateway to fetch the policy from its Security Management Server / Main Domain Management Server: [Expert@HostName:0]# vsenv 0 [Expert@HostName:0]# fw fetch <IP_Address_of_Main_Security_Management_Server> In SmartDashboard, install policy on each Virtual System. Alternatively, issue a command on VSX Gateway to fetch the policy from the corresponding Security Management Server / Target Domain Management Server: [Expert@HostName:0]# vsenv <VSID> [Expert@HostName:<VSID>]# fw fetch <IP_Address_of_Target_Security_Management_Server> Stop the debug of WSTLSD processes per sk105559. Debug of WSTLSD processes during policy installation should show: [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH _RC4_128_SHA - 0x5 [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH _RC4_128_MD5 - 0x4
  R77.20 on SMB appliances (600 / 700 / 1100 / 1200R / 1400)	This applies to all Small Business & Branch Office appliances running Gaia Embedded OS R77.20 and above - 600 / 700 / 1100 / 1200R / 1400. The required fix is already included since: R77.20.10 for 600 / 1100 / 1200R appliances
  R77.10 and lower on main train Security Gateway	The required fix is already included in: Jumbo Hotfix Accumulator for R77.10 - since Take_167 Jumbo Hotfix Accumulator for R76 - since Take_64 Jumbo Hotfix Accumulator for R75.47 - since Take_98 For other supported versions, Contact Check Point Support to get a Hotfix. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix. For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.

  
  
  

• Disabling RC4-including cipher suites for IPSO Voyager with SSL enabled

  Show / Hide instructions
  

  Note: This fix is already integrated into IPSO 6.2 MR5 (Build GA100) image. For lower IPSO 6.2 versions, improved mages with disabled RC4-including cipher suites are available. If you are not able to install these images, then apply the workaround described below.

  • Improved IPSO images

    This procedure applies to both Disk-based and Flash-based IP appliances.

    1. Download the relevant IPSO image to your Windows computer. Unpack the ZIP file. Copy the IPSO image to an FTP server or to the appliance to be upgraded.

       IPSO	Build	Link
       IPSO 6.2	MR4a2	(ZIP)
       	MR3a3	(ZIP)
       	MR2a	(ZIP)

    2. Login as admin, and make sure that you are in /var/emhome/admin directory (run 'pwd' command).

    3. Run newimage -ik
       Note: If you add a new version of IPSO by using the newimage command and the "-k" (keep) option, your previous packages are active with the new IPSO version.

    4. Specify where the IPSO image is located (ipso-6.2.tgz), selecting one of the following options:
       Install from FTP server with user and password (You will be prompted for FTP server location and credentials)
       or
       Install from local filesystem (You will be prompted for pathname to the packages, or enter "." for the current directory).

    5. Enter the name of the IPSO package (ipso-6.2.tgz), and press 'Enter'.

    6. After the upgrade process completes, choose the image to run:
       Choose 'Newly Installed' image.

    7. Reboot the machine by typing reboot at the prompt.

    8. Verify the current image.

       Type uname -a.

       The output will contain the following strings:
       IPSO 6.2 MR4a2: 6.2-GAMR4A207
       IPSO 6.2 MR3a3: 6.2-GAMR3A306
       IPSO 6.2 MR2a: 6.2-GAMR2A06
    
    
    

  • Workaround

    Note: If you installed an improved IPSO image, then you do not need to apply this workaround.

    This procedure applies to both Disk-based and Flash-based IP appliances. This workaround needs to be applied after enabling SSL.

    1. Connect to command line on the involved machine.

    2. Open Clish:

       [root@HostName ~]# clish

    3. Check the current SSL setting:

       IPSO:N> show voyager ssl-level

       • If this command returns "VoyagerSSLLevel 0", then SSL is not used and IPSO Voyager is not vulnerable.

       • If this command returns any value other than "0" (zero), then proceed to the next step.

    4. Disable the weak "RC4" cipher:

       Note: This will also disable the weak "export" ciphers.

       IPSO:N> set voyager ssl-level 168
       IPSO:N> save config

    5. Verify your configuration:

       IPSO:N> show voyager ssl-level

       The output should show "VoyagerSSLLevel 168"

 

Related solutions:

• sk93395 - How to disable RC4-SHA cipher for Gaia Portal
• sk104095 - RC4 cipher is allowed for Inbound HTTPS inspection
• sk107233 - Upgrade from R77.20 to R77.30 fails due to conflict with hotfix "R77_20_HF9" (Bar Mitzvah)
• sk92447 - Status of OpenSSL CVEs