Vulnerability scan shows that Check Point Products are vulnerable to CVE-2015-2808 - SSL RC4 Cipher Suites are supported.
Vulnerability scan shows that Check Point Products are vulnerable to CVE-2017-3731 - SSL RC4 Cipher Suites are supported.
Cause
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, a.k.a. the "Bar Mitzvah" issue.
Solution
Background
This attack (CVE-2015-2808), called "Bar Mitzvah", allows an attacker to extract the plaintext of the initial bytes of an RC4 encryption stream.
As RC4 does not properly combine state data with key data during its initialization phase, it makes it easier conduct plaintext-recovery attacks against the initial bytes of a stream by:
Sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness.
Using a brute-force approach involving LSB values, a.k.a. the "Bar Mitzvah" attack.
Hotfix has to be installed on Security Gateway / Cluster members.
Important Note about upgrade to R77.30: Upgrade from R77.20 with this hotfix to R77.30 will be aborted due to a fix conflict as this hotfix is not included in Check Point R77.30. Follow the instructions in sk107233.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar.
Reboot is required.
In Gaia Clish:
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Show the packages that are available for download: Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..." HostName:0> show installer packages available-for-download
Verify that this package can be installed without conflicts: HostName:0> installer verify <Package_Number>
Download the package from Check Point cloud: HostName:0> installer download <Package_Number>
Install the downloaded package: HostName:0> installer install <Package_Number> Note: The progress (in per cent) will be displayed in Clish.
Reboot is required.
Offline installation
Version
Gaia - CPUSE Offline
R77.20
(TGZ)
Installation instructions:
In Gaia Portal:
Download the Gaia CPUSE Offline package from the table above.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
On the toolbar, click on the More button - select Import Package - browse for the CPUSE Offline package (TGZ file) - click on Upload.
Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar.
Reboot is required.
In Gaia Clish:
Install the latest build of CPUSE Agent from sk92449.
Download the Gaia CPUSE Offline package from the table above.
Transfer the downloaded Gaia CPUSE Offline package to the target Gaia machine (into some directory, e.g., /some_path_to_jumbo/).
Connect to command line on target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Import the package from the hard disk: Note: When import completes, this package is deleted from the original location. HostName:0> installer import local <Full_Path>/Check_Point_Hotfix_R77.20_sk106478.tgz
Show the imported packages: Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..." HostName:0> show installer packages imported
Verify that this package can be installed without conflicts: HostName:0> installer verify <Package_Number>
Install the imported package: HostName:0> installer install <Package_Number>
Download the hotfix package from the table above, transfer the hotfix package to the machine and unpack it: [Expert@HostName]# tar -zxvf Check_Point_Hotfix_R77.20_Linux_sk106478.tgz
Install the hotfix: [Expert@HostName]# ./UnixInstallScript Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
Reboot is required.
Notes:
Make sure to take a snapshot of your Check Point machine before installing this hotfix.
Hotfix has to be installed on all Check Point machines running R77.20 Gaia OS.
In cluster environment, this procedure must be performed on all members of the cluster.
In Management HA environment, this procedure must be performed on both Management Servers.
For other supported versions, Contact Check Point Support to get a Hotfix. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix. For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.
Disabling RC4-including cipher suites for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, LDAP
Note: In cluster environment, this procedure must be performed on all members of the cluster.
Connect to command line.
Log in to Expert mode.
Add the new required parameter with value "1" to Check Point Registry:
On Gaia OS:
[Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1
On Windows OS:
C:\> ckp_regedit -a SOFTWARE\CheckPoint\FW1 CPTLS_Disable_RC4 1
[Optional] To verify, start the debug of WSTLSD processes per sk105559.
In SmartDashboard, install policy on this Security Gateway / Cluster.
Alternatively, issue a command on Security Gateway to fetch the policy from its Security Management Server / Domain Management Server: [Expert@HostName:0]# fw fetch <IP_Address_of_Security_Management_Server>
Note: In VSX cluster environment, this procedure must be performed on all members of the VSX cluster. If you create a new Virtual System, then this procedure must be repeated for the new Virtual System.
Connect to command line.
Log in to Expert mode.
Add the new required parameter with value "1" to Check Point Registry in the context of each Virtual System:
Switch to the context of Virtual System:
[Expert@HostName:0]# vsenv <VSID>
Add the new required parameter with value "1" to Check Point Registry:
[Expert@HostName:<VSID>]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1
[Optional] To verify, start the debug of WSTLSD processes per sk105559.
In SmartDashboard, install policy on this VSX Gateway / VSX cluster.
Alternatively, issue a command on VSX Gateway to fetch the policy from its Security Management Server / Main Domain Management Server: [Expert@HostName:0]# vsenv 0 [Expert@HostName:0]# fw fetch <IP_Address_of_Main_Security_Management_Server>
In SmartDashboard, install policy on each Virtual System.
Alternatively, issue a command on VSX Gateway to fetch the policy from the corresponding Security Management Server / Target Domain Management Server: [Expert@HostName:0]# vsenv <VSID> [Expert@HostName:<VSID>]# fw fetch <IP_Address_of_Target_Security_Management_Server>
Install the required hotfix on Security Gateway / Cluster members.
Important Note about upgrade to R77.30: Upgrade from R77.20 with this hotfix to R77.30 will be aborted due to a fix conflict as this hotfix is not included in Check Point R77.30. Follow the instructions in sk107233.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar.
Reboot is required.
Follow these instructions to disable RC4 cipher suites on the machine.
In Gaia Clish:
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Show the packages that are available for download: Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..." HostName:0> show installer packages available-for-download
Verify that this package can be installed without conflicts: HostName:0> installer verify <Package_Number>
Download the package from Check Point cloud: HostName:0> installer download <Package_Number>
Install the downloaded package: HostName:0> installer install <Package_Number> Note: The progress (in per cent) will be displayed in Clish.
Reboot is required.
Follow these instructions to disable RC4 cipher suites on the machine.
Offline installation
Version
Gaia - CPUSE Offline
R77.20
(TGZ)
Installation instructions:
In Gaia Portal:
Download the Gaia CPUSE Offline package from the table above.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
On the toolbar, click on the More button - select Import Package - browse for the CPUSE Offline package (TGZ file) - click on Upload.
Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar.
Reboot is required.
Follow these instructions to disable RC4 cipher suites on the machine.
In Gaia Clish:
Install the latest build of CPUSE Agent from sk92449.
Download the Gaia CPUSE Offline package from the table above.
Transfer the downloaded Gaia CPUSE Offline package to the target Gaia machine (into some directory, e.g., /some_path_to_jumbo/).
Connect to command line on target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Import the package from the hard disk: Note: When import completes, this package is deleted from the original location. HostName:0> installer import local <Full_Path>/Check_Point_Hotfix_R77.20_sk106478.tgz
Show the imported packages: Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..." HostName:0> show installer packages imported
Verify that this package can be installed without conflicts: HostName:0> installer verify <Package_Number>
Install the imported package: HostName:0> installer install <Package_Number>
Reboot is required.
Follow these instructions to disable RC4 cipher suites on the machine.
Download the hotfix package from the table above, transfer the hotfix package to the machine and unpack it: [Expert@HostName]# tar -zxvf Check_Point_Hotfix_R77.20_Linux_sk106478.tgz
Install the hotfix: [Expert@HostName]# ./UnixInstallScript Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
Reboot is required.
Follow these instructions to disable RC4 cipher suites on the machine.
Notes:
On Gaia OS and SecurePlatform OS: Make sure to take a snapshot of your Check Point machine before installing this hotfix.
Hotfix has to be installed on all Check Point machines running R77.20 on SecurePlatform OS / Linux OS.
In cluster environment, this procedure must be performed on all members of the cluster.
In Management HA environment, this procedure must be performed on both Management Servers.
Download the hotfix package from the table above, transfer the hotfix package to the machine and unpack it: [admin]# tar -zxvf Check_Point_Hotfix_R77.20_IPSO_sk106478.tgz
Install the hotfix: [admin]# ./UnixInstallScript Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
Reboot is required.
Follow these instructions to disable RC4 cipher suites on the machine.
Notes:
Hotfix has to be installed on all Check Point machines running R77.20 on IPSO OS.
In cluster environment, this procedure must be performed on all members of the cluster.
In Management HA environment, this procedure must be performed on both Management Servers.
Download the hotfix package from the table above, transfer the hotfix package to the machine.
Use archive program (e.g., WinZIP, WinRAR, 7-Zip, IZArc, etc.) to unpack Check_Point_Hotfix_R77.20_Win_sk106478.tgz.
Go into hotfixes folder.
Go into fw1_wrapper_R77_20 folder.
Use archive program (e.g., WinZIP, WinRAR, 7-Zip, IZArc, etc.) to unpack fw1_wrapper_R77_20_W.tgz.
Go into Disk_Images folder.
Go into Disk1 folder.
Install the hotfix: Right-click on the setup.exe - click on Run as administrator Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
Reboot is required.
Follow these instructions to disable RC4 cipher suites on the machine.
Notes:
Hotfix has to be installed on all Check Point machines running R77.20 on Windows OS.
In cluster environment, this procedure must be performed on all members of the cluster.
In Management HA environment, this procedure must be performed on both Management Servers.
Note: In cluster environment, this procedure must be performed on all members of the cluster.
Connect to command line.
Log in to Expert mode.
Add the new required parameter with value "1" to Check Point Registry:
On Gaia OS R77.20 with hotfix 'gollum_hf_base_385':
[Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1
On Gaia OS / SecurePlatform OS / IPSO OS versions R77.20 and below:
[Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 CPTLS_Disable_RC4 1
On Windows OS:
C:\> ckp_regedit -a SOFTWARE\CheckPoint\FW1 CPTLS_Disable_RC4 1
[Optional] To verify, start the debug of WSTLSD processes per sk105559.
In SmartDashboard, install policy on this Security Gateway / Cluster.
Alternatively, issue a command on Security Gateway to fetch the policy from its Security Management Server / Domain Management Server: [Expert@HostName:0]# fw fetch <IP_Address_of_Security_Management_Server>
Note: In VSX cluster environment, this procedure must be performed on all members of the VSX cluster. If you create a new Virtual System, then this procedure must be repeated for the new Virtual System.
Connect to command line.
Log in to Expert mode.
Add the new required parameter with value "1" to Check Point Registry in the context of each Virtual System:
Switch to the context of Virtual System:
[Expert@HostName:0]# vsenv <VSID>
Add the new required parameter with value "1" to Check Point Registry:
On Gaia OS R77.20 with hotfix 'gollum_hf_base_385':
[Expert@HostName:<VSID>]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1
On Gaia OS versions R77.20 and below:
[Expert@HostName:<VSID>]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 CPTLS_Disable_RC4 1
[Optional] To verify, start the debug of WSTLSD processes per sk105559.
In SmartDashboard, install policy on this VSX Gateway / VSX cluster.
Alternatively, issue a command on VSX Gateway to fetch the policy from its Security Management Server / Main Domain Management Server: [Expert@HostName:0]# vsenv 0 [Expert@HostName:0]# fw fetch <IP_Address_of_Main_Security_Management_Server>
In SmartDashboard, install policy on each Virtual System.
Alternatively, issue a command on VSX Gateway to fetch the policy from the corresponding Security Management Server / Target Domain Management Server: [Expert@HostName:0]# vsenv <VSID> [Expert@HostName:<VSID>]# fw fetch <IP_Address_of_Target_Security_Management_Server>
For other supported versions, Contact Check Point Support to get a Hotfix. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix. For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.
Disabling RC4-including cipher suites for IPSO Voyager with SSL enabled
Note: This fix is already integrated into IPSO 6.2 MR5 (Build GA100) image. For lower IPSO 6.2 versions, improved mages with disabled RC4-including cipher suites are available. If you are not able to install these images, then apply the workaround described below.
Improved IPSO images
This procedure applies to both Disk-based and Flash-based IP appliances.
Download the relevant IPSO image to your Windows computer. Unpack the ZIP file. Copy the IPSO image to an FTP server or to the appliance to be upgraded.
IPSO
Build
Link
IPSO 6.2
MR4a2
(ZIP)
MR3a3
(ZIP)
MR2a
(ZIP)
Login as admin, and make sure that you are in /var/emhome/admin directory (run 'pwd' command).
Run newimage -ik Note: If you add a new version of IPSO by using the newimage command and the "-k" (keep) option, your previous packages are active with the new IPSO version.
Specify where the IPSO image is located (ipso-6.2.tgz), selecting one of the following options: Install from FTP server with user and password (You will be prompted for FTP server location and credentials) or Install from local filesystem (You will be prompted for pathname to the packages, or enter "." for the current directory).
Enter the name of the IPSO package (ipso-6.2.tgz), and press 'Enter'.
After the upgrade process completes, choose the image to run: Choose 'Newly Installed' image.
Reboot the machine by typing reboot at the prompt.
Verify the current image.
Type uname -a.
The output will contain the following strings: IPSO 6.2 MR4a2: 6.2-GAMR4A207 IPSO 6.2 MR3a3: 6.2-GAMR3A306 IPSO 6.2 MR2a: 6.2-GAMR2A06
Workaround
Note: If you installed an improved IPSO image, then you do not need to apply this workaround.
This procedure applies to both Disk-based and Flash-based IP appliances. This workaround needs to be applied after enabling SSL.
Connect to command line on the involved machine.
Open Clish:
[root@HostName ~]# clish
Check the current SSL setting:
IPSO:N> show voyager ssl-level
If this command returns "VoyagerSSLLevel 0", then SSL is not used and IPSO Voyager is not vulnerable.
If this command returns any value other than "0" (zero), then proceed to the next step.
Disable the weak "RC4" cipher:
Note: This will also disable the weak "export" ciphers.
IPSO:N> set voyager ssl-level 168 IPSO:N> save config