Check Point response to CVE-2015-2808 (Bar Mitzvah)
Symptoms
  • Vulnerability scan shows that Check Point Products are vulnerable to CVE-2015-2808 - SSL RC4 Cipher Suites are supported.

  • Vulnerability scan shows that Check Point Products are vulnerable to CVE-2017-3731 - SSL RC4 Cipher Suites are supported.

Cause

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, a.k.a. the "Bar Mitzvah" issue.


Solution

Background

Statement

  1. Check Point products are not vulnerable to the "Bar Mitzvah" attack, with the following exceptions:
    • Products which use TLS that supports cipher suite with RC4.
  2. Disabling support for cipher suites that include RC4 usage in TLS mitigates this attack.
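The statement above says the mitigation is to stop offering RC4 cipher suites. The script below is an added example (it is not Check Point code and is not part of this article) that lets an administrator confirm that from the outside: it sends a TLS 1.2 ClientHello that offers only RC4 suites and reads the server's first record. A ServerHello that selects one of them means RC4 is still enabled; a handshake_failure alert means the endpoint refuses RC4, which is the expected state after applying the procedures in this article. The suite IDs 0x0005 and 0x0004 are the two reported in the WSTLSD debug output below; the two ECDHE RC4 suites are standard IDs from RFC 4492 and are added here for completeness. The host name in the usage line is a placeholder, and the ServerHello and alert records used for offline testing are constructed, not captured traffic.

```python
"""Probe whether a TLS endpoint still negotiates RC4 cipher suites (added example)."""
import os
import socket
import struct

# Cipher suite IDs (RFC 5246, RFC 4492). 0x0005 and 0x0004 are the two suites
# the WSTLSD debug output in this article reports as disallowed.
RC4_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
}


def build_client_hello(server_name, suites):
    """Return one TLS record holding a TLS 1.2 ClientHello that offers only
    `suites`, null compression, and a server_name extension so that
    name-based virtual hosts answer for the right certificate."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    host = server_name.encode("idna")
    sni_list = struct.pack("!BH", 0, len(host)) + host          # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + os.urandom(32)                               # client random
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                  # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext    # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def negotiated_suite(reply):
    """Parse the server's first record. Returns the cipher suite ID chosen in a
    ServerHello, or None for an alert record (0x15) or anything malformed."""
    if len(reply) < 5 or reply[0] != 0x16:        # not a handshake record
        return None
    if len(reply) < 9 + 35 or reply[5] != 0x02:   # not a ServerHello
        return None
    body = reply[9:]                  # skip record header (5) + handshake header (4)
    sid_len = body[34]                # after version (2) + random (32)
    off = 35 + sid_len
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def server_accepts_rc4(host, port=443, timeout=5.0):
    """Connect and return the name of the RC4 suite the server selected, or
    None if it refused (alert) or answered with a suite we did not offer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host, list(RC4_SUITES)))
        reply = sock.recv(4096)
    return RC4_SUITES.get(negotiated_suite(reply))


def sample_server_hello(suite):
    """Constructed ServerHello record (not captured traffic) for offline checks:
    TLS 1.2, all-zero random, empty session id, the given suite, null compression."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed alert record: fatal (2) handshake_failure (40), which is what a
# server with RC4 disabled sends back to the ClientHello built above.
SAMPLE_HANDSHAKE_FAILURE = b"\x15\x03\x03\x00\x02\x02\x28"


if __name__ == "__main__":
    import sys
    # Placeholder host name; pass the gateway or portal address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.invalid"
    print(target, "->", server_accepts_rc4(target) or "RC4 refused")
```

Run it against each address the scanner flagged (Gaia Portal, Mobile Access Portal, SNX, and so on), once before and once after the change; the policy installation or reboot has to complete before the new cipher list is in effect.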


How to disable support for cipher suites that include RC4


  • Disabling RC4-including cipher suites for SSL Network Extender (SNX) users

    Gateway: Security Gateway

    This procedure applies to main train Security Gateway.

    1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

    2. Go to Policy menu - click on Global Properties.

    3. Expand Remote Access.

    4. Click on SSL Network Extender.

    5. In the Supported encryption methods field, change:

      from
      AES, 3DES, RC4
      to
      AES, 3DES

    6. Click on OK to apply the changes.

    7. Save the changes: go to File menu - click on Save.

    8. Install the policy on all managed Security Gateways / Clusters.

    Gateway: SMB appliances (600 / 700 / 1100 / 1200R / 1400)

    This procedure applies to all Small Business & Branch Office appliances running Gaia Embedded OS R77.20 and above - 600 / 700 / 1100 / 1200R / 1400.

    1. Connect to Web GUI on the appliance.

    2. Go to Device tab.

    3. In the Advanced section, click on the Advanced Settings page.

    4. In the search field, enter RC4.

    5. Click on the VPN Remote Access - SNX support RC4 - click on the Edit button.

    6. Clear the box SNX support RC4.

    7. Click on the Apply button.

    8. Verify that the Value column now shows false.




  • Disabling RC4-including cipher suites for Gaia Portal

    Version: R77.30 - No steps are required.

    Version: R77.20 on main train Security Gateway

    Hotfix has to be installed on Security Gateway / Cluster members.

    Important Note about upgrade to R77.30: Upgrade from R77.20 with this hotfix to R77.30 will be aborted due to a fix conflict as this hotfix is not included in Check Point R77.30. Follow the instructions in sk107233.

    The required fix is already included in:

    Hotfix installation instructions:

    • Hotfix installation for R77.20 Gaia OS using CPUSE
      • Online installation

        • In Gaia Portal:

          1. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
          2. Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar.
          3. Reboot is required.
        • In Gaia Clish:

          1. Connect to command line on Gaia OS.
          2. Log in to Clish.
          3. Acquire the lock over Gaia configuration database:
            HostName:0> lock database override
          4. Show the packages that are available for download:
            Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..."
            HostName:0> show installer packages available-for-download
          5. Verify that this package can be installed without conflicts:
            HostName:0> installer verify <Package_Number>
          6. Download the package from Check Point cloud:
            HostName:0> installer download <Package_Number>
          7. Install the downloaded package:
            HostName:0> installer install <Package_Number>
            Note: The progress (in per cent) will be displayed in Clish.
          8. Reboot is required.
      • Offline installation

        Version | Gaia - CPUSE Offline
        R77.20  | (TGZ)

        Installation instructions:

        • In Gaia Portal:

          1. Download the Gaia CPUSE Offline package from the table above.
          2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
          3. On the toolbar, click on the More button - select Import Package - browse for the CPUSE Offline package (TGZ file) - click on Upload.
          4. Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar.
          5. Reboot is required.
        • In Gaia Clish:

          1. Install the latest build of CPUSE Agent from sk92449.
          2. Download the Gaia CPUSE Offline package from the table above.
          3. Transfer the downloaded Gaia CPUSE Offline package to the target Gaia machine (into some directory, e.g., /some_path_to_jumbo/).
          4. Connect to command line on target Gaia OS.
          5. Log in to Clish.
          6. Acquire the lock over Gaia configuration database:
            HostName:0> lock database override
          7. Import the package from the hard disk:
            Note: When import completes, this package is deleted from the original location.
            HostName:0> installer import local <Full_Path>/Check_Point_Hotfix_R77.20_sk106478.tgz
          8. Show the imported packages:
            Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..."
            HostName:0> show installer packages imported
          9. Verify that this package can be installed without conflicts:
            HostName:0> installer verify <Package_Number>
          10. Install the imported package:
            HostName:0> installer install <Package_Number>
          11. Reboot is required.

      Notes:

      • For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
      • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
      • Hotfix has to be installed on all Check Point machines running R77.20 Gaia OS.
      • In cluster environment, this procedure must be performed on all members of the cluster.
      • In Management HA environment, this procedure must be performed on both Management Servers.


    • Hotfix installation for R77.20 Gaia OS using Legacy CLI
      Version | Gaia - Legacy CLI
      R77.20  | (TGZ)

      1. Download the hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
        [Expert@HostName]# tar -zxvf Check_Point_Hotfix_R77.20_Linux_sk106478.tgz
      2. Install the hotfix:
        [Expert@HostName]# ./UnixInstallScript
        Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
      3. Reboot is required.

      Notes:

      • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
      • Hotfix has to be installed on all Check Point machines running R77.20 Gaia OS.
      • In cluster environment, this procedure must be performed on all members of the cluster.
      • In Management HA environment, this procedure must be performed on both Management Servers.
    Version: R77.20 on SMB appliances (600 / 700 / 1100 / 1200R / 1400)

    This procedure applies to all Small Business & Branch Office appliances running Gaia Embedded OS R77.20 and above - 600 / 700 / 1100 / 1200R / 1400.

    1. Connect to Web GUI on the appliance.

    2. Go to Device tab.

    3. In the Advanced section, click on the Advanced Settings page.

    4. In the search field, enter RC4.

    5. Click on the VPN Remote Access - SNX support RC4 - click on the Edit button.

    6. Clear the box SNX support RC4.

    7. Click on the Apply button.

    8. Verify that the Value column now shows false.

    Version: R77.10 and lower on main train Security Gateway

    The required fix is already included in:

    For other supported versions, contact Check Point Support to get a Hotfix.
    A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
    For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.



  • Disabling RC4-including cipher suites for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, LDAP

    Version: R77.30
    1. Install the hotfix from sk106499 - Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789.

      The required fix is already included in:

    2. Disable RC4 cipher suites (after installing the required aforementioned hotfix).

      • Instructions for Security Management Server / Multi-Domain Security Management Server

        Note: In Management HA environment, this procedure must be performed on both Management Servers.

        1. Connect to command line.

        2. Log in to Expert mode.

        3. Add the new required parameter with value "1" to Check Point Registry:

          • On Gaia OS:

            [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1

          • On Windows OS:

            C:\> ckp_regedit -a SOFTWARE\CheckPoint\FW1 CPTLS_Disable_RC4 1


      • Instructions for Security Gateway

        Note: In cluster environment, this procedure must be performed on all members of the cluster.

        1. Connect to command line.

        2. Log in to Expert mode.

        3. Add the new required parameter with value "1" to Check Point Registry:

          • On Gaia OS:

            [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1

          • On Windows OS:

            C:\> ckp_regedit -a SOFTWARE\CheckPoint\FW1 CPTLS_Disable_RC4 1
        4. [Optional] To verify, start the debug of WSTLSD processes per sk105559.

        5. In SmartDashboard, install policy on this Security Gateway / Cluster.

          Alternatively, issue a command on Security Gateway to fetch the policy from its Security Management Server / Domain Management Server:
          [Expert@HostName:0]# fw fetch <IP_Address_of_Security_Management_Server>
        6. Stop the debug of WSTLSD processes per sk105559.

        7. Debug of WSTLSD processes during policy installation should show:

          [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH_RC4_128_SHA - 0x5
          [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH_RC4_128_MD5 - 0x4


      • Instructions for VSX Gateway

        Note: In VSX cluster environment, this procedure must be performed on all members of the VSX cluster. If you create a new Virtual System, then this procedure must be repeated for the new Virtual System.

        1. Connect to command line.

        2. Log in to Expert mode.

        3. Add the new required parameter with value "1" to Check Point Registry in the context of each Virtual System:

          1. Switch to the context of Virtual System:

            [Expert@HostName:0]# vsenv <VSID>
          2. Add the new required parameter with value "1" to Check Point Registry:

            [Expert@HostName:<VSID>]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1
        4. [Optional] To verify, start the debug of WSTLSD processes per sk105559.

        5. In SmartDashboard, install policy on this VSX Gateway / VSX cluster.

          Alternatively, issue a command on VSX Gateway to fetch the policy from its Security Management Server / Main Domain Management Server:
          [Expert@HostName:0]# vsenv 0
          [Expert@HostName:0]# fw fetch <IP_Address_of_Main_Security_Management_Server>
        6. In SmartDashboard, install policy on each Virtual System.

          Alternatively, issue a command on VSX Gateway to fetch the policy from the corresponding Security Management Server / Target Domain Management Server:
          [Expert@HostName:0]# vsenv <VSID>
          [Expert@HostName:<VSID>]# fw fetch <IP_Address_of_Target_Security_Management_Server>
        7. Stop the debug of WSTLSD processes per sk105559.

        8. Debug of WSTLSD processes during policy installation should show:

          [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH_RC4_128_SHA - 0x5
          [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH_RC4_128_MD5 - 0x4
    Version: R77.20 on main train Security Gateway
    1. Install the required hotfix on Security Gateway / Cluster members.

      Important Note about upgrade to R77.30: Upgrade from R77.20 with this hotfix to R77.30 will be aborted due to a fix conflict as this hotfix is not included in Check Point R77.30. Follow the instructions in sk107233.

      The required fix is already included in:

      Hotfix installation instructions:

      • Hotfix installation for Gaia OS using CPUSE
        • Online installation

          • In Gaia Portal:

            1. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
            2. Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar.
            3. Reboot is required.
            4. Follow these instructions to disable RC4 cipher suites on the machine.
          • In Gaia Clish:

            1. Connect to command line on Gaia OS.
            2. Log in to Clish.
            3. Acquire the lock over Gaia configuration database:
              HostName:0> lock database override
            4. Show the packages that are available for download:
              Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..."
              HostName:0> show installer packages available-for-download
            5. Verify that this package can be installed without conflicts:
              HostName:0> installer verify <Package_Number>
            6. Download the package from Check Point cloud:
              HostName:0> installer download <Package_Number>
            7. Install the downloaded package:
              HostName:0> installer install <Package_Number>
              Note: The progress (in per cent) will be displayed in Clish.
            8. Reboot is required.
            9. Follow these instructions to disable RC4 cipher suites on the machine.
        • Offline installation

          Version | Gaia - CPUSE Offline
          R77.20  | (TGZ)

          Installation instructions:

          • In Gaia Portal:

            1. Download the Gaia CPUSE Offline package from the table above.
            2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
            3. On the toolbar, click on the More button - select Import Package - browse for the CPUSE Offline package (TGZ file) - click on Upload.
            4. Select the hotfix package R77.20 Hotfix for sk106478 (Check Point Response to CVE-2015-2808 (Bar Mitzvah)) - click on Install Update button on the toolbar.
            5. Reboot is required.
            6. Follow these instructions to disable RC4 cipher suites on the machine.
          • In Gaia Clish:

            1. Install the latest build of CPUSE Agent from sk92449.
            2. Download the Gaia CPUSE Offline package from the table above.
            3. Transfer the downloaded Gaia CPUSE Offline package to the target Gaia machine (into some directory, e.g., /some_path_to_jumbo/).
            4. Connect to command line on target Gaia OS.
            5. Log in to Clish.
            6. Acquire the lock over Gaia configuration database:
              HostName:0> lock database override
            7. Import the package from the hard disk:
              Note: When import completes, this package is deleted from the original location.
              HostName:0> installer import local <Full_Path>/Check_Point_Hotfix_R77.20_sk106478.tgz
            8. Show the imported packages:
              Note: Refer to the top section "Hotfixes" - refer to "R77.20 Hotfix for sk106478 ..."
              HostName:0> show installer packages imported
            9. Verify that this package can be installed without conflicts:
              HostName:0> installer verify <Package_Number>
            10. Install the imported package:
              HostName:0> installer install <Package_Number>
            11. Reboot is required.
            12. Follow these instructions to disable RC4 cipher suites on the machine.

        Notes:

        • For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
        • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
        • Hotfix has to be installed on all Check Point machines running R77.20 Gaia OS.
        • In cluster environment, this procedure must be performed on all members of the cluster.
        • In Management HA environment, this procedure must be performed on both Management Servers.


      • Hotfix installation for Gaia OS using Legacy CLI, SecurePlatform OS, and Linux OS
        Version | Gaia - Legacy CLI, SecurePlatform, Linux
        R77.20  | (TGZ)

        1. Download the hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
          [Expert@HostName]# tar -zxvf Check_Point_Hotfix_R77.20_Linux_sk106478.tgz
        2. Install the hotfix:
          [Expert@HostName]# ./UnixInstallScript
          Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
        3. Reboot is required.
        4. Follow these instructions to disable RC4 cipher suites on the machine.

        Notes:

        • On Gaia OS and SecurePlatform OS: Make sure to take a snapshot of your Check Point machine before installing this hotfix.
        • Hotfix has to be installed on all Check Point machines running R77.20 on SecurePlatform OS / Linux OS.
        • In cluster environment, this procedure must be performed on all members of the cluster.
        • In Management HA environment, this procedure must be performed on both Management Servers.


      • Hotfix installation for IPSO OS
        Version | IPSO
        R77.20  | (TGZ)

        1. Download the hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
          [admin]# tar -zxvf Check_Point_Hotfix_R77.20_IPSO_sk106478.tgz
        2. Install the hotfix:
          [admin]# ./UnixInstallScript
          Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
        3. Reboot is required.
        4. Follow these instructions to disable RC4 cipher suites on the machine.

        Notes:

        • Hotfix has to be installed on all Check Point machines running R77.20 on IPSO OS.
        • In cluster environment, this procedure must be performed on all members of the cluster.
        • In Management HA environment, this procedure must be performed on both Management Servers.


      • Hotfix installation for Windows OS
        Version | Windows
        R77.20  | (TGZ)

        1. Download the hotfix package from the table above, transfer the hotfix package to the machine.
        2. Use archive program (e.g., WinZIP, WinRAR, 7-Zip, IZArc, etc.) to unpack Check_Point_Hotfix_R77.20_Win_sk106478.tgz.
        3. Go into hotfixes folder.
        4. Go into fw1_wrapper_R77_20 folder.
        5. Use archive program (e.g., WinZIP, WinRAR, 7-Zip, IZArc, etc.) to unpack fw1_wrapper_R77_20_W.tgz.
        6. Go into Disk_Images folder.
        7. Go into Disk1 folder.
        8. Install the hotfix: Right-click on the setup.exe - click on Run as administrator
          Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
        9. Reboot is required.
        10. Follow these instructions to disable RC4 cipher suites on the machine.

        Notes:

        • Hotfix has to be installed on all Check Point machines running R77.20 on Windows OS.
        • In cluster environment, this procedure must be performed on all members of the cluster.
        • In Management HA environment, this procedure must be performed on both Management Servers.


    2. Disable RC4 cipher suites (after installing the required hotfix provided above).

      • Instructions for Security Management Server / Multi-Domain Security Management Server

        Note: In Management HA environment, this procedure must be performed on both Management Servers.

        1. Connect to command line.

        2. Log in to Expert mode.

        3. Add the new required parameter with value "1" to Check Point Registry:

          • On Gaia OS R77.20 with hotfix 'gollum_hf_base_385':

            [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1

          • On Gaia OS / SecurePlatform OS / IPSO OS versions R77.20 and below:

            [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 CPTLS_Disable_RC4 1

          • On Windows OS:

            C:\> ckp_regedit -a SOFTWARE\CheckPoint\FW1 CPTLS_Disable_RC4 1


      • Instructions for Security Gateway

        Note: In cluster environment, this procedure must be performed on all members of the cluster.

        1. Connect to command line.

        2. Log in to Expert mode.

        3. Add the new required parameter with value "1" to Check Point Registry:

          • On Gaia OS R77.20 with hotfix 'gollum_hf_base_385':

            [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1

          • On Gaia OS / SecurePlatform OS / IPSO OS versions R77.20 and below:

            [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 CPTLS_Disable_RC4 1

          • On Windows OS:

            C:\> ckp_regedit -a SOFTWARE\CheckPoint\FW1 CPTLS_Disable_RC4 1
        4. [Optional] To verify, start the debug of WSTLSD processes per sk105559.

        5. In SmartDashboard, install policy on this Security Gateway / Cluster.

          Alternatively, issue a command on Security Gateway to fetch the policy from its Security Management Server / Domain Management Server:
          [Expert@HostName:0]# fw fetch <IP_Address_of_Security_Management_Server>
        6. Stop the debug of WSTLSD processes per sk105559.

        7. Debug of WSTLSD processes during policy installation should show:

          [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH_RC4_128_SHA - 0x5
          [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH_RC4_128_MD5 - 0x4


      • Instructions for VSX Gateway

        Note: In VSX cluster environment, this procedure must be performed on all members of the VSX cluster. If you create a new Virtual System, then this procedure must be repeated for the new Virtual System.

        1. Connect to command line.

        2. Log in to Expert mode.

        3. Add the new required parameter with value "1" to Check Point Registry in the context of each Virtual System:

          1. Switch to the context of Virtual System:

            [Expert@HostName:0]# vsenv <VSID>
          2. Add the new required parameter with value "1" to Check Point Registry:

            • On Gaia OS R77.20 with hotfix 'gollum_hf_base_385':

              [Expert@HostName:<VSID>]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 Get_Disable_RC4 1

            • On Gaia OS versions R77.20 and below:

              [Expert@HostName:<VSID>]# ckp_regedit -a SOFTWARE/CheckPoint/FW1 CPTLS_Disable_RC4 1

        4. [Optional] To verify, start the debug of WSTLSD processes per sk105559.

        5. In SmartDashboard, install policy on this VSX Gateway / VSX cluster.

          Alternatively, issue a command on VSX Gateway to fetch the policy from its Security Management Server / Main Domain Management Server:
          [Expert@HostName:0]# vsenv 0
          [Expert@HostName:0]# fw fetch <IP_Address_of_Main_Security_Management_Server>
        6. In SmartDashboard, install policy on each Virtual System.

          Alternatively, issue a command on VSX Gateway to fetch the policy from the corresponding Security Management Server / Target Domain Management Server:
          [Expert@HostName:0]# vsenv <VSID>
          [Expert@HostName:<VSID>]# fw fetch <IP_Address_of_Target_Security_Management_Server>
        7. Stop the debug of WSTLSD processes per sk105559.

        8. Debug of WSTLSD processes during policy installation should show:

          [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH_RC4_128_SHA - 0x5
          [wstlsd PID ...]@HostName[Date Time] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH_RC4_128_MD5 - 0x4
    Version: R77.20 on SMB appliances (600 / 700 / 1100 / 1200R / 1400)

    This applies to all Small Business & Branch Office appliances running Gaia Embedded OS R77.20 and above - 600 / 700 / 1100 / 1200R / 1400.

    The required fix is already included since:

    Version: R77.10 and lower on main train Security Gateway

    The required fix is already included in:

    For other supported versions, contact Check Point Support to get a Hotfix.
    A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
    For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.
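The Security Gateway and VSX Gateway steps above end with a WSTLSD debug capture that should contain two "Disallowing RC4 ciphersuite" lines, one for 0x5 and one for 0x4. Reading those out of a long debug file by eye is error-prone on a cluster with many members, so here is an added Python example (not Check Point code) that extracts the lines and reports which expected suites are missing. The sample log is constructed to match the line format quoted in those steps; the PID, host name, timestamp and the unrelated lines around them are made up.

```python
"""Check a WSTLSD debug capture for the expected RC4 'Disallowing' lines (added example)."""
import re

# Suites this article expects to see disallowed (ID -> name).
EXPECTED_DISALLOWED = {
    0x5: "TLS_RSA_WITH_RC4_128_SHA",
    0x4: "TLS_RSA_WITH_RC4_128_MD5",
}

# Matches the line format quoted in the article. The "[wstlsd PID ...]@Host[Date Time]"
# prefix is not needed for the check, so only the suite name and its ID are captured.
DISALLOW_RE = re.compile(
    r"cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: "
    r"(?P<name>[A-Z0-9_]+) - (?P<id>0x[0-9a-fA-F]+)"
)

# Constructed sample capture: two expected lines plus made-up surrounding noise.
SAMPLE_LOG = """\
[wstlsd 12345]@gw-1[15 Jun 10:02:10] cptls_params::SelectCipherSuites: building cipher list
[wstlsd 12345]@gw-1[15 Jun 10:02:11] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH_RC4_128_SHA - 0x5
[wstlsd 12345]@gw-1[15 Jun 10:02:11] cptls_params::SelectCipherSuites: Disallowing RC4 ciphersuite: TLS_RSA_WITH_RC4_128_MD5 - 0x4
[wstlsd 12345]@gw-1[15 Jun 10:02:11] cptls_params::SelectCipherSuites: done
"""


def disallowed_rc4_suites(log_text):
    """Return {suite_id: suite_name} for every 'Disallowing RC4' line in log_text.
    Debug output pasted from a terminal sometimes wraps a long suite name onto a
    continuation line starting with '_'; those are joined back before matching."""
    joined = re.sub(r"\n_", "_", log_text)
    found = {}
    for match in DISALLOW_RE.finditer(joined):
        found[int(match.group("id"), 16)] = match.group("name")
    return found


def missing_rc4_disables(log_text, expected=EXPECTED_DISALLOWED):
    """Return the names of expected RC4 suites that the capture never reports
    as disallowed. An empty list means the registry setting took effect."""
    found = disallowed_rc4_suites(log_text)
    return sorted(name for sid, name in expected.items() if sid not in found)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    missing = missing_rc4_disables(text)
    print("RC4 disabled for all expected suites" if not missing
          else "Still missing: " + ", ".join(missing))
```

Point it at the debug file collected per sk105559 on each cluster member (and, on VSX, in each Virtual System context); a non-empty "missing" list usually means the registry parameter was added on a member that has not had the policy installed since.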



  • Disabling RC4-including cipher suites for IPSO Voyager with SSL enabled


    Note: This fix is already integrated into the IPSO 6.2 MR5 (Build GA100) image. For lower IPSO 6.2 versions, improved images with the RC4-including cipher suites disabled are available. If you are not able to install these images, then apply the workaround described below.

    • Improved IPSO images

      This procedure applies to both Disk-based and Flash-based IP appliances.

      1. Download the relevant IPSO image to your Windows computer. Unpack the ZIP file. Copy the IPSO image to an FTP server or to the appliance to be upgraded.

        IPSO Build      | Link
        IPSO 6.2 MR4a2  | (ZIP)
        IPSO 6.2 MR3a3  | (ZIP)
        IPSO 6.2 MR2a   | (ZIP)
      2. Log in as admin, and make sure that you are in the /var/emhome/admin directory (run the 'pwd' command).

      3. Run newimage -ik
        Note: If you add a new version of IPSO by using the newimage command and the "-k" (keep) option, your previous packages are active with the new IPSO version.

      4. Specify where the IPSO image is located (ipso-6.2.tgz), selecting one of the following options:
        Install from FTP server with user and password (You will be prompted for FTP server location and credentials)
        or
        Install from local filesystem (You will be prompted for pathname to the packages, or enter "." for the current directory).

      5. Enter the name of the IPSO package (ipso-6.2.tgz), and press 'Enter'.

      6. After the upgrade process completes, choose the image to run:
        Choose 'Newly Installed' image.

      7. Reboot the machine by typing reboot at the prompt.

      8. Verify the current image.

        Type uname -a.

        The output will contain the following strings:
        IPSO 6.2 MR4a2: 6.2-GAMR4A207
        IPSO 6.2 MR3a3: 6.2-GAMR3A306
        IPSO 6.2 MR2a: 6.2-GAMR2A06


    • Workaround

      Note: If you installed an improved IPSO image, then you do not need to apply this workaround.

      This procedure applies to both Disk-based and Flash-based IP appliances. This workaround needs to be applied after enabling SSL.

      1. Connect to command line on the involved machine.

      2. Open Clish:

        [root@HostName ~]# clish
      3. Check the current SSL setting:

        IPSO:N> show voyager ssl-level

        • If this command returns "VoyagerSSLLevel 0", then SSL is not used and IPSO Voyager is not vulnerable.

        • If this command returns any value other than "0" (zero), then proceed to the next step.

      4. Disable the weak "RC4" cipher:

        Note: This will also disable the weak "export" ciphers.

        IPSO:N> set voyager ssl-level 168
        IPSO:N> save config
      5. Verify your configuration:

        IPSO:N> show voyager ssl-level

        The output should show "VoyagerSSLLevel 168"