Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789
Solution

Table of Contents:

  • Introduction
  • Installation instructions
  • Uninstall instructions
  • Related solutions

 


 

Introduction

This article provides a unified hotfix package for R77.30 and lower versions
(the relevant fixes are already integrated into R80.10):

This hotfix package should be installed on all machines running R77.30 and lower in the environment:

  • Security Gateway
  • Cluster
  • VSX
  • Security Management Server
  • Multi-Domain Security Management Server
  • Standalone machine (Gateway + Management)
  • Log Server
  • SmartEvent Server
  • SmartReporter Server

 

Installation instructions

This problem was fixed. The fix is included in:

Hotfix for R77.30 GA is provided in this article.

For other supported versions, contact Check Point Support.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.

  • Instructions for Gaia OS using CPUSE (Check Point Update Service Engine)

    • Online installation

      1. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
      2. Select the hotfix package <RXX> Hotfix for sk106499 (Check Point response to CVE-2015-2808 (Bar Mitzvah) and CVE-2015-1789 (OpenSSL Security Advisory 11 June 2015)) - click on Install Update button on the toolbar.
      3. Reboot is required.
      4. Refer to sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah) for instructions to disable RC4-including cipher suites in Check Point Portals.
    • Offline installation

      OS R77.30
      Gaia - CPUSE

    Notes:

    • For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
    • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
    • The hotfix has to be installed on all Check Point machines running on Gaia OS.
    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.


  • Instructions for Gaia OS (manual installation in Command Line)

    OS R77.30
    Gaia - CLI

    Procedure:

    1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
      [Expert@HostName]# tar -zxvf Check_Point_Hotfix_<VERSION>_Gaia_sk106499.tgz
    2. Install the hotfix:
      [Expert@HostName]# ./UnixInstallScript
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.
    4. Refer to sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah) for instructions to disable RC4-including cipher suites in Check Point Portals.

    Notes:

    • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
    • The hotfix has to be installed on all Check Point machines running on Gaia OS.
    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.


  • Instructions for SecurePlatform OS and Linux OS

    OS R77.30
    SecurePlatform and Linux - CLI

    Procedure:

    1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
      [Expert@HostName]# tar -zxvf Check_Point_Hotfix_<VERSION>_Linux_sk106499.tgz
    2. Install the hotfix:
      [Expert@HostName]# ./UnixInstallScript
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.
    4. Refer to sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah) for instructions to disable RC4-including cipher suites in Check Point Portals.

    Notes:

    • Make sure to take a snapshot of your Check Point machine before installing this hotfix (on SecurePlatform OS).
    • The hotfix has to be installed on all Check Point machines running on SecurePlatform OS / Linux OS.
    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.


  • Instructions for IPSO OS

    OS R77.30
    IPSO - CLI

    Procedure:

    1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
      [admin]# tar -zxvf Check_Point_Hotfix_<VERSION>_IPSO_sk106499.tgz
    2. Install the hotfix:
      [admin]# ./UnixInstallScript
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.
    4. Refer to sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah) for instructions to disable RC4-including cipher suites in Check Point Portals.

    Notes:

    • The hotfix has to be installed on all Check Point machines running on IPSO OS.
    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.


  • Instructions for Windows OS

    OS R77.30
    Windows - CLI

    Procedure:

    1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine and unpack it using an archive program (e.g., WinZIP, WinRAR, 7-zip, etc.).
    2. Install the hotfix: Right-click on the Setup.exe - click on Run as administrator
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.
    4. Refer to sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah) for instructions to disable RC4-including cipher suites in Check Point Portals.

    Notes:

    • The hotfix has to be installed on all Check Point machines running on Windows OS.
    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.
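
Step 4 of each procedure points to sk106478 for disabling RC4 cipher suites in the portals. The script below is an added example, not Check Point code, showing one way to confirm from an admin workstation that a portal no longer negotiates RC4; the function names and the placeholder host are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not Check Point code). Function names are hypothetical.

# Constructed samples of the summary line printed by `openssl s_client`.
SAMPLE_RC4='New, TLSv1/SSLv3, Cipher is RC4-SHA'
SAMPLE_NONE='New, (NONE), Cipher is (NONE)'
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'

# A client built without RC4 cannot offer it, so a failed handshake
# would say nothing about the server. Detect that case first.
client_has_rc4() {
    openssl ciphers 'RC4' >/dev/null 2>&1
}

# Read s_client output on stdin and classify the negotiated suite.
classify_handshake() {
    cipher=$(sed -n 's/^.*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        *RC4*)    echo "RC4_ACCEPTED:$cipher" ;;
        '(NONE)') echo "RC4_REJECTED" ;;
        '')       echo "ERROR:no-handshake-summary" ;;  # e.g. connection refused
        *)        echo "OTHER:$cipher" ;;  # non-RC4 suite chosen; RC4 not tested
    esac
}

# Offer only RC4 suites to host:port and report the result.
check_portal() {
    host=$1
    port=${2:-443}
    if ! client_has_rc4; then
        echo "INCONCLUSIVE:client-lacks-RC4"
        return 2
    fi
    openssl s_client -connect "$host:$port" -cipher 'RC4' </dev/null 2>&1 |
        classify_handshake
}

# Usage (portal.example.com is a placeholder):
#   check_portal portal.example.com 443
```

Run it before and after the change on every cluster member and both Management Servers; an `OTHER` result means the handshake used a suite outside the RC4 offer, so repeat the test with the client restricted to a protocol version the portal supports.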

 

Uninstall instructions

  • On Gaia OS using CPUSE (Check Point Update Service Engine)

    1. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
    2. Select Installed in the menu near the Help icon.
    3. Select the hotfix package <VERSION> Hotfix for sk106499 (Check Point response to CVE-2015-2808 (Bar Mitzvah) and CVE-2015-1789 (OpenSSL Security Advisory 11 June 2015)) - click on More button on the toolbar - click on Uninstall.
    4. Reboot is required.
    5. Refer to sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah) for instructions to disable RC4-including cipher suites in Check Point Portals.

    Notes:



  • On Gaia OS, SecurePlatform OS, Linux OS and IPSO OS (manual uninstall in Command Line)

    1. Download and unpack the hotfix package (refer to the "Installation instructions" (manual installation in Command Line) above).
    2. Run the installation script with "-u" flag:
      # ./UnixInstallScript -u
    3. Reboot is required.
    4. Refer to sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah) for instructions to disable RC4-including cipher suites in Check Point Portals.

    Notes:

    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.


  • Windows OS

    1. Go to Control Panel:
      • On Windows 2000 / 2003 - click on Add/Remove Programs
      • On Windows 2008 / Vista / 7 - click on Programs and Features
    2. Select the hotfix Check Point R77.30 Hotfix R77_30_HF3SW - click on Uninstall button.
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.

    Alternatively, run the installation program with '-u' flag:

    1. Open the elevated Command Prompt:
      Start - Programs - Accessories - right-click on 'Command Prompt' icon - select 'Run as administrator'.
    2. Navigate to the folder where you unpacked the hotfix package:
      DISK:\> cd "path_to_unpacked_hotfix_package"
    3. Run the installation program with '-u' flag:
      DISK:\path_to_unpacked_hotfix_package\> Setup.exe -u
    4. Reboot is required.

    Notes:

    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.

 
