Check Point cluster stability improvement to prevent incorrect change of cluster members state to "Ready"

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk108360
Technical Level
Product	ClusterXL, Cluster - 3rd party
Version	R75, R76, R77, R77.10, R77.20, R77.30
OS	Gaia, SecurePlatform 2.6, IPSO 6.2, Windows
Platform / Model	All
Date Created	07-Dec-2015
Last Modified	21-May-2017

Symptoms

It was demonstrated that by forging CCP packets, it is possible to "confuse" cluster members about the state of peer members and cause denial of service (cluster members could be forced to incorrectly change their state to "Ready").

Credit: Check Point thanks Christian Port for responsible disclosure of this issue.

Cause

This attack is possible if a malicious user gains Layer 2 access to cluster non-trusted (non-sync) interfaces (whose "Network Objective" in cluster object topology is not "Sync").

Solution

Note: To view this solution you need to Sign In .