Check Point response to CVE-2016-2183 (Sweet32)
Symptoms
  • A vulnerability scan may report that Check Point products are vulnerable to CVE-2016-2183 because TLS 3DES cipher suites are supported.
Cause

The 3DES algorithm, as used in the TLS and IPsec protocols, has a relatively small block size, which makes it easier for an attacker to guess repeated parts of encrypted messages (for example, session cookies).

The attack requires a very large amount of repetitive data to be sent through a single connection. Such an amount of data is not reached in regular TLS usage; this scenario is therefore expected to be achieved only through a dedicated exploit that the attacker integrates into the system.


Solution

Background

This attack (CVE-2016-2183), called "Sweet32", allows an attacker to recover the plaintext of repeated content in a 3DES-encrypted stream.

Because the 3DES block size is only 64 bits, a collision between ciphertext blocks becomes likely once enough data has been sent over a single connection; when the data is repetitive, such a collision can let an attacker recover the cleartext.

It was found that some web servers allow this amount of traffic to pass over the same connection without closing it.

The full report can be found at https://sweet32.info/.
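The birthday bound behind the "small block size" argument above, as an added worked example (not part of the original article): it computes how likely a ciphertext-block collision is after a given traffic volume for a 64-bit block cipher (3DES) versus a 128-bit one (AES), using the standard approximation 1 - exp(-n(n-1)/2^(b+1)). The function names and the traffic volumes are this example's own choices.

```python
import math

def collision_probability(n_blocks, block_bits):
    """Birthday-bound probability that at least two of n_blocks ciphertext
    blocks are identical for a cipher with the given block size.  In CBC
    mode a repeated ciphertext block leaks the XOR of two plaintext blocks,
    which is what Sweet32 exploits.  Uses 1 - exp(-n(n-1) / 2^(b+1))."""
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-n_blocks * (n_blocks - 1) / (2.0 * space))

def bytes_for_probability(p, block_bits):
    """Approximate ciphertext volume (bytes) one connection must carry before
    the collision probability reaches p; inverts the formula above."""
    space = 2.0 ** block_bits
    n_blocks = math.sqrt(-2.0 * space * math.log(1.0 - p))
    return n_blocks * (block_bits // 8)

def compare_block_sizes(volume_bytes):
    """Collision probability for a 64-bit block cipher (3DES) and a 128-bit
    block cipher (AES) after the same volume of traffic on one connection."""
    return {bits: collision_probability(volume_bytes // (bits // 8), bits)
            for bits in (64, 128)}

if __name__ == "__main__":
    gib = 2 ** 30
    # Constructed traffic volumes: 3DES reaches ~39% at 32 GiB, AES stays ~0.
    for vol in (1 * gib, 32 * gib, 256 * gib):
        probs = compare_block_sizes(vol)
        print(f"{vol // gib:>4} GiB: 3DES p={probs[64]:.3f}  AES p={probs[128]:.3e}")
    print(f"50% for 3DES after ~{bytes_for_probability(0.5, 64) / gib:.1f} GiB")
```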


Statement

Check Point products are not vulnerable to the "Sweet32" attack, since the 3DES cipher will not be preferred by Check Point software during negotiation with any modern web browser.


Procedure

The following mitigation instructions are proposed to customers who wish to fully disable the 3DES cipher on Check Point software.



  • Instructions for IPS blade

    Check Point released (on 25 Sep 2016) the IPS protection "Weak SSL 3DES Cipher Suites (CVE-2016-2183)" that detects and prevents attempts to exploit this vulnerability.

    Important Note: By default, this IPS protection is "Inactive" in all IPS profiles.

    1. In SmartDashboard, go to the IPS tab.

    2. In the upper left tree, click on Protections.

    3. Search for Weak SSL 3DES Cipher Suites.

    4. Double-click on this IPS protection.

    5. Change the action in this IPS protection:

      • Either configure this IPS protection in a specific IPS profile:

        1. Select the relevant IPS profile

        2. At the bottom, click on the Edit... button

        3. Select the option Override IPS Policy with

        4. Select either Prevent, or Detect

        5. Click on OK

      • Or configure this IPS protection in all IPS profiles:

        1. At the bottom, click on the Change Action... button - select either Prevent on All Profiles, or Detect on All Profiles

        2. Click on OK

    6. Install the Network Security policy.

    7. When triggered, this IPS protection's log will contain the following information:

      • Attack Name: SSL Enforcement Violation
      • Attack Information: Weak SSL 3DES Cipher Suites


  • Instructions for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI

    This problem was fixed. The fix is included in:

    It is possible to control the use of 3DES on the Security Gateway with the global attribute DISABLE_3DES:

    • To disable the use of 3DES:

      Note: This change will survive reboot.

      1. Connect to the command line on the involved Check Point Security Gateway / each cluster member.

      2. Log in to the Expert mode.

      3. Back up the Check Point Registry:

        [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
      4. Add the global attribute DISABLE_3DES to the Registry and set its value to 1 (one):

        [Expert@HostName:0]# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES 1
      5. Verify that the global attribute DISABLE_3DES was added to the Registry with value "1":

        • Either with "ckp_regedit" command:

          [Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 | grep --color DISABLE_3DES

          Output should be:
          SOFTWARE/CheckPoint/FW1 : { CurrentVersion=[s]6.0 DISABLE_3DES=[s]1 }
        • Or with "grep" command:

          [Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data

          Output should be:
          :DISABLE_3DES (1)
      6. Restart Check Point services:

        Important Note: In a cluster, this will cause a fail-over.

        [Expert@HostName:0]# cpstop ; cpstart
    • To enable the use of 3DES (default configuration):

      Note: This change will survive reboot.

      1. Connect to the command line on the involved Check Point Security Gateway / each cluster member.

      2. Log in to the Expert mode.

      3. Back up the Check Point Registry:

        [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
      4. Remove the global attribute DISABLE_3DES from the Registry:

        [Expert@HostName:0]# ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES
      5. Verify that the global attribute DISABLE_3DES was removed from the Registry:

        • Either with "ckp_regedit" command:

          [Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES

          Output should be empty
        • Or with "grep" command:

          [Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data

          Output should be empty
      6. Restart Check Point services:

        Important Note: In a cluster, this will cause a fail-over.

        [Expert@HostName:0]# cpstop ; cpstart

    Note: You can also use ThreatEmulation port 18194 as a solution to disable 3DES for a local ThreatEmulation appliance (Cloud Connection and SandBlast Extension for browsers). 




  • Instructions for Mobile Access curl

    It is possible to control the use of 3DES on the Security Gateway with the global attribute DISABLE_3DES:

    • To disable the use of 3DES:

      Note: This change will survive reboot.

      1. Connect to the command line on the involved Check Point Security Gateway / each cluster member.

      2. Log in to the Expert mode.

      3. Back up the Check Point Registry:

        [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
      4. Add the global attribute DISABLE_3DES to the Registry and set its value to 1 (one):

        [Expert@HostName:0]# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES 1
      5. Verify that the global attribute DISABLE_3DES was added to the Registry with value "1":

        • Either with "ckp_regedit" command:

          [Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 | grep --color DISABLE_3DES

          Output should be:
          SOFTWARE/CheckPoint/FW1 : { CurrentVersion=[s]6.0 DISABLE_3DES=[s]1 }
        • Or with "grep" command:

          [Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data

          Output should be:
          :DISABLE_3DES (1)
      6. Restart Check Point services:

        Important Note: In a cluster, this will cause a fail-over.

        [Expert@HostName:0]# cpstop ; cpstart
    • To enable the use of 3DES (default configuration):

      Note: This change will survive reboot.

      1. Connect to the command line on the involved Check Point Security Gateway / each cluster member.

      2. Log in to the Expert mode.

      3. Back up the Check Point Registry:

        [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
      4. Remove the global attribute DISABLE_3DES from the Registry:

        [Expert@HostName:0]# ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES
      5. Verify that the global attribute DISABLE_3DES was removed from the Registry:

        • Either with "ckp_regedit" command:

          [Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES

          Output should be empty
        • Or with "grep" command:

          [Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data

          Output should be empty
      6. Restart Check Point services:

        Important Note: In a cluster, this will cause a fail-over.

        [Expert@HostName:0]# cpstop ; cpstart


  • Instructions for VPN Site-to-Site community

    Make sure that 3DES is not chosen in the VPN Site-to-Site community properties:

    In R77.X SmartDashboard:
    1. Go to the IPSec VPN tab
    2. In the left tree, click on Communities
    3. Select the relevant community - click on the Edit... button
    4. Go to the Encryption pane
    5. In the Encryption Suite section:
      • If "VPN A" is selected, then select any other suite
      • If "Custom" is selected, then click on Custom Encryption... and verify that "3DES" is not selected in any field
      If any setting was changed, then click on OK and install policy.

    In R80 SmartConsole:
    1. Go to the Objects menu - click on Object Explorer
    2. In the left tree, click on VPN Communities
    3. Select the relevant community - click on the pencil button
    4. Go to the Encryption pane
    5. In the Encryption Suite section:
      • If "Use this encryption suite" is selected, then verify that "VPN A" is not selected
      • If "Custom encryption suite" is selected, then verify that "3DES" is not selected in any field
      If any setting was changed, then click on OK and install policy.


  • Instructions for VPN Remote Access community

    Make sure that 3DES is not chosen in the Remote Access global properties:

    1. Go to Global Properties:

      In R77.X SmartDashboard:
      1. Go to the Policy menu
      2. Click on Global Properties...

      In R80.X SmartConsole:
      1. Go to the Application menu
      2. Click on Global properties...
    2. Expand Remote Access

    3. Click on VPN - Authentication and Encryption

    4. In Encryption algorithms section, click on Edit... button

    5. On both Phase 1 and Phase 2 tabs, verify that "3DES" is not selected in any field

      If any setting was changed, then click on OK and install policy.





  • Instructions for Gaia Embedded

    This problem was fixed. The fix is included in:

    It is possible to control the use of 3DES on the Security Gateway with the global attribute DISABLE_3DES:

    • To disable the use of 3DES:

      Note: This change will survive reboot.

      1. Connect to the command line on the involved appliance.

      2. Log in to the Expert mode.

      3. Back up the Check Point Registry:

        [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
      4. Add the global attribute DISABLE_3DES to the Registry and set its value to 1 (one):

        [Expert@HostName:0]# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES 1
      5. Verify that the global attribute DISABLE_3DES was added to the Registry with value "1":

        • Either with "ckp_regedit" command:

          [Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 | grep --color DISABLE_3DES

          Output should be:
          SOFTWARE/CheckPoint/FW1 : { CurrentVersion=[s]6.0 DISABLE_3DES=[s]1 }
        • Or with "grep" command:

          [Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data

          Output should be:
          :DISABLE_3DES (1)
      6. Restart Check Point services:

        Important Note: In a cluster, this will cause a fail-over.

        [Expert@HostName:0]# cpstop ; cpstart
    • To enable the use of 3DES (default configuration):

      Note: This change will survive reboot.

      1. Connect to the command line on the involved Check Point Security Gateway / each cluster member.

      2. Log in to the Expert mode.

      3. Back up the Check Point Registry:

        [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
      4. Remove the global attribute DISABLE_3DES from the Registry:

        [Expert@HostName:0]# ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES
      5. Verify that the global attribute DISABLE_3DES was removed from the Registry:

        • Either with "ckp_regedit" command:

          [Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES

          Output should be empty
        • Or with "grep" command:

          [Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data

          Output should be empty
      6. Restart Check Point services:

        Important Note: In a cluster, this will cause a fail-over.

        [Expert@HostName:0]# cpstop ; cpstart


  • Instructions for IPSO Voyager with SSL enabled
    • Follow these steps to change the current configuration:

      1. Save the current IPSO OS configuration (either in Network Voyager, or in Clish).

      2. Connect to the command line on IP Series appliance.

      3. Change the file system to "read-write" mode:

        HostName[admin]# mount -u /
      4. Back up the current configuration template:

        HostName[admin]# cp /web/conf/httpd.conf.templ /web/conf/httpd.conf.templ_BKP
      5. Edit the current configuration template in Vi editor:

        HostName[admin]# vi /web/conf/httpd.conf.templ
      6. Search for one or more lines that each begin with "SSLCipherSuite".

        • On IPSO-6.2-MR5 and above:

          There will be one such line.
          One line that begins with "#SSLCipherSuite" may be safely ignored.
        • On IPSO-6.2-MR4 and earlier:

          There will be four such lines.
      7. Replace each line found in Step 6 with the following (this is a single line):

        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
      8. Save the changes and exit from Vi editor.

      9. Change the file system back to "read-only" mode:

        HostName[admin]# mount -u -r /
      10. Update the current configuration of HTTPD daemon based on the modified configuration template:

        HostName[admin]# template_xlate ':' /web/conf/httpd.conf.templ /var/etc/httpd.conf < /config/active
      11. Restart the HTTPD daemon:

        HostName[admin]# tellpm process:httpd
        HostName[admin]# tellpm process:httpd t
    • Follow these steps to verify that you have applied the changes correctly:

      1. Wait at least one minute after applying the above changes.

      2. Try to connect to the Network Voyager using a web browser.

        Note: If the connection to the Network Voyager fails, it can mean that the above changes were not applied correctly. Follow the next procedure (below) to revert the above changes.
      3. To verify that triple-DES is no longer used, issue the following command:

        HostName[admin]# openssl s_client -connect localhost:443 -cipher 3DES

        It should fail, and exit immediately, with an error like the following:
        674896232:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/work/jdilatus/wa/ipso6_main/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:769:

        If it does not fail, then terminate it with CTRL+C and follow the next procedure (below) to revert the above changes.

    • Follow these steps to revert the above changes (before applying them again):

      1. Connect to the command line.

      2. Change the file system to "read-write" mode:

        HostName[admin]# mount -u /
      3. Restore the backup file (which you saved earlier):

        HostName[admin]# cp /web/conf/httpd.conf.templ_BKP /web/conf/httpd.conf.templ
      4. Change the file system back to "read-only" mode:

        HostName[admin]# mount -u -r /
      5. Update the current configuration of HTTPD daemon based on the modified configuration template:

        HostName[admin]# template_xlate ':' /web/conf/httpd.conf.templ /var/etc/httpd.conf < /config/active
      6. Restart the HTTPD daemon:

        HostName[admin]# tellpm process:httpd
        HostName[admin]# tellpm process:httpd t


  • Instructions for Endpoint Security Server
    1. Connect to the command line.

    2. Log in to the Expert mode.

    3. Back up the current $UEPMDIR/apache22/conf/ssl.conf file:

      [Expert@HostName:0]# cp -v $UEPMDIR/apache22/conf/ssl.conf $UEPMDIR/apache22/conf/ssl.conf_ORIGINAL
    4. Edit the current $UEPMDIR/apache22/conf/ssl.conf file:

      [Expert@HostName:0]# vi $UEPMDIR/apache22/conf/ssl.conf
    5. Go to the following section:

      # SSL Cipher Suite:
      # List the ciphers that the client is permitted to negotiate.
      # See the mod_ssl documentation for a complete list.
      SSLCipherSuite AES256-SHA:AES128-SHA:DES-CBC3-SHA
    6. Change the SSLCipherSuite line:

      from:

      SSLCipherSuite AES256-SHA:AES128-SHA:DES-CBC3-SHA

      to:

      SSLCipherSuite AES256-SHA:AES128-SHA
    7. Save the changes and exit from Vi editor.

    8. Reboot the machine for the changes to take effect.
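A small checker for the SSLCipherSuite edits in the IPSO Voyager and Endpoint Security Server sections above, added here as an example and not part of the original article or of any Check Point tool. It parses OpenSSL cipher-list syntax, reports whether 3DES suites are still enabled or have been negated with "!", and produces the hardened line (for the Endpoint Security example, "AES256-SHA:AES128-SHA"). The set of "broad" aliases that need an explicit "!3DES" and the constructed ssl.conf excerpt are this example's own assumptions.

```python
import re

# Name fragments that identify triple-DES suites in OpenSSL cipher-list syntax.
TRIPLE_DES_MARKERS = ("DES-CBC3", "3DES")
# Broad aliases whose expansion may include 3DES (3DES was HIGH before
# OpenSSL 1.1.0, MEDIUM after), so they are safe only with an explicit "!3DES".
BROAD_ALIASES = {"ALL", "COMPLEMENTOFALL", "DEFAULT", "COMPLEMENTOFDEFAULT",
                 "HIGH", "MEDIUM", "SSLv3", "TLSv1"}

def parse_cipher_list(spec):
    """Split an OpenSSL cipher-list string into tokens (':', ',' or space)."""
    return [t for t in re.split(r"[:, ]+", spec.strip()) if t]

def is_3des_token(token):
    name = token.lstrip("!+-")
    return any(marker in name for marker in TRIPLE_DES_MARKERS)

def audit_cipher_list(spec):
    """Report 3DES tokens still enabled, 3DES tokens negated with '!', and
    broad aliases left unresolved (no '!3DES' to cover their expansion)."""
    enabled, negated, unresolved = [], [], []
    for tok in parse_cipher_list(spec):
        if is_3des_token(tok):
            (negated if tok.startswith("!") else enabled).append(tok)
        elif not tok.startswith("!") and tok in BROAD_ALIASES:
            unresolved.append(tok)
    has_kill = "!3DES" in negated
    return {"enabled": enabled, "negated": negated,
            "unresolved": [] if has_kill else unresolved,
            "ok": not enabled and (has_kill or not unresolved)}

def harden_cipher_list(spec):
    """Drop enabled 3DES tokens; append '!3DES' only if a broad alias remains."""
    kept = [t for t in parse_cipher_list(spec)
            if t.startswith("!") or not is_3des_token(t)]
    if "!3DES" not in kept and any(t in BROAD_ALIASES for t in kept):
        kept.append("!3DES")
    return ":".join(kept)

def find_ssl_cipher_suite_lines(conf_text):
    """Return (line_no, spec) for active SSLCipherSuite directives; commented
    '#SSLCipherSuite' lines are skipped, as the IPSO step notes they may be."""
    found = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"^\s*SSLCipherSuite\s+(\S+)", line)
        if m:
            found.append((n, m.group(1)))
    return found

# Constructed excerpt modelled on the Endpoint Security Server ssl.conf above.
SAMPLE_SSL_CONF = """# SSL Cipher Suite:
#SSLCipherSuite HIGH:MEDIUM
SSLCipherSuite AES256-SHA:AES128-SHA:DES-CBC3-SHA
"""
```

Run `audit_cipher_list` on each spec returned by `find_ssl_cipher_suite_lines`; the IPSO list from Step 7 above audits as ok because its 3DES entries are all negated.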

Applies To:
  • 02337728 , 02346611 , 02347912 , 02372514 , 02422245 , 02339829 , 02423402 , 02351735 , 02340541 , 02378236 , 02349390 , 02347435 , 02385100 , 02527710
  • 02364390
