Check Point response to CVE-2016-2183 (Sweet32)
Solution ID: sk113114
Product: IPSec VPN, Mobile Access / SSL VPN
Version: All
Platform / Model: All
Date Created: 18-Sep-2016
Last Modified: 09-Aug-2020
Symptoms
A vulnerability scan may report that Check Point products are vulnerable to CVE-2016-2183 because TLS 3DES cipher suites are supported.
Cause
The 3DES algorithm, as used in the TLS and IPsec protocols, has a relatively small block size, which makes it easier for an attacker to guess repeated parts of encrypted messages (for example, session cookies).
The attack requires a very large amount of repetitive data to be sent through a single connection in order to exploit this vulnerability. Such a volume of data is not reached in regular TLS usage. Therefore, such a scenario is expected to be achieved only by a specific exploit that the attacker has first introduced into the system.
Solution
Background
This attack (CVE-2016-2183), called "Sweet32", allows an attacker to extract the plaintext of the repetitive content of a 3DES encryption stream.
Because the 3DES block size is only 64 bits, a collision in the encrypted traffic becomes likely once enough repetitive data has been sent through the connection, which might allow an attacker to guess the cleartext.
It was found that some web servers allow such an amount of traffic to be passed on the same connection without closing it.
The full report can be found at https://sweet32.info/.
Statement
Check Point products are not vulnerable to the "Sweet32" attack, since the 3DES cipher will not be preferred by Check Point software during a negotiation with any modern web browser.
Procedure
The following mitigation instructions are proposed for customers who wish to fully disable the 3DES cipher on Check Point software.
Instructions for IPS blade
Check Point released (on 25 Sep 2016) the IPS protection "Weak SSL 3DES Cipher Suites (CVE-2016-2183)", which detects and prevents attempts to exploit this vulnerability.
Important Note: By default, this IPS protection is "Inactive" in all IPS profiles.
In SmartDashboard, go to the IPS tab.
In the upper left tree, click on Protections.
Search for the Weak SSL 3DES Cipher Suites protection.
Double-click on this IPS protection.
Change the action in this IPS protection:
Install the Network Security policy.
When triggered, this IPS protection's log will contain the following information:
Attack Name: SSL Enforcement Violation
Attack Information: Weak SSL 3DES Cipher Suites
Instructions for HTTPS Inspection, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI
Check Point has adopted a new approach to resolving this issue: 3DES is now disabled by default. If you choose to enable 3DES, use the new Registry attribute ENABLE_3DES. This problem was fixed. The fix is included in:
It is possible to control the use of 3DES on the Security Gateway with the global attribute ENABLE_3DES:
To enable the use of 3DES:
Note: This change will survive reboot.
Connect to the command line on the involved Check Point Security Gateway / each cluster member.
Log in to Expert mode.
Back up the Check Point Registry:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
Add the global attribute ENABLE_3DES to the Registry and set its value to 1 (one):
[Expert@HostName:0]# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 ENABLE_3DES 1
Verify that the global attribute ENABLE_3DES was added to the Registry with value "1":
Either with the "ckp_regedit" command:
[Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 | grep --color ENABLE_3DES
Output should be:
SOFTWARE/CheckPoint/FW1 : { CurrentVersion=[s]6.0 ENABLE_3DES=[s]1 }
Or with the "grep" command:
[Expert@HostName:0]# grep ENABLE_3DES $CPDIR/registry/HKLM_registry.data
Output should be:
:ENABLE_3DES (1)
Restart Check Point services:
Important Note: In cluster, this will cause fail-over.
[Expert@HostName:0]# cpstop ; cpstart
To disable the use of 3DES (default configuration):
Note: This change will survive reboot.
Connect to the command line on the involved Check Point Security Gateway / each cluster member.
Log in to Expert mode.
Back up the Check Point Registry:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
Remove the global attribute ENABLE_3DES from the Registry:
[Expert@HostName:0]# ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 ENABLE_3DES
Verify that the global attribute ENABLE_3DES was removed from the Registry:
Either with the "ckp_regedit" command:
[Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 ENABLE_3DES
Output should be empty.
Or with the "grep" command:
[Expert@HostName:0]# grep ENABLE_3DES $CPDIR/registry/HKLM_registry.data
Output should be empty.
Restart Check Point services:
Important Note: In cluster, this will cause fail-over.
[Expert@HostName:0]# cpstop ; cpstart
Note: Check Point previously resolved this issue as follows: 3DES was enabled by default, and if you chose to disable 3DES, you would use the Registry attribute DISABLE_3DES. This problem was fixed. The fix is included in:
It is possible to control the use of 3DES on the Security Gateway with the global attribute DISABLE_3DES:
To disable the use of 3DES:
Note: This change will survive reboot.
Connect to the command line on the involved Check Point Security Gateway / each cluster member.
Log in to Expert mode.
Back up the Check Point Registry:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
Add the global attribute DISABLE_3DES to the Registry and set its value to 1 (one):
[Expert@HostName:0]# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES 1
Verify that the global attribute DISABLE_3DES was added to the Registry with value "1":
Either with the "ckp_regedit" command:
[Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 | grep --color DISABLE_3DES
Output should be:
SOFTWARE/CheckPoint/FW1 : { CurrentVersion=[s]6.0 DISABLE_3DES=[s]1 }
Or with the "grep" command:
[Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data
Output should be:
:DISABLE_3DES (1)
Restart Check Point services:
Important Note: In cluster, this will cause fail-over.
[Expert@HostName:0]# cpstop ; cpstart
To enable the use of 3DES (default configuration):
Note: This change will survive reboot.
Connect to the command line on the involved Check Point Security Gateway / each cluster member.
Log in to Expert mode.
Back up the Check Point Registry:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
Remove the global attribute DISABLE_3DES from the Registry:
[Expert@HostName:0]# ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES
Verify that the global attribute DISABLE_3DES was removed from the Registry:
Either with the "ckp_regedit" command:
[Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES
Output should be empty.
Or with the "grep" command:
[Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data
Output should be empty.
Restart Check Point services:
Important Note: In cluster, this will cause fail-over.
[Expert@HostName:0]# cpstop ; cpstart
Note: You can also use ThreatEmulation port 18194 as a solution to disable 3DES for a local ThreatEmulation appliance (Cloud Connection and SandBlast Extension for browsers).
Related solutions:
Instructions for Mobile Access
Check Point has adopted a new approach to resolving this issue: 3DES is now disabled by default. If you choose to enable 3DES, use the new Registry attribute ENABLE_3DES. This problem was fixed. The fix is included in:
It is possible to control the use of 3DES on the Security Gateway with the global attribute ENABLE_3DES:
To enable the use of 3DES:
Note: This change will survive reboot.
Connect to the command line on the involved Check Point Security Gateway / each cluster member.
Log in to Expert mode.
Back up the Check Point Registry:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
Add the global attribute ENABLE_3DES to the Registry and set its value to 1 (one):
[Expert@HostName:0]# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 ENABLE_3DES 1
Verify that the global attribute ENABLE_3DES was added to the Registry with value "1":
Either with the "ckp_regedit" command:
[Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 | grep --color ENABLE_3DES
Output should be:
SOFTWARE/CheckPoint/FW1 : { CurrentVersion=[s]6.0 ENABLE_3DES=[s]1 }
Or with the "grep" command:
[Expert@HostName:0]# grep ENABLE_3DES $CPDIR/registry/HKLM_registry.data
Output should be:
:ENABLE_3DES (1)
Restart Check Point services:
Important Note: In cluster, this will cause fail-over.
[Expert@HostName:0]# cpstop ; cpstart
To disable the use of 3DES (default configuration):
Note: This change will survive reboot.
Connect to the command line on the involved Check Point Security Gateway / each cluster member.
Log in to Expert mode.
Back up the Check Point Registry:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
Remove the global attribute ENABLE_3DES from the Registry:
[Expert@HostName:0]# ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 ENABLE_3DES
Verify that the global attribute ENABLE_3DES was removed from the Registry:
Either with the "ckp_regedit" command:
[Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 ENABLE_3DES
Output should be empty.
Or with the "grep" command:
[Expert@HostName:0]# grep ENABLE_3DES $CPDIR/registry/HKLM_registry.data
Output should be empty.
Restart Check Point services:
Important Note: In cluster, this will cause fail-over.
[Expert@HostName:0]# cpstop ; cpstart
Note: Check Point previously resolved this issue as follows: 3DES was enabled by default, and if you chose to disable 3DES, you would use the Registry attribute DISABLE_3DES.
It is possible to control the use of 3DES on the Security Gateway with the global attribute DISABLE_3DES:
To disable the use of 3DES:
Note: This change will survive reboot.
Connect to the command line on the involved Check Point Security Gateway / each cluster member.
Log in to Expert mode.
Back up the Check Point Registry:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
Add the global attribute DISABLE_3DES to the Registry and set its value to 1 (one):
[Expert@HostName:0]# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES 1
Verify that the global attribute DISABLE_3DES was added to the Registry with value "1":
Either with the "ckp_regedit" command:
[Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 | grep --color DISABLE_3DES
Output should be:
SOFTWARE/CheckPoint/FW1 : { CurrentVersion=[s]6.0 DISABLE_3DES=[s]1 }
Or with the "grep" command:
[Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data
Output should be:
:DISABLE_3DES (1)
Restart Check Point services:
Important Note: In cluster, this will cause fail-over.
[Expert@HostName:0]# cpstop ; cpstart
To enable the use of 3DES (default configuration):
Note: This change will survive reboot.
Connect to the command line on the involved Check Point Security Gateway / each cluster member.
Log in to Expert mode.
Back up the Check Point Registry:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
Remove the global attribute DISABLE_3DES from the Registry:
[Expert@HostName:0]# ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES
Verify that the global attribute DISABLE_3DES was removed from the Registry:
Either with the "ckp_regedit" command:
[Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES
Output should be empty.
Or with the "grep" command:
[Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data
Output should be empty.
Restart Check Point services:
Important Note: In cluster, this will cause fail-over.
[Expert@HostName:0]# cpstop ; cpstart
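The Registry verification step in the HTTPS Inspection / portals procedure and in the identical Mobile Access procedure above, as an added example that is not Check Point's code: a POSIX shell script that parses a copy of HKLM_registry.data offline and reports the effective 3DES state for either generation of the attribute (ENABLE_3DES on newer builds, DISABLE_3DES on older ones). The sample Registry lines are constructed to match the line shape shown in the article's grep output; the real file on a gateway is the one in $CPDIR/registry.

```shell
#!/bin/sh
# Added example, not part of the Check Point article: determine the effective
# 3DES state from a copy of $CPDIR/registry/HKLM_registry.data, for both
# generations of the switch the article describes (ENABLE_3DES / DISABLE_3DES).

# registry_attr FILE NAME: print the value of global attribute NAME, i.e. the
# "1" in a line of the form ":ENABLE_3DES (1)"; print nothing if NAME is absent.
registry_attr() {
    sed -n "s/^[[:space:]]*:$2[[:space:]]*(\([^)]*\)).*/\1/p" "$1" | head -n 1
}

# threedes_state FILE GENERATION: print "enabled" or "disabled".
#   new    - 3DES is off by default; ENABLE_3DES=1 turns it on
#   legacy - 3DES is on by default; DISABLE_3DES=1 turns it off
threedes_state() {
    case "$2" in
        new)
            [ "$(registry_attr "$1" ENABLE_3DES)" = 1 ] && echo enabled || echo disabled ;;
        legacy)
            [ "$(registry_attr "$1" DISABLE_3DES)" = 1 ] && echo disabled || echo enabled ;;
        *)
            echo "usage: threedes_state FILE new|legacy" >&2; return 2 ;;
    esac
}

# sweet32_report FILE GENERATION: one-line posture summary; returns 1 while 3DES
# is still enabled, so the script can serve as a check in a compliance job.
sweet32_report() {
    _state=$(threedes_state "$1" "$2") || return 2
    echo "3DES on gateway ($2 attribute generation): $_state"
    [ "$_state" = disabled ]
}

# Constructed sample (not a real dump): a new-generation gateway on which an
# administrator re-enabled 3DES. Line shape follows the article's grep output.
SAMPLE=$(mktemp)
printf '\t:FW1 (\n\t\t:CurrentVersion (6.0)\n\t\t:ENABLE_3DES (1)\n\t)\n' > "$SAMPLE"
sweet32_report "$SAMPLE" new || echo "Remove ENABLE_3DES and run cpstop; cpstart to disable 3DES"
rm -f "$SAMPLE"
```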
Instructions for VPN Site-to-Site community
Make sure that 3DES is not chosen in the VPN Site-to-Site community properties:
In R77.X SmartDashboard:
Go to the IPSec VPN tab.
In the left tree, click on Communities.
Select the relevant community and click on the Edit... button.
Go to the Encryption pane.
In the Encryption Suite section:
If "VPN A" is selected, then select any other suite.
If "Custom" is selected, then click on Custom Encryption... and verify that "3DES" is not selected in any field.
If any setting was changed, then click on OK and install policy.
In R80 SmartConsole:
Go to the Objects menu and click on Object Explorer.
In the left tree, click on VPN Communities.
Select the relevant community and click on the pencil button.
Go to the Encryption pane.
In the Encryption Suite section:
If "Use this encryption suite" is selected, then verify that "VPN A" is not selected.
If "Custom encryption suite" is selected, then verify that "3DES" is not selected in any field.
If any setting was changed, then click on OK and install policy.
Instructions for VPN Remote Access community
Make sure that 3DES is not chosen in the Remote Access global properties:
Go to Global Properties:
In R77.X SmartDashboard: go to the Policy menu and click on Global Properties...
In R80.X SmartConsole: go to the Application menu and click on Global properties...
Expand Remote Access.
Click on VPN - Authentication and Encryption.
In the Encryption algorithms section, click on the Edit... button.
On both the Phase 1 and Phase 2 tabs, verify that "3DES" is not selected in any field.
If any setting was changed, then click on OK and install policy.
Related solutions:
Instructions for Gaia Embedded
This problem was fixed. The fix is included in:
It is possible to control the use of 3DES on the Security Gateway with the global attribute DISABLE_3DES:
To disable the use of 3DES:
Note: This change will survive reboot.
Connect to the command line on the involved appliance.
Log in to the Expert mode.
Back up the Check Point Registry:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
Add the global attribute DISABLE_3DES to the Registry and set its value to 1 (one):
[Expert@HostName:0]# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES 1
Verify that the global attribute DISABLE_3DES was added to the Registry with value "1":
Either with the "ckp_regedit" command:
[Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 | grep --color DISABLE_3DES
Output should be:
SOFTWARE/CheckPoint/FW1 : { CurrentVersion=[s]6.0 DISABLE_3DES=[s]1 }
Or with the "grep" command:
[Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data
Output should be:
:DISABLE_3DES (1)
Restart Check Point services:
Important Note: In cluster, this will cause fail-over.
[Expert@HostName:0]# cpstop ; cpstart
To enable the use of 3DES (default configuration):
Note: This change will survive reboot.
Connect to the command line on the involved Check Point Security Gateway / each cluster member.
Log in to the Expert mode.
Back up the Check Point Registry:
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
Remove the global attribute DISABLE_3DES from the Registry:
[Expert@HostName:0]# ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES
Verify that the global attribute DISABLE_3DES was removed from the Registry:
Either with the "ckp_regedit" command:
[Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\FW1 DISABLE_3DES
Output should be empty.
Or with the "grep" command:
[Expert@HostName:0]# grep DISABLE_3DES $CPDIR/registry/HKLM_registry.data
Output should be empty.
Restart Check Point services:
Important Note: In cluster, this will cause fail-over.
[Expert@HostName:0]# cpstop ; cpstart
Instructions for IPSO Voyager with SSL enabled
Follow these steps to change the current configuration:
Save the current IPSO OS configuration (either in Network Voyager, or in Clish).
Connect to the command line on IP Series appliance.
Change the file system to "read-write" mode:
HostName[admin]# mount -u /
Backup the current configuration template:
HostName[admin]# cp /web/conf/httpd.conf.templ /web/conf/httpd.conf.templ_BKP
Edit the current configuration template in Vi editor:
HostName[admin]# vi /web/conf/httpd.conf.templ
Search for one or more lines that each begin with "SSLCipherSuite".
Replace each line found in the previous step with the following (this is a single line):
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Save the changes and exit from Vi editor.
Change the file system back to "read-only" mode:
HostName[admin]# mount -u -r /
Update the current configuration of HTTPD daemon based on the modified configuration template:
HostName[admin]# template_xlate ':' /web/conf/httpd.conf.templ /var/etc/httpd.conf < /config/active
Restart the HTTPD daemon:
HostName[admin]# tellpm process:httpd
HostName[admin]# tellpm process:httpd t
Follow these steps to verify that you have applied the changes correctly:
Wait at least one minute after applying the above changes.
Try to connect to the Network Voyager using a web browser.
Note: If the connection to the Network Voyager fails, it can mean that the above changes were not applied correctly. Follow the next procedure (below) to revert the above changes.
To verify that triple-DES is no longer used, issue the following command:
HostName[admin]# openssl s_client -connect localhost:443 -cipher 3DES
It should fail and exit immediately, with an error like the following:
674896232:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/work/jdilatus/wa/ipso6_main/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:769:
If it does not fail, then terminate it with CTRL+C and follow the next procedure (below) to revert the above changes.
Follow these steps to revert the above changes (before applying them again):
Connect to the command line.
Change the file system to "read-write" mode:
HostName[admin]# mount -u /
Restore the backup file (which you saved earlier):
HostName[admin]# cp /web/conf/httpd.conf.templ_BKP /web/conf/httpd.conf.templ
Change the file system back to "read-only" mode:
HostName[admin]# mount -u -r /
Update the current configuration of HTTPD daemon based on the modified configuration template:
HostName[admin]# template_xlate ':' /web/conf/httpd.conf.templ /var/etc/httpd.conf < /config/active
Restart the HTTPD daemon:
HostName[admin]# tellpm process:httpd
HostName[admin]# tellpm process:httpd t
Instructions for Endpoint Security Server
Connect to the command line.
Log in to the Expert mode.
Back up the current $UEPMDIR/apache22/conf/ssl.conf file:
[Expert@HostName:0]# cp -v $UEPMDIR/apache22/conf/ssl.conf $UEPMDIR/apache22/conf/ssl.conf_ORIGINAL
Edit the current $UEPMDIR/apache22/conf/ssl.conf file:
[Expert@HostName:0]# vi $UEPMDIR/apache22/conf/ssl.conf
Go to the following section:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite AES256-SHA:AES128-SHA:DES-CBC3-SHA
Change the SSLCipherSuite line:
from:
SSLCipherSuite AES256-SHA:AES128-SHA:DES-CBC3-SHA
to:
SSLCipherSuite AES256-SHA:AES128-SHA
Save the changes and exit from Vi editor.
Reboot the machine for the changes to take effect.
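The SSLCipherSuite edit made in the IPSO httpd.conf.templ procedure and in the Endpoint Security Server ssl.conf procedure above, as an added example that is not Check Point's code: a POSIX shell script that audits an httpd configuration file for SSLCipherSuite lines that still name a 3DES (or single-DES) suite in OpenSSL notation and prints the hardened replacement line. The sample ssl.conf section is constructed to reproduce the article's "before" state.

```shell
#!/bin/sh
# Added example, not part of the Check Point article: audit a mod_ssl-style
# SSLCipherSuite directive for 3DES (Sweet32, CVE-2016-2183) and print the
# hardened line, the edit the article makes to ssl.conf and httpd.conf.templ.
# is_des_suite TOKEN: true if TOKEN selects a 3DES or single-DES suite in
# OpenSSL notation (DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, PSK-3DES-EDE-CBC-SHA,
# DES-CBC-SHA, the DES alias). A leading "!" marks an exclusion, which is kept.
is_des_suite() {
    case "$1" in
        !*) return 1 ;;
        *CBC3*|*3DES*|*DES-CBC-*|DES) return 0 ;;
        *) return 1 ;;
    esac
}

# strip_3des_suites LINE: print the SSLCipherSuite LINE with every 3DES/DES entry
# dropped and every other entry, exclusions included, kept in order. Group
# aliases (HIGH, MEDIUM, AES, ...) are passed through unexpanded; check those with
# "openssl ciphers -v 'LIST' | grep 3DES" on the system itself.
strip_3des_suites() {
    _name=${1%% *}; _kept=''
    _old_ifs=$IFS; IFS=:; set -f
    for _tok in ${1#* }; do
        is_des_suite "$_tok" || _kept=${_kept:+$_kept:}$_tok
    done
    IFS=$_old_ifs; set +f
    printf '%s %s\n' "$_name" "$_kept"
}

# cipher_list_allows_3des LIST: true if stripping changes the colon-separated LIST.
cipher_list_allows_3des() {
    [ "$(strip_3des_suites "SSLCipherSuite $1")" != "SSLCipherSuite $1" ]
}

# audit_ssl_conf FILE: print each SSLCipherSuite line in FILE that still allows
# 3DES together with its replacement; return 1 if any such line exists.
audit_ssl_conf() {
    _bad=0
    while IFS= read -r _line; do
        _line=${_line#"${_line%%[![:space:]]*}"}      # trim leading whitespace
        case "$_line" in SSLCipherSuite\ *) ;; *) continue ;; esac
        if cipher_list_allows_3des "${_line#* }"; then
            _bad=1
            printf 'WEAK: %s\nFIX:  %s\n' "$_line" "$(strip_3des_suites "$_line")"
        fi
    done < "$1"
    return $_bad
}

# Constructed sample reproducing the article's "before" ssl.conf section.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite AES256-SHA:AES128-SHA:DES-CBC3-SHA
EOF
audit_ssl_conf "$SAMPLE_CONF" || echo "3DES still negotiable: apply the FIX line and restart httpd"
rm -f "$SAMPLE_CONF"
```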