Check Point Response to Intel Side Channel Attacks (Meltdown, Spectre, Foreshadow) (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754, CVE-2018-3693, CVE-2018-3639, CVE-2018-3640, CVE-2018-3620, CVE-2018-3646, CVE-2018-3615)
Since code execution privileges on Check Point appliances are to be provided to administrators only, these privilege escalation attacks are of lower relevance to Check Point appliances. The analysis below is relevant to both findings (Jan 3rd and May 21st).
Frequently Asked Questions (FAQ)
Q1: What is a local privilege escalation attack?
A1: It is an attack vector in which a local process is able to access or run code that requires higher privileges, or that was not supposed to be accessible at all.
Q2: Why is this less interesting in the case of Check Point appliances?
A2: Check Point appliances run various hardened operating systems, including GAiA, SecurePlatform, and IPSO. A user on these systems is intended to be one who is trusted by the local administrator. Moreover, running arbitrary programs requires Expert access, and a user with Expert access already has the highest possible permissions, those of the root user.
Note: The verdict is the same for Open Servers installed with Check Point GAiA.
Q3: Is Check Point going to provide a patch?
A3: Check Point is working with the relevant parties to create a patch. As the attack vector is low severity on Check Point appliances, we'll provide a patch only after we gain confidence in its quality and performance impact.
Q4: Can malicious code being analyzed on Check Point TEX appliances or cloud service exploit these vulnerabilities against the appliance's operating system?
A4: No. A feature which is used in the exploit phase is disabled on our appliances.
Q5: How will this affect vSEC for Public Cloud running on different platforms?
A5:
- On AWS: Check Point instances are not affected.
- On Azure: Every Virtual Machine in Azure will be automatically rebooted (see this link for more information).
On a Single Gateway and a Management Server, expect the standard reboot downtime. In a Cluster setup, this will cause a Cluster failover and a standard failover downtime. Since there is a 30-minute period between maintenance for each Availability Set, only one Gateway in each Cluster will be rebooted at a time.
Q6: Is my Check Point gateway running on XOS vulnerable?
A6: See the X-Series Response from Symantec/Crossbeam (09-Jan-2018).
Q7: Are Check Point SMB (Small and Medium Business) embedded systems running Linux vulnerable?
A7: SMB Appliances:
- 1200R appliances are not vulnerable to any of the variants.
- The 700 and 1400 appliance series are not vulnerable to Meltdown (variants 3 and 3a). Vulnerability to Spectre is currently under investigation. (Note: Variant 3 = Rogue data cache load (CVE-2017-5754). ARM has also included information on a related variant, known as 3a.)
- The 600 and 1100 appliance series are not vulnerable to Meltdown and Spectre.
SMB embedded systems running Linux are closed systems that do not allow running arbitrary code. Therefore, our assessment is that SMB appliances are not exposed to exploits based on the above vulnerabilities. We will continue to work closely with our SoC manufacturers to investigate these issues. When security patches become available, we will assess code integration and fixes according to the security and performance impact.
Note: A new IPS protection has been added for the Intel vulnerabilities. Refer to https://www.checkpoint.com/defense/advisories/public/2018/cpai-2018-0011.html
Check Point will update this article when more information comes in.