Check Point response to SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391)
Symptoms
  • On August 6, 2018, a vulnerability named SegmentSmack (CVE-2018-5390; CVE-2018-6922 for the FreeBSD variant) was published. It demonstrates how an attacker can exhaust a machine's CPU by sending many small TCP segments within the TCP window (denial of service only; no intrusion impact).
  • On August 14, 2018, a vulnerability named FragmentSmack (CVE-2018-5391) was published. It demonstrates how an attacker can exhaust a machine's CPU by sending many small IP fragments that reassemble into a very large packet (denial of service only; no intrusion impact).
Cause

An attacker using FragmentSmack or SegmentSmack can cause excessive CPU utilization on the Security Gateway. This is due to the way TCP segments and IP fragments are handled by the Security Gateway.

The issues were announced by CERT/CC under VU#962459 (SegmentSmack) and VU#641765 (FragmentSmack).

SegmentSmack can only be applied to a connection handled by a protection that requires Active Streaming (SSL Inspection, Check Point Proxy, VoIP, Header Spoofing), and only if either that TCP connection is allowed into the internal network or a local user is tricked into connecting to a remote malicious server. Therefore it is only relevant for perimeter gateways.
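To make the two traffic patterns described above concrete, the following Python sketch (an added example, not part of the original article and not Check Point code) models the two conditions a gateway's reassembly code has to cope with: an IP datagram arriving as thousands of tiny fragments that never complete, and a TCP flow whose out-of-order segments keep a hole open so nothing can be delivered. The Pkt record layout, the thresholds, and the sample addresses and ports are constructed assumptions for illustration; the packet summaries are constructed, not captured traffic.

```python
# Heuristic detectors for the traffic patterns behind FragmentSmack (CVE-2018-5391)
# and SegmentSmack (CVE-2018-5390), exercised on constructed packet summaries.
# Added example, not Check Point code. Record layout, thresholds and sample
# addresses/ports are assumptions for illustration; tune thresholds on real traffic.
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed thresholds: a legitimate 64 KB datagram at a 1500-byte MTU needs fewer than
# 50 fragments, and a healthy TCP out-of-order queue holds a handful of segments.
FRAG_MAX_PER_DATAGRAM = 64   # more fragments than this for one datagram is suspicious
FRAG_TINY_BYTES = 16         # fragments carrying this little data are "tiny"
SEG_MAX_QUEUED = 100         # more queued out-of-order segments than this is suspicious


@dataclass
class Pkt:
    """Minimal packet summary (assumed layout, not a capture format)."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp", ...
    ip_id: int
    frag_offset: int = 0       # IP fragment offset in 8-byte units, as on the wire
    more_frags: bool = False   # IP "More Fragments" flag
    length: int = 0            # payload bytes carried by this packet
    sport: int = 0
    dport: int = 0
    seq: Optional[int] = None  # TCP sequence number; None for non-TCP


def detect_fragmentsmack(pkts: List[Pkt]) -> List[Tuple[str, str, str, int]]:
    """Return datagram keys (src, dst, proto, ip_id) that arrive as an excessive number
    of mostly tiny fragments. Reassembly cost grows with the fragment count, and a
    datagram that never completes pins that cost in the reassembly queue."""
    counts = defaultdict(lambda: [0, 0])   # key -> [fragments seen, tiny fragments]
    for p in pkts:
        if p.frag_offset == 0 and not p.more_frags:
            continue                        # unfragmented packet
        c = counts[(p.src, p.dst, p.proto, p.ip_id)]
        c[0] += 1
        if p.length <= FRAG_TINY_BYTES:
            c[1] += 1
    return sorted(k for k, (n, tiny) in counts.items()
                  if n > FRAG_MAX_PER_DATAGRAM and tiny > n // 2)


def detect_segmentsmack(pkts: List[Pkt]) -> List[Tuple[str, int, str, int]]:
    """Return TCP flow keys (src, sport, dst, dport) whose out-of-order queue grew past
    SEG_MAX_QUEUED. Segments above the next expected byte must be held until the hole
    is filled; a sender that never fills it makes the receiver walk an ever-growing
    queue on every arrival, which is the CPU cost SegmentSmack exploits."""
    flows = {}
    for p in pkts:
        if p.proto != "tcp" or p.seq is None:
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        st = flows.get(key)
        if st is None:
            st = flows[key] = {"next": p.seq, "queue": {}, "peak": 0}
        if p.seq > st["next"]:
            st["queue"][p.seq] = p.length          # hole before it: hold the segment
        elif p.seq == st["next"]:
            st["next"] += p.length                 # in order: deliver it ...
            while st["next"] in st["queue"]:       # ... and drain now-contiguous segments
                st["next"] += st["queue"].pop(st["next"])
        # seq below next: retransmission of delivered data, nothing to queue
        st["peak"] = max(st["peak"], len(st["queue"]))
    return sorted(k for k, st in flows.items() if st["peak"] > SEG_MAX_QUEUED)


def sample_traffic() -> List[Pkt]:
    """Constructed packet summaries (not captured traffic)."""
    pkts = []
    # Benign: a 3000-byte UDP datagram split at a 1500-byte MTU (offsets in 8-byte units).
    for off, mf, ln in [(0, True, 1480), (185, True, 1480), (370, False, 40)]:
        pkts.append(Pkt("10.0.0.5", "192.0.2.10", "udp", 4000, off, mf, ln))
    # Attack: ~64 KB datagram sent as 4000 fragments of 16 bytes, never completed (MF always set).
    for i in range(4000):
        pkts.append(Pkt("198.51.100.7", "192.0.2.10", "udp", 7777, i * 2, True, 16))
    # Benign TCP: ten 100-byte segments with segments 3 and 4 swapped in transit.
    for i in [0, 1, 2, 4, 3, 5, 6, 7, 8, 9]:
        pkts.append(Pkt("10.0.0.5", "192.0.2.10", "tcp", 1 + i, length=100,
                        sport=51000, dport=443, seq=1000 + 100 * i))
    # Attack TCP: one in-order byte, then 2000 one-byte segments at every second sequence
    # number, so byte 5001 is never delivered and the queue can never drain.
    pkts.append(Pkt("198.51.100.7", "192.0.2.10", "tcp", 100, length=1,
                    sport=40000, dport=443, seq=5000))
    for i in range(2000):
        pkts.append(Pkt("198.51.100.7", "192.0.2.10", "tcp", 101 + i, length=1,
                        sport=40000, dport=443, seq=5002 + 2 * i))
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("FragmentSmack-like datagrams:", detect_fragmentsmack(traffic))
    print("SegmentSmack-like flows:", detect_segmentsmack(traffic))
```

Run stand-alone, the script flags only the two constructed attack sources and leaves the benign fragmented datagram and the mildly reordered TCP flow alone. The point of the TCP model is that the queue length, not the byte count, is what the attacker inflates: 2000 one-byte segments cost the same bookkeeping as 2000 full segments. On a Check Point gateway the equivalent reassembly happens inside Active Streaming, which is why the vendor limits SegmentSmack exposure to connections that pass through streaming-based protections.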


Solution

This problem was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version (upgrade Security Gateway / upgrade Cluster / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).


For other supported versions, Check Point provides a Hotfix that improves resiliency against these attacks. The Hotfix is intended for deployment on perimeter Gateways.

As an immediate workaround for FragmentSmack, you can block IP fragments through the Penalty Box. Note that this may cause side effects; refer to sk74520 before applying this workaround.

For Security Management Servers, Log Servers, and other network devices (Check Point or not), Check Point recommends always placing them behind a Security Gateway with Deep Inspection Software Blades enabled. Installing the Hotfix on that Security Gateway protects the hosts behind it.

Hotfix Availability

  • R80.10 Security Gateway: Hotfix available via CPUSE; see "Security Gateway Installation Instructions and Downloads" below.
  • R77.30 Security Gateway on Gaia: Hotfix available via CPUSE; see "Security Gateway Installation Instructions and Downloads" below.
  • R77.30 Security Gateway on SecurePlatform: Contact Check Point Support to get a Hotfix for this issue. A Support Engineer will make sure the Hotfix is compatible with your environment before providing it.
  • SMB appliances: Download and install Check Point R77.20.80 Build 990172437 for SMB appliances. Releases after R77.20.80 Build 990172437 are not vulnerable.
  • 60000 / 40000 Appliances: Download and install Take 83 of the Jumbo Hotfix Accumulator for R76SP.50 for 60000 / 40000 Appliances.
  • CloudGuard Gateway for NSX:
    • R80.10 CloudGuard Gateway for NSX: Hotfix Link
    • R77.30 CloudGuard Gateway v4 for NSX: Hotfix Link
    • Pre-R77.30 CloudGuard Gateway v4 for NSX: upgrade to R77.30 v4 or R80.10 (see the two entries above) and install the appropriate Hotfix.
  • All other Security Gateway versions: Update to a supported release and install the relevant Hotfix.

* The fix for CloudGuard Gateway for AWS, Azure and GCP is included in the Hotfixes for R80.10 / R77.30 Security Gateway.


Security Gateway Installation Instructions and Downloads

This section provides the Hotfix for R80.10 Security Gateway and R77.30 Security Gateway on Gaia.
  • Instructions for CPUSE in Gaia Portal
    • Online Installation

      1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
        Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
      2. Connect to the Gaia Portal on your Check Point machine.
      3. Navigate to Upgrades (CPUSE) pane - click on Status and Actions.
      4. Verify the package - check whether this package can be installed without conflicts:
        Select the hotfix package R<XX> Hotfix for sk134253 - click on the More button on the toolbar - click on the Verifier.
      5. Select the hotfix package R<XX> Hotfix for sk134253 - click on the Install Update button on the toolbar.
      6. Reboot is required.
    • Offline Installation

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Download the Gaia CPUSE Offline package for your OS version:
        • R80.10: Check_Point_R80.10_JHF_T121_Hotfix_sk134253_FULL.tgz
        • R77.30: Check_Point_R77.30_JHF_T317_Hotfix_sk134253_FULL.tgz
      3. Connect to the Gaia Portal on your Check Point machine.
      4. Navigate to Upgrades (CPUSE) pane - click on Status and Actions.
      5. On the toolbar, click on the More button - select Import Package - browse for the CPUSE Offline package (TGZ file) - click on the Upload.
      6. Verify the package - check whether this package can be installed without conflicts:
        Select the hotfix package R<XX> Hotfix for sk134253 - click on the More button on the toolbar - click on the Verifier.
      7. Select the hotfix package R<XX> Hotfix for sk134253 - click on the Install Update button on the toolbar.
      8. Reboot is required.


  • Instructions for CPUSE in Gaia Clish
    • Online Installation

      1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
        Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
      2. Connect to the command line on Gaia OS.
      3. Log in to Clish.
      4. Acquire the lock over Gaia configuration database:
        HostName> lock database override
      5. Import the package from Check Point cloud:
        • On R80.10:
          HostName> installer import cloud Check_Point_R80.10_JHF_T121_Hotfix_sk134253_FULL.tgz
        • On R77.30:
          HostName> installer import cloud Check_Point_R77.30_JHF_T317_Hotfix_sk134253_FULL.tgz
      6. Show the packages that are available for download:
        HostName> show installer packages available-for-download
      7. Download the package from Check Point cloud:
        HostName> installer download <Package_Number>
      8. Verify that this package can be installed without conflicts:
        HostName> installer verify <Package_Number>
      9. Install the downloaded package:
        HostName> installer install <Package_Number>
        Note: The progress (in percent) will be displayed in Clish.
      10. Reboot is required.
    • Offline Installation

      1. Download the Gaia CPUSE Offline package for your OS version:
        • R80.10: Check_Point_R80.10_JHF_T121_Hotfix_sk134253_FULL.tgz
        • R77.30: Check_Point_R77.30_JHF_T317_Hotfix_sk134253_FULL.tgz
      2. Install the latest build of CPUSE Agent from sk92449.
      3. Transfer the offline package to the target Gaia machine (into some directory, e.g., /some_path_to_fix/).
      4. Connect to the command line on target Gaia OS.
      5. Log in to Clish.
      6. Acquire the lock over Gaia configuration database:
        HostName> lock database override
      7. Import the package from the hard disk:
        HostName> installer import local <Full_Path>/Check_Point_R<XX>_JHF_T<YY>_Hotfix_sk134253_FULL.tgz
      8. Show the imported packages:
        HostName> show installer packages imported
      9. Verify that this package can be installed without conflicts:
        HostName> installer verify <Package_Number>
      10. Install the imported package:
        HostName> installer install <Package_Number>
      11. Reboot is required.




Uninstall Instructions

  • Instructions for CPUSE in Gaia Portal
    1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
      Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
    2. Connect to the Gaia Portal on your Check Point machine.
    3. Navigate to Upgrades (CPUSE) pane - click on Status and Actions.
    4. Select the hotfix package R<XX> Hotfix for sk134253 - click on the Uninstall button on the toolbar.
    5. Reboot is required.


  • Instructions for CPUSE in Gaia Clish
    1. Install the latest build of CPUSE Agent from sk92449.
    2. Connect to the command line on target Gaia OS.
    3. Log in to Clish.
    4. Acquire the lock over Gaia configuration database:
      HostName> lock database override
    5. Show the installed packages:
      HostName> show installer packages installed
    6. Uninstall the hotfix package:
      HostName> installer uninstall <Package_Number>
    7. Reboot is required.




Revision History

Date          Description
21 Nov 2018
  • Updated Solution section
22 Aug 2018
  • Added fix for R80.10 CloudGuard Gateway for NSX
21 Aug 2018
  • Added fix for 60000 / 40000 Appliances
  • Added Ongoing Take 142 of R80.10 Jumbo Hotfix Accumulator
  • Added Ongoing Take 336 of R77.30 Jumbo Hotfix Accumulator
16 Aug 2018
  • First release of this article
