Security issue in SSL VPN On-Demand applications
Customers of the above products are advised to install a Hotfix on the Check Point gateway. The hotfix replaces the Deployment Agent. Consequently, the next time that a user connects to the gateway, the hotfix replaces the Deployment Agent on their machine. In addition, it is recommended to patch user PCs.
HOTFIX FOR THE GATEWAY
Hotfix Installation Instructions:
Note:
- The security hotfix must be installed on top of the above specified versions (e.g. R75) or HFA/Minor Versions (e.g. R65.70) only. (Make sure you installed the required HFA before installing this security hotfix.)
- Hotfix installation should be done via CLI only (No SmartUpdate and WebUI should be used).
- The Hotfix should be installed on the Gateway/Standalone only (Not SmartCenter / Provider-1).
- Download the correct 'tgz' archive.
- Extract by running the 'tar xzvf <tgz archive name>' command from Expert mode.
- Run the executable with name starting with 'cvpn', 'fw1' or both, as applicable.
- Follow the instructions on screen.
- After the installation ends successfully, run 'cpstart' from Expert mode. Note: fw1 package requires a reboot.
Hotfix Uninstallation Instructions:
- Run the executable with name starting with 'uninstall_cvpn' or 'uninstall_fw1'.
- Follow the instructions on screen.
- After the uninstallation ends successfully, run 'cpstart' from Expert mode. Note: fw1 package requires a reboot.
Note: when removing the 'cvpn' hotfix from the gateway, connectivity to the SSLVPN portal will be lost. To resolve this issue run the following commands:
- $CVPNDIR/scripts/cvpn_post_utility.csh
- cvpnrestart
PATCHING CLIENT MACHINES
Any of the patches described below should be run with administrative privileges. Administrators who want to deploy these changes to machines whose users do not have administrative privileges should use GPO, or the equivalent functionality on Mac. To verify that the patch was indeed applied, check the registry / blacklist file as described in the Manual patching section.
In order to update end user machines, we recommend:
If end users have administrative privileges
- End users should run both of the following patches (new version of the Check Point Deployment Agent). (Important: Use Internet Explorer. Clicking the link starts immediate installation of the patch.)
In case you get "Syntax error" messages, you can safely ignore them and press "OK". Verify that you finally get the "Check Point Deployment Agent was successfully deployed" message.
- Administrators should implement changes described in the Invalidating the vulnerable ActiveX and Java applet section.
Invalidating the vulnerable ActiveX and Java applet
Patch utility
- For Windows: Download and run the cpda_cancel.exe patch utility on Windows hosts, in order to prevent vulnerable versions of the ActiveX and Java Applet from running on the host. An Administrator who wants to run this tool remotely should run it with the "-s" flag (silent mode).
- For Mac 10.6: Download and run the cpda_cancel.sh patch utility on Mac hosts, in order to prevent vulnerable versions of the Java Applet from running on the host.
Usage:
After running the patch utility, the browser must be restarted in order for the fix to take effect (both for Windows and Mac).
Manual patching
Administrators that would like to patch client machines manually, without using the patch utility, should implement the following instructions:
- To disable vulnerable ActiveX versions, configure "Kill-Bit" by deploying registry changes in file CPDA_KillBit.zip. (Unzip the file 'CPDA_KillBit.zip' and then run 'regedit.exe CPDA_KillBit.reg').
- To disable vulnerable Applet versions from running on Oracle JRE, copy the list of SHA-1 digests in CPDA_Java_Applet_SHA1s.txt into the JRE signed jar blacklist file. The blacklist file is located at <Program Files>\Java\<jre_version>\lib\security\blacklist (e.g. C:\Program Files\Java\jre6\lib\security\blacklist). Note: the blacklist feature is supported starting from Oracle JRE v6 update 14.
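A verification helper, added here as an example and not part of this advisory or of Check Point's tools, covering the two manual checks above and the "verify the registry / blacklist file" step called for under PATCHING CLIENT MACHINES: it reports which digests from CPDA_Java_Applet_SHA1s.txt are still missing from a JRE blacklist, merges them idempotently, and on Windows reads the kill-bit flag for the control's CLSID from the registry. The CLSID and digest values below are placeholders/constructed samples, since the advisory does not list them; the "SHA1-Digest-Manifest: <base64>" line format is assumed from the JRE's own blacklist file.

```python
import sys

KILLBIT_FLAG = 0x400  # "Compatibility Flags" bit that sets the IE kill-bit for a CLSID
# Placeholder: the advisory does not list the control's CLSID; take it from CPDA_KillBit.reg.
CPDA_CLSID = "{00000000-0000-0000-0000-000000000000}"

# Constructed sample data (not the real digests from CPDA_Java_Applet_SHA1s.txt).
# The JRE blacklist holds one "SHA1-Digest-Manifest: <base64>" line per blocked jar.
SAMPLE_DIGEST_LIST = """# CPDA_Java_Applet_SHA1s.txt (constructed sample)
SHA1-Digest-Manifest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=
SHA1-Digest-Manifest: BBBBBBBBBBBBBBBBBBBBBBBBBBB=
"""
SAMPLE_BLACKLIST = """# lib/security/blacklist (constructed sample, one digest already present)
SHA1-Digest-Manifest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""


def blacklist_entries(text):
    """Set of entries in a blacklist or digest list, ignoring comments and blank lines."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def missing_digests(digest_list_text, blacklist_text):
    """Digests from the advisory list that the JRE blacklist does not yet contain."""
    return sorted(blacklist_entries(digest_list_text) - blacklist_entries(blacklist_text))


def merge_blacklist(digest_list_text, blacklist_text):
    """Return the blacklist with missing digests appended; unchanged if none are missing."""
    missing = missing_digests(digest_list_text, blacklist_text)
    if not missing:
        return blacklist_text
    sep = "" if (not blacklist_text or blacklist_text.endswith("\n")) else "\n"
    return blacklist_text + sep + "\n".join(missing) + "\n"


def killbit_set(clsid=CPDA_CLSID):
    """True if the IE kill-bit is set for clsid under HKLM; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows only
    path = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" + "\\" + clsid
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            flags, _ = winreg.QueryValueEx(key, "Compatibility Flags")
    except OSError:
        return False  # key or value absent: kill-bit not deployed
    return bool(flags & KILLBIT_FLAG)
```

Run missing_digests() against the real CPDA_Java_Applet_SHA1s.txt and the blacklist path given above; an empty result plus killbit_set() returning True means both manual patches are in place.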
If end users do not have administrative privileges
- The administrator first installs the hotfix on the relevant gateway, then extracts SNXComponentsShell.msi from the gateway's extender.cab file (for example, from $CVPNDIR/htdocs/SNX/CSHELL/extender.cab on a Connectra gateway).
- The administrator should then use GPO to deploy SNXComponentsShell.msi on the client machines. cpda_cancel.exe can be deployed to the client machines by using a login script that includes "run as administrator".
- You can verify ActiveX installation in the C:\WINDOWS\Downloaded Program Files folder on the client machines. Check SlimClient version. It should be "800005208".
Credit
Check Point thanks Johannes Greil of SEC Consult Unternehmensberatung GmbH (https://www.sec-consult.com) for responsible disclosure of this issue.
This solution is about products that are no longer supported and it will not be updated
Applies To:
- 00666396 , 00664951 , 00665279 , 00665279 , 00665318 , 00665335 , 00665337 , 00665339 , 00666387 , 00666397 , 00666737 , 00666737 , 00732495 , 00732934 , 00732942 , 00735992 , 00737340 , 00744969 , 00757505 , 00761603 , 00775081 , 00775083 , 00821871 , 00827117 , 00875644