Customers of the above products are advised to install a Hotfix on the Check Point gateway. The hotfix replaces the Deployment Agent. Consequently, the next time that a user connects to the gateway, the hotfix replaces the Deployment Agent on their machine. In addition, it is recommended to patch user PCs.

HOTFIX FOR THE GATEWAY

• Hotfix for R65.70
  • SecurePlatform
  • IPSO4.x
  • IPSO6
• Hotfix for R70.40
  • SecurePlatform 
  • IPSO6
• Hotfix for R71.30
  • SecurePlatform: cvpn_HF_R71.30.tgz (for Mobile Access Blade), fw1_HF_R71.30.tgz 
  • IPSO6: fw1_HF_R71.30_ipso6.tgz
• Hotfix for R75
  • SecurePlatform: cvpn_HF_R75.tgz (for Mobile Access Blade), fw1_HF_R75.tgz 
  • IPSO6: fw1_HF_R75_ipso6.tgz
• Hotfix for Connectra R66.1
• Hotfix for Connectra R66.1n
• Hotfix for VSX R65.20
• Hotfix for VSX R67

Hotfix Installation Instructions:

Note:

• The security hotfix must be installed on top of the above specified versions (e.g. R75) or HFA/Minor Versions (e.g. R65.70) only. (Make sure you installed the required HFA before installing this security hotfix.)
• Hotfix installation should be done via CLI only (No SmartUpdate and WebUI should be used).
• The Hotfix should be installed on the Gateway/Standalone only (Not SmartCenter / Provider-1).

1. Download the correct 'tgz' archive.
2. Extract by running the 'tar xzvf <tgz archive name>' command from Expert mode.
3. Run the executable with name starting with 'cvpn', 'fw1' or both, as applicable.
4. Follow the instructions on screen.
5. After the installation ends successfully, run 'cpstart' from Expert mode. Note: fw1 package requires a reboot.

Hotfix Uninstallation Instructions:

1. Run the executable with name starting with 'uninstall_cvpn' or 'uninstall_fw1'.
2. Follow the instructions on screen.
3. After the installation ends successfully, run 'cpstart' from Expert mode. Note: fw1 package requires a reboot.

Note: when removing the 'cvpn' hotfix from the gateway, connectivity to the SSLVPN portal will be lost. To resolve this issue run the following commands:

• $CVPNDIR/scripts/cvpn_post_utility.csh 
• cvpnrestart

PATCHING CLIENT MACHINES

Any of the patches described below should be run with administrative privileges. However, administrators that want to deploy these changes to user machines, logged into by users without administrative privileges, should use GPO, or the equivalent functionality for Mac. In order to verify that the patch indeed was applied, the user needs to verify the registry / blacklist file, according to the Manual patching section.

In order to update end user machines, we recommend:

If end users have administrative privileges

1. End users should run both of the following patches (new version of Check Point Deployment Agent): (Important: Use Internet Explorer. Clicking the link starts immediate installation of patch.)
   
   • https://sc1.checkpoint.com/sc/CPDAUpdate_ActiveX.html for ActiveX control
   • https://sc1.checkpoint.com/sc/CPDAUpdate_Java.html for Java applet

   In case you get "Syntax error" messages, you can safely ignore them and press "OK". Verify that you finally get the "Check Point Deployment Agent was successfully deployed" message.

2. Administrators should implement changes described in the Invalidating the vulnerable ActiveX and Java applet section.

Invalidating the vulnerable ActiveX and Java applet

Patch utility

• For Windows: Download and run the cpda_cancel.exe patch utility on Windows hosts, in order to prevent vulnerable versions of the ActiveX and Java Applet from running on the host. An Administrator who wants to run this tool remotely should run it with "-s" flag (means silent).
• For Mac 10.6: Download and run the cpda_cancel.sh patch utility on Mac hosts, in order to prevent vulnerable versions of the Java Applet from running on the host. Usage:
  • chmod +x ./cpda_cancel_mac.sh
  • sudo ./cpda_cancel_mac.sh

After running the patch utility, the browser must be restarted in order for the fix to take effect (both for Windows and Mac).

Manual patching

Administrators that would like to patch client machines manually, without using the patch utility, should implement the following instructions:

• To disable vulnerable ActiveX versions, configure "Kill-Bit" by deploying registry changes in file CPDA_KillBit.zip. (Unzip the file 'CPDA_KillBit.zip' and then run 'regedit.exe CPDA_KillBit.reg').
• To disable vulnerable Applet versions from running on Oracle JRE, copy the [list of SHA-1 digests] CPDA_Java_Applet_SHA1s.txt to the JRE signed jar file blacklist file. The blacklist file is located at <Program Files>\Java\<jre_version>\lib\security\blacklist (e.g. C:\Program Files\Java\jre6\lib\security\blacklist). Note: the blacklist feature is supported starting from Oracle JRE v6 update 14.

If end users do not have administrative privileges

1. The administrator first installs the hotfix on the relevant gateway. Then, he extracts the SNXComponentsShell.msi from the extender.cab file of the gateway. (For example, he extracts the SNXComponentsShell.msi from $CVPNDIR/htdocs/SNX/CSHELL/extender.cab on a Connectra gateway.)
2. He should then use GPO to deploy SNXComponentsShell.msi on the client machines. He can deploy cpda_cancel.exe on the client machines, by using a login script that includes "run as administrator".
3. You can verify ActiveX installation in the C:\WINDOWS\Downloaded Program Files folder on the client machines. Check SlimClient version. It should be "800005208".

Credit

Check Point thanks Johannes Greil of SEC Consult Unternehmensberatung GmbH (https://www.sec-consult.com) for responsible disclosure of this issue.