Support Center > Search Results > SecureKnowledge Details
Status of OpenSSL CVEs
Solution

This article applies to all Check Point software products, unless stated otherwise for specific CVE.

Note: This article does not list all the known CVEs for OpenSSL - only those that were explicitly checked by Check Point.

CVE Comment
2017
CVE-2018-0739 Not vulnerable
CVE-2018-0733 Not vulnerable
CVE-2017-3733 Not vulnerable
CVE-2017-3732

Not relevant

Note: Check Point products do not use the FFDHE ciphersuite
CVE-2017-3731 Relevant only when using an RC4-MD5 ciphersuite, which all customers should have disabled by now
per sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah)
CVE-2017-3730

Not relevant

Note: Check Point products do not use the affected versions 1.1.0 prior to 1.1.0d
2016
CVE-2016-6309 Not vulnerable
CVE-2016-6308 Not vulnerable (refer to sk113500)
CVE-2016-6307 Not vulnerable (refer to sk113500)
CVE-2016-6306 Refer to sk113500 - Check Point response to OpenSSL Security advisory 22 September 2016
CVE-2016-6305 Not vulnerable (refer to sk113500)
CVE-2016-6304 Refer to sk113500 - Check Point response to OpenSSL Security advisory 22 September 2016
CVE-2016-6303 Not vulnerable (refer to sk113500)
CVE-2016-6302 Not vulnerable (refer to sk113500)
CVE-2016-2182 Not vulnerable (refer to sk113500)
CVE-2016-2181 Not vulnerable (refer to sk113500)
CVE-2016-2180 Not vulnerable (refer to sk113500)
CVE-2016-2178 Not vulnerable (refer to sk113500)
CVE-2016-2177 Not vulnerable (refer to sk113500)
CVE-2016-2176

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-2109

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-2108

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-2107

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-2106

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-2105

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-0800
  • HTTPS Portals on Gaia OS / SecurePlatform OS are not vulnerable

  • HTTPS Portals on Gaia Embedded OS (600/700/1100/1200R/1400 appliances) are not vulnerable

  • IPSO Network Voyager (over HTTPS) is not vulnerable

  • Recommendations for Security Gateway configured as Mail Transfer Agent (MTA) and used as the organization MX record:

    1. [Preferred] On the Security Gateway configured as Mail Transfer Agent (MTA), use a dedicated SSL certificate that is not used anywhere else.

    2. [Optional, but recommended] Use the IPS protection "Secure Sockets Layer Version 2.0" to block SSLv2 connections.

    3. [Optional, but recommended] Use the IPS protection "Non Compliant SSL" to block SSLv2 connections on TCP port 25:

      1. In SmartDashboard, go to IPS tab
      2. In the left upper pane, click on Protections
      3. Search for Non Compliant SSL
      4. Double-click on this protection
      5. Double-click on the IPS profile
      6. Select Override IPS Policy with - select Prevent
      7. Check the box Protect SMTPS over SMTP Port (TCP/25)
      8. Click on OK
      9. Repeat Steps E - H for each IPS Profile
      10. Click on OK
      11. Install policy
    4. Follow the sk102989 -
      section "(III) Configuration recommendations for Check Point Portals and OS" -
      sub-section "Recommendations for Mail Transfer Agent (MTA)" -
      disable SSLv2 and SSLv3 (and use only TLSv1).
      Note: Has wide impact - will also block reception of clear text e-mails over SMTP.

  • LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)
CVE-2016-0799

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-0798

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-0797

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-0705

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-0704

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-0703
  • HTTPS Portals on Gaia OS / SecurePlatform OS are not vulnerable

  • HTTPS Portals on Gaia OS Embedded (600/700/1100/1200R/1400 appliances) are not vulnerable

  • IPSO Network Voyager (over HTTPS) is not vulnerable

  • For Security Gateway configured as Mail Transfer Agent (MTA) and used as the organization MX record, refer to sk102989 -
    section "(III) Configuration recommendations for Check Point Portals and OS" -
    sub-section "Recommendations for Mail Transfer Agent (MTA)" -
    disable SSLv2 and SSLv3 (and use only TLSv1)

  • LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-0702

Not vulnerable

Exception: LOM card firmware lower than 2.30 on 13000 / 21000 / Smart-1 series appliances is vulnerable (refer to sk101241)

CVE-2016-0701 Not vulnerable
2015
CVE-2015-3197 Not vulnerable
CVE-2015-3196 Not vulnerable
CVE-2015-3195 Not vulnerable
CVE-2015-3194 Not vulnerable
CVE-2015-3193 Not vulnerable
CVE-2015-2808 Refer to sk106499 - Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789
CVE-2015-1794 Not vulnerable
CVE-2015-1793 Not vulnerable
CVE-2015-1792

LOM card firmware is vulnerable on the following appliances:

  • 4000 series - lower than 2.1.2 is vulnerable (refer to sk97621)
  • 12000 series - lower than 2.1.2 is vulnerable (refer to sk97621)
  • 13000 series - lower than 2.30 is vulnerable (refer to sk101241)
  • 21000 series - lower than 2.30 is vulnerable (refer to sk101241)
  • Smart-1 series - lower than 2.30 is vulnerable (refer to sk101241)
Note: All other Check Point products are not vulnerable (because they do not use OpenSSL CMS code)
CVE-2015-1789 Refer to sk106499 - Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789
CVE-2015-1788

Not relevant

Note: Check Point products do not use OpenSSL ECParameters code
CVE-2015-1787 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0293 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0292 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0291 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0290 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0289 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0288 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0287 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0286 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0285 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0209 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0208 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0207 Not vulnerable - refer to sk105284 - Check Point response to OpenSSL Security advisory 19 March 2015
CVE-2015-0206 Not vulnerable
CVE-2015-0205 Not vulnerable
CVE-2015-0204 Refer to:
 
2014
CVE-2014-8275 Not vulnerable
CVE-2014-8176

Not vulnerable

Note: Check Point products do not use OpenSSL DTLS code

CVE-2014-5139 Not vulnerable
CVE-2014-3572 Not vulnerable
CVE-2014-3571 Not vulnerable
CVE-2014-3570 Not vulnerable
CVE-2014-3569

Not relevant

Follow sk102989 - Check Point response to the POODLE Bites vulnerability

Note: This CVE was created after fixing the CVE-2014-3568. Check Point is not vulnerable to CVE-2014-3568, so the fix for CVE-2014-3568 is not included.

CVE-2014-3568

Not vulnerable

Follow sk102989 - Check Point response to the POODLE Bites vulnerability

Note: Check Point openSSL is not compiled with "-no-ssl3"

CVE-2014-3567

Not vulnerable

Follow sk102989 - Check Point response to the POODLE Bites vulnerability

CVE-2014-3513 Not relevant

Note: Check Point products do not use OpenSSL DTLS code

CVE-2014-3512

Not relevant

Note: Check Point products do not support Secure Remote Password (SRP)
CVE-2014-3511 Not vulnerable
CVE-2014-3510

Not relevant

Note: Check Point products do not use OpenSSL DTLS code
CVE-2014-3509 Not vulnerable
CVE-2014-3508

Not relevant

Note: Check Point products do not use OpenSSL's pretty print and Check Point logs are kept private
CVE-2014-3507

Not relevant

Note: Check Point products do not use OpenSSL DTLS code
CVE-2014-3506

Not relevant

Note: Check Point products do not use OpenSSL DTLS code
CVE-2014-3505

Not relevant

Note: Check Point products do not use OpenSSL DTLS code
CVE-2014-3470 Not vulnerable (this CVE does not affect OpenSSL v0.9.8)
CVE-2014-0224 Refer to sk101186 - SSL/TLS MITM vulnerability
CVE-2014-0221 Not vulnerable (this CVE does not affect OpenSSL v0.9.8)
CVE-2014-0198 Not vulnerable (this CVE does not affect OpenSSL v0.9.8)
CVE-2014-0195 Not vulnerable (this CVE does not affect OpenSSL v0.9.8)
CVE-2014-0160 Refer to sk100173 - Check Point response to OpenSSL vulnerability
CVE-2014-0076

Not vulnerable

Note: The bug is in code that Check Point products do not use
 
2013
CVE-2013-6450

Not relevant

Note: Check Point products do not use DTLS
CVE-2013-6449

Not relevant

Note: OpenSSL used in Check Point products is not vulnerable because it does not have TLS 1.2
CVE-2013-4353

Not relevant

Note: OpenSSL used in Check Point products is not vulnerable
CVE-2013-0169

Relevant

Note: The attack is impractical. Attacker needs to Man-in-the-Middle 8 million connections to gain one plaintext block. The result is more serious for DTLS. However, Check Point does not use DTLS for anything. The fix in OpenSSL has performance issues. Check Point does not plan to fix it.

CVE-2013-0166

Not relevant

Note: Check Point products perform their own certificate validation
 
2012
CVE-2012-2686 Not relevant
CVE-2012-2333 Not relevant
CVE-2012-1165 Not relevant
CVE-2012-0884 Not vulnerable
CVE-2012-0027 Not relevant
 
2011
CVE-2011-4619 Not relevant
CVE-2011-4577 Not relevant
CVE-2011-4576 Not vulnerable (fixed in R75.40)
CVE-2011-4109 Not relevant
CVE-2011-4108 Not relevant
CVE-2011-3210 Not relevant
CVE-2011-1945 Not relevant
 
2010
CVE-2010-5298

Not vulnerable (fix for this CVE is already integrated)

CVE-2010-4252 Not relevant
CVE-2010-4180 Not relevant
CVE-2010-0433 Not relevant
 
2009
CVE-2009-4355 Not vulnerable
CVE-2009-3555 Not relevant
CVE-2009-3245 Not relevant
CVE-2009-2409 Not relevant
CVE-2009-1386 Not relevant
CVE-2009-0789 Not relevant
CVE-2009-0590 Not relevant
 
2008
CVE-2008-7270 Not relevant
CVE-2008-5077 Not relevant
 
2006
CVE-2006-7250 Not relevant
CVE-2006-4343 Not relevant
CVE-2006-3738 Not vulnerable (refer to sk33771)
CVE-2006-2940 Not vulnerable, fix is included in Check Point OpenSSL library
CVE-2006-2937 Not vulnerable / not relevant

 

Clarifications:

Status Meaning
Not relevant
  • Either Check Point does not use the vulnerable code.
  • Or Check Point does not have this code in released versions.
  • Or Check Point changed the code in such a way that this vulnerability does not apply anymore.
Not vulnerable
  • The issue is not relevant to Check Point code (the affected code does not exist or is not used in Check Point software).
  • The issue was relevant to Check Point code and Check Point has already fixed it.
Relevant
  • The issue exists in Check Point code.

 

How to check the version of the installed OpenSSL package:

[Expert@HostName:0]# rpm -qa | grep openssl

Example:
[Expert@MGMT:0]# rpm -qa | grep openssl
openssl-0.9.8b-8.3cp738000011
[Expert@MGMT:0]#

 

How to check which CVEs were fixed in the installed OpenSSL package:

[Expert@HostName:0]# rpm -q --changelog $(rpm -qa | grep openssl) | grep CVE

Example:
[Expert@MGMT:0]# rpm -q --changelog $(rpm -qa | grep openssl) | grep CVE
- fix CVE-2007-3108 - side channel attack on private keys (#322891)
- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309871)
- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321211)
- CVE-2006-2940 fix was incorrect (#208744)
- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)
- fix CVE-2006-2940 - parasitic public keys DoS (#207274)
- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)
- fix CVE-2006-4343 - sslv2 client DoS (#206940)
- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)
[Expert@MGMT:0]#
Applies To:
  • This SK replaces sk101171

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment