Check Point response to OSPF LSA spoofing vulnerability (CVE-2013-0149, CVE-2013-7311)

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk94490
Technical Level
Severity	High
Product	Quantum Security Gateways
Version	R70 (EOL), R71 (EOL), R75 (EOL), R76 (EOL)
OS	IPSO 6.2, Gaia
Platform / Model	All
Date Created	21-Aug-2013
Last Modified	28-Mar-2016

Symptoms

OSPF protocol implementation is vulnerable to spoofing of Link State Advertisement (LSA) messages.
This OSPF LSA spoofing vulnerability may allow attacker, who controls a router in an Autonomous System to divert traffic, create black holes, etc.
For more details, refer to CVE-2013-0149 and the following resources:
For more details, refer to CVE-2013-7311:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7311
The following Check Point products are affected by this vulnerability:
- R75.X on Gaia OS with enabled OSPF without MD5 authentication
- R76 on Gaia OS with enabled OSPF without MD5 authentication
- R75.X and earlier on IPSO 6.2 OS with enabled OSPF without MD5 authentication
- R76 on IPSO 6.2 OS with enabled OSPF without MD5 authentication
Customers, who do not use OSPF functionality at all, or use MD5 authentication for OSPF are not affected.
SecurePlatform OS is not affected.

Solution

This problem was fixed. The fix is included in:

Check Point R77

Check Point recommends to always upgrade to the most recent version.

For other supported versions, Check Point offers a hotfix for this issue.

Table of Contents:

Hotfix availability
Hotfix installation instructions

Hotfix availability

Hotfix is available for:

Platform	Version	Installation method
Gaia OS	R75.47	Check Point Update Service Engine (CPUSE) Manual installation
Gaia OS	R76	Manual installation only
IPSO OS	R70.X R71.X R75.X	Manual installation only
IPSO OS	R76	Manual installation only Note: Hotfix is available upon request from Check Point Support

Other versions must be upgraded to one of the above versions (in order to get the most stable, secure and robust system).

Hotfix installation instructions

Note: Hotfix has to be installed on Security Gateway / each cluster member.

Show / Hide instructions for Gaia OS - R75.47 - using CPUSE Online package
1. Connect to the Gaia Portal on your Check Point machine and navigate to the 'Software Updates' pane - click on 'Status and Actions'.
2. Select the hotfix package R75.47 Hotfix for sk94490 (OSPF LSA spoofing vulnerability) - click on 'Install Update' button on the toolbar.
For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
Show / Hide instructions for Gaia OS - R75.47 - using CPUSE Offline package
1. Download this CPUSE package for Offline installation (Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz).
2. For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
Show / Hide instructions for Gaia OS - R75.47 - using Legacy CLI
1. Hotfix has to be installed on Security Gateway / each cluster member.
2. Download this hotfix package:
  
  Platform R75.47
  
  Gaia OS (TGZ)
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Unpack the hotfix package:
  
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar -zxvf Check_Point_OSPF_R75.47_HOTFIX_003.tgz
5. Install the hotfix:
  
  [Expert@HostName]# ./SecurePlatform_HOTFIX_NAME
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
6. Reboot the machine.
Show / Hide instructions for Gaia OS - freshly installed R76 (not upgraded to R76)
1. Hotfix has to be installed on Security Gateway / each cluster member.
2. Download this hotfix package:
  
  Platform R76
  
  Gaia OS (TGZ)
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Unpack the hotfix package:
  
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar -zxvf Check_Point_OSPF_R76_HOTFIX_050.tgz
5. Install the hotfix:
  
  [Expert@HostName]# ./SecurePlatform_HOTFIX_NAME
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
6. Reboot the machine.
Show / Hide instructions for Gaia OS - upgraded to R76
1. Hotfix has to be installed on Security Gateway / each cluster member.
2. Check whether other hotfixes for RouteD daemon were installed. Run the following command in Clish:
  
  HostName> show routed version
3. If the RouteD version is not routed-0.1-cp989000090, then Contact Check Point Support to get a combined Hotfix for this issue (package that will include the current hotfixes and the hotfix for OSPF LSA spoofing vulnerability).
4. If the RouteD version is routed-0.1-cp989000090 (native version), then install the hotfix - proceed to next step.
5. Download this hotfix package:
  
  Platform R76
  
  Gaia OS (TGZ)
6. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
7. Unpack the hotfix package:
  
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar -zxvf Check_Point_OSPF_R76_HOTFIX_050.tgz
8. Install the hotfix (note the "-NODEP" flag at the end):
  
  [Expert@HostName]# ./SecurePlatform_HOTFIX_NAME -NODEP
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
9. Reboot the machine.
Show / Hide instructions for IPSO OS - R70.X / R71.X / R75.X
1. Hotfix has to be installed on Security Gateway / each cluster member.
2. Download this hotfix package:
  
  Platform R70.X
  R71.X
  R75.X
  
  IPSO OS (ZIP)
3. Unpack the ZIP archive (ipso-6_2-BUILD.zip).
4. Extract the ipso-6.2.tgz file.
5. Refer to Getting Started Guide and Release Notes for Check Point IPSO 6.2 - Chapter 8 'Upgrading to Check Point IPSO 6.2'
Show / Hide instructions for IPSO OS - R76
1. Hotfix has to be installed on Security Gateway / each cluster member.
2. Contact Check Point Support to get this hotfix package.
3. Unpack the ZIP archive (ipso-6_2-BUILD.zip).
4. Extract the ipso-6.2.tgz file.
5. Refer to Getting Started Guide and Release Notes for Check Point IPSO 6.2 - Chapter 8 'Upgrading to Check Point IPSO 6.2'

This solution is about products that are no longer supported and it will not be updated

Applies To:

00264533 , 00264538 , 00264548 , 00264549 , 00264550 , 00264551 , 01208862 , 01215316 , 01226524 , 01230962 , 01245947 , 01256991 , 01262863 , 01294048 , 01294051 , 01351878 , 01365797 , 01378649 , 01403734

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating