Support Center > Search Results > SecureKnowledge Details
Support Center
The information you are about to copy is INTERNAL! DO NOT share it with anyone outside Check Point.
 Print    Email
Check Point response to OSPF LSA spoofing vulnerability (CVE-2013-0149, CVE-2013-7311)

Solution ID: sk94490
Severity: High
Product: Security Gateway
Version: R70, R71, R75, R76
OS: IPSO 6.2, Gaia
Platform / Model: All
Date Created: 21-Aug-2013
Last Modified: 13-Jan-2015
Rate this document
[1=Worst,5=Best]
Symptoms
Solution

This problem was fixed. The fix is included in:

Check Point recommends to always upgrade to the most recent version.

 


 

For other versions, Check Point offers a hotfix for this issue.

Table of Contents:

  • Hotfix availability
  • Hotfix installation instructions

Hotfix availability

  • Hotfix is available for:

    Platform Version Installation method
    Gaia OS R75.47
    • Check Point Update Service Engine (CPUSE)
    • Manual installation
    R76
    • Manual installation only
    IPSO OS R70.X
    R71.X
    R75.X
    • Manual installation only
    R76


  • Other versions must be upgraded to one of the above versions (in order to get the most stable, secure and robust system).

 

Hotfix installation instructions

Note: Hotfix has to be installed on Security Gateway / each cluster member.

  • Show / Hide instructions for Gaia OS - R75.47 - using CPUSE

    • In Gaia Portal:

      1. Connect to the Gaia Portal on your Check Point machine and navigate to the 'Software Updates' pane - click on 'Status and Actions'.
      2. Select the hotfix package R75.47 Hotfix for sk94490 (OSPF LSA spoofing vulnerability) - click on 'Install Update' button on the toolbar.

      For detailed instructions see sk98926 - Install Check Point products using Check Point Upgrade Service Engine (CPUSE) - section "(III) Installation instructions for Hotfixes / Minor version / Major version".

    • In Clish:

      Note: Starting from build 627, Software Updates Agent is controlled by the DAClient command in Expert mode:
      [Expert@HostName]# DAClient <operation> [<data>]

      For more details, refer to sk92449 - CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "Usage for Gaia Software Updates Agent version 710 and above - Available Expert mode commands".

      Instructions:

      1. Log in to Clish shell.

      2. See the list of available packages for download:

        HostName> show installer available_packages

      3. Download the desired package:

        HostName> installer download PACKAGE_NUMBER

      4. Check the download progress by repeatedly running this command:

        HostName> show installer package_status

      5. See the list of available packages for install:

        HostName> show installer available_local_packages

      6. Install the desired package:

        HostName> installer install PACKAGE_NUMBER

      7. Check the installation progress by repeatedly running this command:

        HostName> show installer package_status

      8. Machine will be rebooted automatically.


  • Show / Hide instructions for Gaia OS - R75.47 - using CPUSE Offline package

    1. Download this CPUSE package for Offline installation (Check_Point_R75.47_OSPF_Hotfix_sk94490.tgz).

    2. Connect to the Gaia Portal.

    3. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out'):



    4. Navigate to the 'Software Updates' pane - click on 'Status and Actions'.

    5. On the toolbar, click on the 'More' button and select 'Import Package'.

      Example:



    6. In the 'Import Package' window, click on 'Browse...' - select the CPUSE Offline package (TGZ file) - click on 'Upload'.

      Note: If the following error is displayed, then incorrect package was uploaded (contact Check Point Support for assistance):

      Cannot import package.
      It is not a valid exported "Gaia Software Updates" package.

    7. Install the uploaded CPUSE Offline package.

      • Instructions for Gaia Portal:

        1. Before installing a software update, user can verify whether there are any warnings about this update and whether this update can be installed without conflicts.

          Select the imported CPUSE Offline package, click on the 'More' button on the toolbar and select 'Verifier':



        2. Select the imported CPUSE Offline package and click on 'Install Update' button on the toolbar.


      • Instructions for Clish:

        1. See the list of available CPUSE packages for install:

          HostName> show installer available_local_packages

        2. Install the uploaded CPUSE Offline package:

          HostName> installer install PACKAGE_NUMBER

        3. Check the installation progress by repeatedly running this command:

          HostName> show installer package_status

        4. Machine will be rebooted automatically.

    For more details, refer to sk98926 - Install Check Point products using Check Point Upgrade Service Engine (CPUSE).

  • Show / Hide instructions for Gaia OS - R75.47 - using CLI

    1. Hotfix has to be installed on Security Gateway / each cluster member.

    2. Download this hotfix package:

      Platform R75.47
      Gaia OS (TGZ)


    3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).

    4. Unpack the hotfix package:

      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar -zxvf Check_Point_OSPF_R75.47_HOTFIX_003.tgz

    5. Install the hotfix:

      [Expert@HostName]# ./SecurePlatform_HOTFIX_NAME

      Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.

    6. Reboot the machine.


  • Show / Hide instructions for Gaia OS - freshly installed R76 (not upgraded to R76)

    1. Hotfix has to be installed on Security Gateway / each cluster member.

    2. Download this hotfix package:

      Platform R76
      Gaia OS (TGZ)


    3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).

    4. Unpack the hotfix package:

      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar -zxvf Check_Point_OSPF_R76_HOTFIX_050.tgz

    5. Install the hotfix:

      [Expert@HostName]# ./SecurePlatform_HOTFIX_NAME

      Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.

    6. Reboot the machine.


  • Show / Hide instructions for Gaia OS - upgraded to R76

    1. Hotfix has to be installed on Security Gateway / each cluster member.

    2. Check whether other hotfixes for RouteD daemon were installed. Run the following command in Clish:

      HostName> show routed version

    3. If the RouteD version is not routed-0.1-cp989000090, then Contact Check Point Support to get a combined Hotfix for this issue (package that will include the current hotfixes and the hotfix for OSPF LSA spoofing vulnerability).

    4. If the RouteD version is routed-0.1-cp989000090 (native version), then install the hotfix - proceed to next step.

    5. Download this hotfix package:

      Platform R76
      Gaia OS (TGZ)


    6. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).

    7. Unpack the hotfix package:

      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar -zxvf Check_Point_OSPF_R76_HOTFIX_050.tgz

    8. Install the hotfix (note the "-NODEP" flag at the end):

      [Expert@HostName]# ./SecurePlatform_HOTFIX_NAME -NODEP

      Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.

    9. Reboot the machine.


  • Show / Hide instructions for IPSO OS - R70.X / R71.X / R75.X

    1. Hotfix has to be installed on Security Gateway / each cluster member.

    2. Download this hotfix package:

      Platform R70.X
      R71.X
      R75.X
      IPSO OS (ZIP)


    3. Unpack the ZIP archive (ipso-6_2-BUILD.zip).

    4. Extract the ipso-6.2.tgz file.

    5. Refer to Getting Started Guide and Release Notes for Check Point IPSO 6.2 - Chapter 8 'Upgrading to Check Point IPSO 6.2'


  • Show / Hide instructions for IPSO OS - R76

    1. Hotfix has to be installed on Security Gateway / each cluster member.

    2. Contact Check Point Support to get this hotfix package.

    3. Unpack the ZIP archive (ipso-6_2-BUILD.zip).

    4. Extract the ipso-6.2.tgz file.

    5. Refer to Getting Started Guide and Release Notes for Check Point IPSO 6.2 - Chapter 8 'Upgrading to Check Point IPSO 6.2'

Applies To:
  • 00264533 , 00264538 , 00264548 , 00264549 , 00264550 , 00264551 , 01208862 , 01215316 , 01226524 , 01230962 , 01245947 , 01256991 , 01262863 , 01294048 , 01294051 , 01351878 , 01365797 , 01378649 , 01403734
Give us Feedback
Rate this document
[1=Worst,5=Best]
Additional comments...(Max 2000 characters allowed)
Characters left: 2000