Check Point response to "Check Point ClusterXL/CCP issue (DoS)"
Symptoms
  • Jakub Jozwiak has demonstrated that by forging CCP packets it is possible to "confuse" cluster members about the state of peer members and cause denial of service (cluster members could be forced to incorrectly change their state to "Ready").
Cause

This attack is possible if a malicious user gains Layer 2 access to the cluster's trusted (sync) interfaces (those whose "Network Objective" in the cluster object topology is "Sync").


Solution

Check Point does not consider this a valid attack vector.

Check Point Cluster Control Protocol (CCP) packets are assumed to be sent over a trusted and isolated network. Customers may achieve this by using a dedicated physical network segment, or by using VLANs. It is the responsibility of the customer to ensure that this network is trusted and isolated.

Relevant documentation:

Credit: Check Point thanks Jakub Jozwiak for responsible disclosure of this issue.

 
