Check Point response to Sockstress TCP DoS attacks (CVE-2008-4609)

Solution ID: sk42723
Severity: High
Product: Security Gateway, Mobile Access / SSL VPN, IPSO, VSX, SecureAccess / Integrity, Edge, IPS-1, Security Management
Version: NGX R65, R70, NGX R60, NGX R61, NGX R62, NGX R62CM, NGX R66
Date Created: 06-Sep-2009
Last Modified: 24-Feb-2010
Symptoms
  • On September 08, 2009 CERT-FI published an advisory about an attack tool called Sockstress, which exploits design flaws in the TCP protocol. A successful Sockstress attack may cause damage ranging from denial of TCP connectivity to the target to exhaustion of kernel memory, which may lead to a system panic.
    The actual effect depends on the amount of RAM on the target machine and on implementation details of its TCP/IP stack. Many TCP/IP implementations are vulnerable.

    References:


    Vulnerability exposure:
    • Not vulnerable products: IPS-1, UTM-1 Edge, IPSO-LX

    • Vulnerable products: VPN-1 Power/UTM, VPN-1 Pro/Express, Connectra, VPN-1 Power VSX

    • Any TCP service that is accessible from any IP on the Internet may be attacked.
Solution
This problem has been fixed. The fix is included in the following releases:
  • R70 HFA 20

  • VPN-1 Power/UTM NGX R65 HFA 60

Check Point recommends always upgrading to a recent version, and to the most recent HFA (Hotfix Accumulator) of that version.

To get the latest HFA for your product, version, and operating system, go to http://www.checkpoint.com/techsupport/hfa.html.

If you choose not to install the above HFAs, Check Point has released a comprehensive solution that mitigates the attack against any Check Point Security Gateway and protects resources behind the gateway.

HotFixes protecting Check Point gateways:
  • VPN-1 Power/UTM and VPN-1 Pro/Express: R70.1, R65 HFA_50, R62 HFA_01, R60 HF_A07

  • Connectra: R66.1, R62 HFA01, R62CM HFA01

  • VPN-1 Power VSX NGX R65


IPS protections from Sockstress for servers behind Check Point gateway:


To protect the Security Gateway, install the following hotfixes:



Customers on other versions should contact Check Point Technical Services to receive a hotfix. To contact Support, either call one of the Worldwide Technical Assistance Centers at:

Americas: +1 (972) 444 6600 / +1 (888) 361 5030 / +1 (613) 271 7950 or International: +972-3-6115100 (see the full list of contact phone numbers), or submit a Service Request through http://www.checkpoint.com/sr.



HotFix Installation instructions:
  1. The security hotfix must be installed on top of the specified HFA only. Make sure you installed the required HFA before installing this security hotfix.

  2. Download the correct tgz archive.

  3. Extract the archive by running the tar xzvf <tgz archive name> command from Expert mode.

  4. Run the executable whose name starts with fw1.

  5. Follow the instructions on screen.

  6. After the installation completes successfully, reboot the machine.


Configuration options:
  • Protection is enabled by default.

  • To disable protection add the line fw_tcp_durability_enable=0 to the $FWDIR/modules/fwkern.conf file and reboot the gateway.

  • To re-enable protection add the line fw_tcp_durability_enable=1 to the $FWDIR/modules/fwkern.conf file and reboot the gateway.

Note: create the $FWDIR/modules/fwkern.conf file if it does not exist.


Notes:
  • To uninstall an HFA from a Security Gateway that also has the Sockstress hotfix, you must first uninstall the Sockstress hotfix and only then uninstall the HFA.


  • Before uninstalling the HFA, remove the associated configuration parameters from $FWDIR/modules/fwkern.conf. Failing to remove these parameters will prevent the gateway from starting after a reboot.
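The configuration steps above (set fw_tcp_durability_enable in $FWDIR/modules/fwkern.conf, create the file if it is missing, and remove the parameter again before an HFA uninstall) as a small POSIX sh helper. This is an added example, not a Check Point tool; it assumes FWDIR is set in the shell as it is in Expert mode, and the parameter takes effect only after the reboot the advisory requires.

```shell
#!/bin/sh
# Added example (not Check Point's own code): idempotent edits to
# $FWDIR/modules/fwkern.conf for the Sockstress protection switch.
# The kernel reads fwkern.conf at boot only, so reboot after any change.

# Path of the kernel parameter file; FWDIR is assumed to be exported.
fwkern_conf() {
    printf '%s/modules/fwkern.conf\n' "${FWDIR:?FWDIR must be set}"
}

# Print the current value of a parameter, or "unset" if it is absent.
fwkern_get() {
    key="$1"; conf=$(fwkern_conf)
    [ -f "$conf" ] || { echo unset; return 0; }
    val=$(sed -n "s/^${key}=//p" "$conf" | tail -n 1)
    [ -n "$val" ] && echo "$val" || echo unset
}

# Set key=value, replacing any existing line instead of appending a
# duplicate; creates the directory and file if they do not exist.
fwkern_set() {
    key="$1"; value="$2"; conf=$(fwkern_conf); tmp="${conf}.tmp"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    grep -v "^${key}=" "$conf" > "$tmp" || true   # grep -v exits 1 on no output
    mv "$tmp" "$conf"
    printf '%s=%s\n' "$key" "$value" >> "$conf"
}

# Remove a parameter entirely, e.g. before uninstalling the HFA (see Notes).
fwkern_remove() {
    key="$1"; conf=$(fwkern_conf); tmp="${conf}.tmp"
    [ -f "$conf" ] || return 0
    grep -v "^${key}=" "$conf" > "$tmp" || true
    mv "$tmp" "$conf"
}
```

Typical use: `fwkern_set fw_tcp_durability_enable 0` to disable the protection, `fwkern_set fw_tcp_durability_enable 1` to re-enable it, then reboot; `fwkern_get fw_tcp_durability_enable` shows the configured value (the protection is on by default when the line is absent).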


  • If accept logs are configured, SmartView Tracker may continuously produce accept logs associated with the blocked source after a Sockstress block alert is issued. The associated traffic will be blocked by the Sockstress protection and the accept logs can be safely ignored.


FAQ

Q. Do I need to protect SmartCenter or Integrity Server from Sockstress?
A. If there are ports on these machines that are accessible to any client on the Internet, customers should activate the IPS protection (on either IPS-1 or the Security Gateway) to protect the server.


Q. Why is IPS-1 not vulnerable to Sockstress?
A. IPS-1 is not vulnerable because its TCP ports are accessible from internal interfaces only.


Q. Why is UTM-1 Edge not vulnerable to Sockstress?
A. UTM-1 Edge is not vulnerable because it does not expose TCP ports on its external interface.


Q. My gateway runs on Windows/Solaris; should I install the vendor patch?
A. Yes. Customers are advised to install vendor patches in addition to the Check Point HotFix for their Security Gateway.


Q. What is the difference between protections provided by the IPS and the gateways?
A. The IPS protection mitigates attacks against servers behind the gateway. The gateway protection mitigates attacks against the gateway itself, i.e. TCP ports on the gateway and its Security Servers.


Q. What should R70 customers do?
A. R70 customers should upgrade to R70.1 and install the current hotfix.
