topic Vulnerability Mitigation for TLS 1.0 and Weak Ciphers in Firewall and Security Management

Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

LostBoY — Fri, 28 Jun 2019 14:49:36 GMT

Hello,

I need instructions to mitigate the following two vulnerabilities from our Gateways :

1) Enable Support for TLS 1.1 and TLS 1.2 , and disable TLS 1.0

2) Removal of Weak Ciphers

We are using a VSX Cluster environment with R80.10

Also, what could be the after effects after removing these vulnerabilities on the existing production environment.

Please suggest.

Thanks

Re: Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

PhoneBoy — Fri, 28 Jun 2019 19:12:53 GMT

As there isn't one global "use TLSv1.2" and "disable weak ciphers" setting, we need some more context, namely on what ports these issues were found.
The main one the comes up (Gaia WEBUI) isn't relevant on VSX.

Re: Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

LostBoY — Wed, 31 Jul 2019 10:12:53 GMT

thanks for the reply.. vulnerability has been reported on port 443 (TLS 1.0 Protocol Detection) ...discovered on 2 VSX Gateways which are in cluster

Re: Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

PhoneBoy — Fri, 02 Aug 2019 14:15:39 GMT

What blades are active on this gateway?
Like I said, the main culprit (the Gaia WebUI) is not active on VSX.

Re: Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

LostBoY — Tue, 10 Sep 2019 09:44:19 GMT

AntiBot, Antivirus, IPS

Re: Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

G_W_Albrecht — Tue, 10 Sep 2019 10:54:49 GMT

Maybe also SSL Inspection ? Then see sk126613: Cipherconfiguration tool for R80.x Gateways.

Re: Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

Parmod — Thu, 16 Jan 2020 17:08:24 GMT

how to remediate TLS vulnerability on checkpoint firewall Virtual interface

and sk126613: Cipherconfiguration tool for R80.x Gateways. is not clearing this requirement @

Re: Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

sushilsharma — Wed, 12 Feb 2020 13:42:37 GMT

1) Enable Support for TLS 1.1 and TLS 1.2 , and disable TLS 1.0

Note: I am a novice user, so please check in test setup before applying to production.

Solution: In Smart console menu->Global properties->Advanced->Configure...

Go to portal properties, there it will show option to set max and min ssl version attributes.

There you may change ssl min. version from TLS1.0 to TLS1.1.

Re: Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

fklim — Fri, 21 Aug 2020 21:01:15 GMT

awesome, thanks for sharing

Re: Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

Prime — Thu, 22 Sep 2022 12:15:52 GMT

Follow -sk147272 , sk106031 to mitigate the above vulnerability.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106031&partition=Advanced&product=Security

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147272&partition=Advanced&product=Security