topic Re: CVE-2004-2761 with ICA in Firewall and Security Management

CVE-2004-2761 with ICA

GigaYang — Mon, 11 Mar 2024 10:11:12 GMT

Hi All,

Our R81 Gateway was found to have the vulnerability CVE-2004-2761 and needs to be replaced with a stronger SSL certificate.

However, looking at the details of the weak scan report, the problematic part seems to be related to the Internal CA (still using SHA-1), which means that the Internal CA may need to re-sign.

In addition to re-signing a certificate, is there any other way to solve the problem of ICA using SHA-1?

Thank you.

Re: CVE-2004-2761 with ICA

PhoneBoy — Wed, 13 Mar 2024 15:32:35 GMT

For background, see: https://support.checkpoint.com/results/sk/sk103840
You need to renew the ICA, which should change it to SHA-256: https://support.checkpoint.com/results/sk/sk43783

Re: CVE-2004-2761 with ICA

GigaYang — Thu, 14 Mar 2024 01:04:27 GMT

Hi Sir,

This vulnerability was discovered when Nessus scanned Gateway's TCP 443 Port, but when checking the GAiA Web Portal certificate through the browser, it was already using SHA-256.

Do you still need to regenerate ICA?

Thanks

Re: CVE-2004-2761 with ICA

PhoneBoy — Thu, 14 Mar 2024 15:28:16 GMT

While the Gaia portal might have a certificate with SHA-256 hash, that certificate is signed by a CA that uses a SHA-1 hash.
Therein lies the problem.
The only way to fix that is to regenerate the ICA.

Re: CVE-2004-2761 with ICA

GigaYang — Thu, 14 Mar 2024 18:56:19 GMT

Does sk147272 can solve this problem?

https://support.checkpoint.com/results/sk/sk147272

Re: CVE-2004-2761 with ICA

the_rock — Thu, 14 Mar 2024 19:08:15 GMT

Not sure it may fix the problem, but worth a try.

Andy

Re: CVE-2004-2761 with ICA

CaseyB — Thu, 14 Mar 2024 19:18:29 GMT

SSL cipher suites would be different than certificate hash algorithms.