topic Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility in Firewall and Security Management

TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Prime — Fri, 01 May 2020 20:58:18 GMT

We not using Checkpoint remote VPN in current setup but still we want to fix the TLS related below mentioned vulnerability.

TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility.

We have VSX deployment and running r80.10 gaia os.

Also what will be the impact if we disable 1.1 and enable 1.2.

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Chris_Atkinson — Sat, 02 May 2020 07:21:51 GMT

I assume the context here is sk154532 what other blades are enabled in the environment?

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Prime — Sun, 03 May 2020 16:02:27 GMT

Can you share me the sk154532 link?

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Chris_Atkinson — Sun, 03 May 2020 23:02:28 GMT

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk154532&partition=Advanced&product=Security

Note access to some SK articles may depend on you support/partner/certification level.

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Prime — Sun, 03 May 2020 23:44:50 GMT

Do I need to install policy after making the changes?

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

PhoneBoy — Mon, 04 May 2020 00:06:56 GMT

Yes

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Prime — Mon, 04 May 2020 14:44:19 GMT

I have made changes today..waiting for the team to re-scan and check if we still get this vulnerability or not.

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Prime — Wed, 06 May 2020 06:31:15 GMT

We have received report from VAPT team after rescanning the Checkpoint devices, still this Vulnerability is showing Open in the report.

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

PhoneBoy — Thu, 07 May 2020 05:03:17 GMT

Recommend working with the TAC on this.

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Prime — Thu, 14 May 2020 08:37:25 GMT

TAC has shared below sk.

Kindly check sk132712, if this is relevant? (For Disabling TLS1.0 and TLS1.1)

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Chris_Atkinson — Thu, 14 May 2020 10:47:25 GMT

Relevance probably depends on which ports the scan revealed the lower TLS versions for.

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Prime — Thu, 14 May 2020 11:00:58 GMT

vapt report says for port 443

Re: TLS Version 1.0 and 1.1 Protocol Detection Vulnerbility

Prime — Sat, 30 May 2020 09:38:16 GMT

We followed the sk147272 on both the cluster member to mitigate TLS and sweet32 vulnerabilities and re-scaned the device now we don't see this in open.

Issue resolved