https://community.checkpoint.com/t5/General-Topics/Various-Vulnerabilities-on-secure-platform-firewall/m-p/82761#M16732 <P>Hello guys , this is my first post here so i am hope i will have some help</P><P>i received some tasks to fix some vulnerabilities on one of our cluster&nbsp; fw, which is very old secure Platform R75.40... i know its old , end of support etc and there are plans to upgrade/renew it in near future.</P><P>&nbsp;</P><P>i was trying to find something in the google etc, but most articles are related to newer version like 77.30 and 80.x</P><P>i will list some of those issues so maybe someone give me a tips how to fix it in this old platform.</P><P>1: Disable SSLv3. Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled. and it is related to SSLv3 Padding vuln.</P><P>i found some post <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk120846" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk120846</A></P><P>but again it is related to newer version so i wonder if there is something similar for my version and platform.</P><P>&nbsp;</P><P>2.SSL Medium Strength Cipher Suites Supported CVE-2016-2183&nbsp;</P><P>I would like to know how to safely fix that on this platform? and what cipher to use in this case?</P><P>&nbsp;</P><P>3. Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption. realated to: CVE-2008-5161</P><P>What ciphers i would need to add and where ssh_conf or sshd_conf&nbsp; (in sshd_conf there is no ciphers at all)</P><P>also there is need to restart ssh after that , is it risk i will lose connection to the box in case of some mistake?</P><P>&nbsp;</P><P>sorry for question which can looks trivial&nbsp; but i am new to checkpoint and&nbsp; especially to such old platform so i will be thankful for any help</P><P>and if i posted it in wrong location please move it or let me know to avoid it in the future.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 22 Apr 2020 11:28:15 GMT Jaro 2020-04-22T11:28:15Z https://community.checkpoint.com/t5/General-Topics/Various-Vulnerabilities-on-secure-platform-firewall/m-p/82761#M16732 <P>Hello guys , this is my first post here so i am hope i will have some help</P><P>i received some tasks to fix some vulnerabilities on one of our cluster&nbsp; fw, which is very old secure Platform R75.40... i know its old , end of support etc and there are plans to upgrade/renew it in near future.</P><P>&nbsp;</P><P>i was trying to find something in the google etc, but most articles are related to newer version like 77.30 and 80.x</P><P>i will list some of those issues so maybe someone give me a tips how to fix it in this old platform.</P><P>1: Disable SSLv3. Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled. and it is related to SSLv3 Padding vuln.</P><P>i found some post <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk120846" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk120846</A></P><P>but again it is related to newer version so i wonder if there is something similar for my version and platform.</P><P>&nbsp;</P><P>2.SSL Medium Strength Cipher Suites Supported CVE-2016-2183&nbsp;</P><P>I would like to know how to safely fix that on this platform? and what cipher to use in this case?</P><P>&nbsp;</P><P>3. Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption. realated to: CVE-2008-5161</P><P>What ciphers i would need to add and where ssh_conf or sshd_conf&nbsp; (in sshd_conf there is no ciphers at all)</P><P>also there is need to restart ssh after that , is it risk i will lose connection to the box in case of some mistake?</P><P>&nbsp;</P><P>sorry for question which can looks trivial&nbsp; but i am new to checkpoint and&nbsp; especially to such old platform so i will be thankful for any help</P><P>and if i posted it in wrong location please move it or let me know to avoid it in the future.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 22 Apr 2020 11:28:15 GMT https://community.checkpoint.com/t5/General-Topics/Various-Vulnerabilities-on-secure-platform-firewall/m-p/82761#M16732 Jaro 2020-04-22T11:28:15Z https://community.checkpoint.com/t5/General-Topics/Various-Vulnerabilities-on-secure-platform-firewall/m-p/83078#M16799 The time that you spend "fixing" these vulnerabilities would be better spent upgrading to a supported release, given that R75.40 has been End of Support for 4 years now. <BR /><BR />In particular, R75.4x only supports TLS 1.0 and has a fairly old version of OpenSSH installed.<BR />It might require a hotfix to disable SSLv3, e.g. <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk102989" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk102989</A><BR />If this hotfix doesn't work as-is, you may be out-of-luck as R75.4x is end of support. <BR /><BR />I imagine you can follow whatever steps they suggest for OpenSSH, keeping in mind we use an older version.<BR />This requires a restart of the SSH daemon.<BR /><BR />But like I said, you're better off fixing this problem by upgrading to a supported release. Fri, 24 Apr 2020 15:17:17 GMT https://community.checkpoint.com/t5/General-Topics/Various-Vulnerabilities-on-secure-platform-firewall/m-p/83078#M16799 PhoneBoy 2020-04-24T15:17:17Z https://community.checkpoint.com/t5/General-Topics/Various-Vulnerabilities-on-secure-platform-firewall/m-p/83223#M16823 thank you very much for clarification Mon, 27 Apr 2020 05:43:00 GMT https://community.checkpoint.com/t5/General-Topics/Various-Vulnerabilities-on-secure-platform-firewall/m-p/83223#M16823 Jaro 2020-04-27T05:43:00Z