topic Re: Assistance Required: Coverage for 453 CVEs on Check Point Firewall in General Topics

Assistance Required: Coverage for 453 CVEs on Check Point Firewall

Chinmaya_Naik — Fri, 14 Jun 2024 07:17:30 GMT

Hi Community Team,

Check Point firewall for one of the customers, which is used for OT security to analyze traffic and protect the network. Recently, the VAPT (Vulnerability Assessment and Penetration Testing) team provided a list of 453 CVEs, requesting confirmation on whether the patches are available for these vulnerabilities.

Upon reviewing the Check Point SmartConsole GUI, I found that only 13 out of the 453 CVEs are explicitly listed. Our IPS, Anti-Bot, and Anti-Virus databases are up-to-date, as confirmed by our recent checks.

Given the importance of ensuring comprehensive protection for our customer's network, I need some assistance and clarification from the community:

Coverage of Remaining CVEs: Are the remaining 441 CVEs implicitly covered by generic protections, Anti-Bot, Anti-Virus, or other mechanisms within the Check Point firewall? If yes, how can I verify this coverage?
Mitigation Steps: If specific patches or protections are not available for some CVEs, what steps can we take to mitigate these vulnerabilities effectively?
Documentation and Details: Can anyone provide additional details or documentation on how these CVEs are addressed by Check Point?

I have verified that all threat prevention components (IPS, Anti-Bot, Anti-Virus) are up-to-date. Attached is the list of 453 CVEs for reference.(I Bold the line which is displayed in the smartconsole)

Any guidance or assistance from the community would be greatly appreciated, as this is critical to maintaining a secure environment for our customer.

Regards

@Chinmaya_Naik

Re: Assistance Required: Coverage for 453 CVEs on Check Point Firewall

PhoneBoy — Fri, 14 Jun 2024 22:38:06 GMT

IPS signatures are only relevant when the communication necessary to exploit it occurs over an IP network.
That would eliminate a few of these.

I expect we'll probably be able to mitigate these with a combination with the Optimized profile and possibly HTTPS Inspection.
The best way to confirm would be through empirical testing and/or by engaging with your local Check Point office.

Re: Assistance Required: Coverage for 453 CVEs on Check Point Firewall

Chinmaya_Naik — Tue, 18 Jun 2024 05:31:30 GMT

Hi @PhoneBoy Sir,

Thank you for your response regarding the relevance of IPS signatures for specific CVEs. To proceed further, we need clarification on the availability of the list of CVEs we provided in the Check Point database.

Our primary concern is to validate if the 400+ CVEs listed, which are published by the National Vulnerability Database (NVD), are covered by Check Point's IPS protections or if corresponding patches are available in the Check Point database.

We have noted your points on IPS signatures being relevant only for vulnerabilities that can be exploited over an IP network, and we understand that this might exclude some CVEs from requiring IPS protection. However, our goal is to ensure comprehensive protection by verifying the following:

Coverage in Check Point Database: Could you please confirm whether the 400+ CVEs we submitted are included in the Check Point IPS protections or if patches for these vulnerabilities are available in the Check Point database?
Detailed Information on Exclusions: For CVEs that are excluded from IPS protection due to the nature of their exploitation not involving IP network communication, could you provide a detailed list of these CVEs? This will help us understand which vulnerabilities we need to address separately.
Current Configurations: We are already using the optimized profile along with application and URL filtering. However, we have not implemented HTTPS inspection. Could you provide specific guidance on whether enabling HTTPS inspection is necessary for mitigating the CVEs in question?

Regards
@Chinmaya_Naik

Re: Assistance Required: Coverage for 453 CVEs on Check Point Firewall

PhoneBoy — Tue, 18 Jun 2024 15:09:29 GMT

Please consult with your local Check Point office for assistance in answering these questions.

In general, IPS will work better with HTTPS Inspection enabled.
However, if the customer environment doesn't use HTTPS at all, it's not relevant.
A related question: is the customer even using the applications specified in these CVEs?
If not, why is a protection a CVE for something not even in use relevant?

Re: Assistance Required: Coverage for 453 CVEs on Check Point Firewall

the_rock — Tue, 18 Jun 2024 16:09:53 GMT

Me, personally, if customer had a question like this, I would open TAC case to get an official response

Just my opinion.

Andy

Re: Assistance Required: Coverage for 453 CVEs on Check Point Firewall

Lesley — Tue, 18 Jun 2024 19:00:07 GMT

I have checked the CVE list and all of them are from 2023 or older. So I am wondering how relevant are they still. Some could be still relevant but it is not the nature of the IPS product. IPS protections are made to make a vulnerable system more secure. At some point you have to fix this security issue on the system itself and not forever count on the firewall to do this job. Either the vendor of product has to solve the issue or you have to move on with different product / version etc.

Second what I notice is that there are many 'Siemens' related CVE's, so this question should be asked and checked with Siemens. You have to let the vendor know what products you are using and what software and if this CVE is still relevant. Then you know you do not need the IPS protections at all. If the products you run are still supported and updated then most of the times all the old CVE's are already solved.

Also what PhoneBoy said, if you do not run HTTPS inspection (both ways! in and outbound) you have little chance to prevent or detect with IPS if it is encrypted.