topic Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH? in General Topics

Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Kim_Moberg — Mon, 01 Jul 2024 12:15:30 GMT

Hi

Is Check Point Gaia vulnerable towards this new CVE-2024-6387 in OpenSSH?

Any plans to mitigate this CVE?

Reference

New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems (thehackernews.com)

qualys.com/2024/07/01/cve-2024-6387/regresshion.txt?ref=upstract.com

Thanks

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Bob_Zimmerman — Mon, 01 Jul 2024 13:34:49 GMT

R81.20 jumbo 65 ships with OpenSSH_7.8p1, which is before the regression was introduced in 8.5p1. I haven't checked an R82 system yet.

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

PhoneBoy — Mon, 01 Jul 2024 13:57:40 GMT

The R82 EA also ships with the same OpenSSH version as R81.20 (7.8p1).
Even where we shipped an older version of OpenSSH that was subject to CVE-2006-5051 (the original bug that regressed as CVE-2024-6387), we included the fix for this: https://support.checkpoint.com/results/sk/sk61744

Will have to double check Gaia Embedded.

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Bob_Zimmerman — Mon, 01 Jul 2024 14:13:52 GMT

That brings up an interesting question. Does Gaia Embedded use glibc or musl? The vulnerability only applies to OpenSSH versions 8.5p1 and up linked against glibc, and that's not especially common in embedded systems.

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

PhoneBoy — Mon, 01 Jul 2024 19:30:56 GMT

Offhand, I don't know if we use glibc or musl.
Prior to R80.20.60, we were using Dropbear, so this should not impact older SMB appliances.
As of R81.10.10, we use OpenSSH 8.5p1.

In any case, I've raised the issue with the SMB team and will report back.

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

spottex — Mon, 01 Jul 2024 23:52:08 GMT

Will wait for your next reply.

While i'm waitng I found some commands to poke around:

ldd -r -v /bin/ssh : shows gblic libraries
rpm -q --changelog $(rpm -qa | grep openssh) | grep CVE-2006-5051 : shows CVE-2006-5051 is still included in change logs

https://support.checkpoint.com/results/sk/sk65269

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Kim_Moberg — Tue, 02 Jul 2024 12:55:02 GMT

Also interested in hearing about R81.10 Take 130 and above.

Maybe as @spottex mention I can check our installation specified in the SK65269 - https://support.checkpoint.com/results/sk/sk65269

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Bob_Zimmerman — Tue, 02 Jul 2024 13:07:04 GMT

My oldest firewall still currently running is R80.40 jumbo 139. My newest is R81.20 jumbo 65. Both have OpenSSH 7.8p1, so I'd say it's reasonable to assume all the versions between them do, too.

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

a574591 — Wed, 03 Jul 2024 07:08:02 GMT

Will this CVE be included in the sk65269?

Status of OpenSSH CVEs (checkpoint.com)

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

genisis__ — Wed, 03 Jul 2024 07:21:10 GMT

I've noted in R81 with JHFA44 this also has OpenSSH_7.8p1.

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Chris_Atkinson — Wed, 03 Jul 2024 12:03:05 GMT

Yes that is a logical expectation I would say and has since been actioned.

Moreover regarding general mitigations, IPS protection "Multiple SSH Initial Connection Requests" appears to have been updated.

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Johan_T — Wed, 03 Jul 2024 10:22:46 GMT

Hi, I see this new sk182459 CVE-2024-6387 - OpenSSH Library RCE, Sparc is not mentioned here yet. https://support.checkpoint.com/results/sk/sk182459

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

PhoneBoy — Wed, 03 Jul 2024 17:33:57 GMT

The SK is marked as internal now.
However, it largely says what's been discussed here.
A fix is planned for the relevant Quantum Spark appliances, though it is not quite as urgent since it requires some effort to exploit.
sshd is also not exposed to the Internet by default.

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Amir_Ayalon — Sun, 14 Jul 2024 17:31:10 GMT

For Spark , R81.10.10 is released.

https://support.checkpoint.com/results/sk/sk182459

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Greifenstein — Mon, 15 Jul 2024 09:13:16 GMT

Hi,

under "Administrator Access", https and ssh is defined as "access for administrators"

For my understanding: if the gateway can be accessed by "Internet" and is secured by "specified IP addresses", is the gateway still vulnerable, if the configured IP-addresses are trusted?

Screenshot of the configuration of administrator access

From the logs it doesn't seem so, because all accesses from other IPs than defined, are dropped with "WebUI/SSH access attempt from unallowed source".

Yes I understand, that updating is the better way, but I updated all customers Sparks just one week ago with the latest update. 😉

Thanks in advance
Christian

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

genisis__ — Mon, 15 Jul 2024 10:04:04 GMT

I've noted on the CP site R81.10.10 (build996002945) is the latest release however there is a new build which contains the fix "build 996002948", but under the same version release.
I've ping my suggest to CP ie. release this new 'fixed' version under R81.10.11.

For reference new build can also be found:
https://support.checkpoint.com/results/sk/sk182459

Even though it still references version R81.10.10

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Greifenstein — Tue, 16 Jul 2024 06:22:18 GMT

This is the reason, why I doesn't show up, when looking for a Firmware Upgrade:

Screenshot of Firmware Upgrade Part

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

genisis__ — Tue, 16 Jul 2024 08:09:51 GMT

This is what I believe as well, hence I've reported my observations to Checkpoint. If the version was R81.10.11 as an example this would be picked up when you do a 'Check now'.

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

Juergen_Blumens — Thu, 18 Jul 2024 07:37:56 GMT

Hi,

and it was removed yesterday.

Removed the firmware images to improve them.
The improved firmware images will be added soon.

We have installed this build 996002948 on about 80% of our 1550 Firewalls and have now stopped the rollout.

How should we proceed? Is this build unstable or critically flawed? Is a revert to build 996002945 recommended? Does the expected improved build need to be rolled out again?

Re: Is Check Point Gaia vulnerable towards this new cve-2024-6387 in OpenSSH?

r1der — Mon, 22 Jul 2024 23:41:05 GMT

Hi @Amir_Ayalon, I'm a bit confused if I need to do anything for this. Would you recommend I reach out to Support?
We're running R81.10 (Take 150) on 6000 appliance. I noticed the SK182459 doesn't list that appliance/platform # on the SK. OpenSSH seems to be on version 7.8p1. I assume we're affected, but since my platform isn't on that SK, I'm don't want to risk trying the packages on that SK.

Thank you!