topic Re: SNX failing Driver validation in SASE and Remote Access

SNX failing Driver validation

NorthernNetGuy — Tue, 15 Oct 2024 18:02:17 GMT

I've found on my windows 10 22H2 clients that SNX is failing the windows driver validation checks (Secure boot + Driver Signature Enforcement).

checking the setupapi.dev.log file shows the following errors:

Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Driver package failed signature verification. Error = 0xE0000247

Failed to import driver package into Driver Store. Error = 0xE0000247

When i Check out the SNX security catalog file, it shows that it is not valid, being signed by an old microsoft CA that expired in 2021.

I've attached screenshot of the certs and catalog.

TAC + R&D has indicated that the driver being signed by an expired CA is fine, and that this is likely an issue with a custom CRL on my clients, but I've never applied a custom CRL.

I'm wondering if anyone else has seen this isue on win10 22H2 and later versions of windows. The proposed workaround of disabling secure boot + validation checks will be rejected by the business.

Re: SNX failing Driver validation

PhoneBoy — Tue, 15 Oct 2024 19:23:32 GMT

What version of snx is installed?
What gateway version/JHF is relevant here?

Re: SNX failing Driver validation

NorthernNetGuy — Tue, 15 Oct 2024 19:34:28 GMT

R81.20, JHF 84

SNX version 7.01.0000

Mobile Access Portal Agent 800.007.049

Re: SNX failing Driver validation

PhoneBoy — Tue, 15 Oct 2024 20:42:08 GMT

The SNX version should be a build like 800008302, which you can get with snx -h on the CLI.
The latest appears to be 80008409, which should be applied with the latest R81.20 JHF.

Assuming you're on the most recent release, you're saying it is signed with an old certificate?
Can you send me the relevant SR in a PM?

Re: SNX failing Driver validation

NorthernNetGuy — Wed, 16 Oct 2024 12:30:43 GMT

the SNX I put above was the 'SLL Network Extender Service' version that gets installed alongside the Mobile Access Portal Agent (actual snx).

SNX build using 'snx -h' is showing 997000069.

https://sc1.checkpoint.com/documents/SSL_Network_Extender_AdminGuide/Content/Topics-SNX-Admin-Guide/SNX-Versions-and-Requirements.htm

this article confirms the latest version for my release is 80008409, and when I do "cat $CVPNDIR/htdocs/SNX/CSHELL/snx_ver.txt" it shows 800008409.

You can also see the old cert signature in the pictures I attached in my original post.

if the windows agent version # is supposed to match, then maybe when my clients are dowloading SNX they are getting an older version.

DM'ing you the SR as well

*edit*
according to https://support.checkpoint.com/results/sk/sk168353 the windows agent version is the latest.

Re: SNX failing Driver validation

MaksimBahunou — Thu, 17 Oct 2024 08:46:48 GMT

Hi @NorthernNetGuy

Could you please check SNX version that is installed on Windows?

It can be found in "c:\Program Files (x86)\CheckPoint\SSL Network Extender\ver.ini" file.

Re: SNX failing Driver validation

NorthernNetGuy — Thu, 17 Oct 2024 12:31:40 GMT

800008409

Can anyone confirm what certificate and root CA are signing the SSL extender for them? the security catalog and signer can be found at: C:\Program Files (x86)\CheckPoint\SSL Network Extender\netvna.cat

Click 'View Signature", then click 'View Certificate"

Re: SNX failing Driver validation

MaksimBahunou — Thu, 17 Oct 2024 13:01:41 GMT

Here are from my PC:

Re: SNX failing Driver validation

NorthernNetGuy — Thu, 17 Oct 2024 13:14:24 GMT

Do you have Secure Boot with driver signature enforcement enabled? Windows should reject SNX if you do based on that.

You can check if Secure boot is enabled in MSINFO under "Secure Boot State"
if off, then driver signature enforcement will also be off.

If Secure Boot State is On, then in an elevated command prompt, run 'bcdedit' and look for "nointegritychecks", if it shows "yes", then driver signature enforcement is off

Re: SNX failing Driver validation

MaksimBahunou — Thu, 17 Oct 2024 13:54:03 GMT

Secure Boot is definitely "on".

As for the "nointegritychecks". By default, I don't see its value. When I tried to alter it, I got "The value is protected by Secure Boot policy and cannot be modified or deleted." So, I disabled Secure Boot, explicitly set "nointegritychecks" to "off" and enabled Secure Boot back.

No issues with certificate.

Re: SNX failing Driver validation

NorthernNetGuy — Thu, 17 Oct 2024 13:57:51 GMT

The value won't show if off for nointetegritychecks, it is off by default for security. can you also confirm if you are on windows 10 22h2?

It should be normal for windows to reject a driver signature that comes from an expired CA I think, I don't know why my different windows test clients would be a rare exception in rejecting this instead of allowing it.

Re: SNX failing Driver validation

MaksimBahunou — Fri, 18 Oct 2024 05:56:41 GMT

I check on Win10 22H2 19045.4849

I noticed one interesting thing. The root certificate (Microsoft Root Certificate Authority) has validity period from 10 May 2001 till 10 May 2021.

While on your screenshot it is 9 May 2001 - 9 May 2021.

In my case certificate serial number is 79ad16a14aa0a5ad4c7358f407132e65. Please check with your one.