Hi Community Team,
Check Point firewall for one of the customers, which is used for OT security to analyze traffic and protect the network. Recently, the VAPT (Vulnerability Assessment and Penetration Testing) team provided a list of 453 CVEs, requesting confirmation on whether the patches are available for these vulnerabilities.
Upon reviewing the Check Point SmartConsole GUI, I found that only 13 out of the 453 CVEs are explicitly listed. Our IPS, Anti-Bot, and Anti-Virus databases are up-to-date, as confirmed by our recent checks.
Given the importance of ensuring comprehensive protection for our customer's network, I need some assistance and clarification from the community:
I have verified that all threat prevention components (IPS, Anti-Bot, Anti-Virus) are up-to-date. Attached is the list of 453 CVEs for reference. (I bolded the line which is displayed in the SmartConsole.)
Any guidance or assistance from the community would be greatly appreciated, as this is critical to maintaining a secure environment for our customer.
Regards
IPS signatures are only relevant when the communication necessary to exploit it occurs over an IP network.
That would eliminate a few of these.
I expect we'll probably be able to mitigate these with a combination of the Optimized profile and possibly HTTPS Inspection.
The best way to confirm would be through empirical testing and/or by engaging with your local Check Point office.
Hi @PhoneBoy Sir,
Thank you for your response regarding the relevance of IPS signatures for specific CVEs. To proceed further, we need clarification on the availability of the list of CVEs we provided in the Check Point database.
Our primary concern is to validate if the 400+ CVEs listed, which are published by the National Vulnerability Database (NVD), are covered by Check Point's IPS protections or if corresponding patches are available in the Check Point database.
We have noted your points on IPS signatures being relevant only for vulnerabilities that can be exploited over an IP network, and we understand that this might exclude some CVEs from requiring IPS protection. However, our goal is to ensure comprehensive protection by verifying the following:
Coverage in Check Point Database: Could you please confirm whether the 400+ CVEs we submitted are included in the Check Point IPS protections or if patches for these vulnerabilities are available in the Check Point database?
Detailed Information on Exclusions: For CVEs that are excluded from IPS protection due to the nature of their exploitation not involving IP network communication, could you provide a detailed list of these CVEs? This will help us understand which vulnerabilities we need to address separately.
Current Configurations: We are already using the optimized profile along with application and URL filtering. However, we have not implemented HTTPS inspection. Could you provide specific guidance on whether enabling HTTPS inspection is necessary for mitigating the CVEs in question?
Regards
@Chinmaya_Naik
Please consult with your local Check Point office for assistance in answering these questions.
In general, IPS will work better with HTTPS Inspection enabled.
However, if the customer environment doesn't use HTTPS at all, it's not relevant.
A related question: is the customer even using the applications specified in these CVEs?
If not, why is a protection for a CVE for something not even in use relevant?
Me, personally, if a customer had a question like this, I would open a TAC case to get an official response.
Just my opinion.
Andy
I have checked the CVE list and all of them are from 2023 or older. So I am wondering how relevant they still are. Some could still be relevant, but it is not the nature of the IPS product. IPS protections are made to make a vulnerable system more secure. At some point you have to fix this security issue on the system itself and not forever count on the firewall to do this job. Either the vendor of the product has to solve the issue or you have to move on with a different product / version etc.
Second, what I notice is that there are many 'Siemens' related CVEs, so this question should be asked and checked with Siemens. You have to let the vendor know what products you are using and what software, and ask if this CVE is still relevant. Then you know you do not need the IPS protections at all. If the products you run are still supported and updated, then most of the time all the old CVEs are already solved.
Also what PhoneBoy said, if you do not run HTTPS inspection (both ways! in and outbound) you have little chance to prevent or detect with IPS if it is encrypted.
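One way to triage a long CVE list along the lines raised in this thread (IPS only applies when exploitation happens over the network; everything else has to be fixed on the asset or with its vendor). This is an added example, not part of any post and not Check Point code. It assumes the CVSS attack vector from each NVD record is a usable proxy for "exploitable over an IP network"; the CVE ids, vectors and the set of IPS-listed CVEs are constructed placeholders.

```python
import re

# Constructed sample: (CVE id, CVSS vector) pairs; the ids are placeholders.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-0000-0002", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    ("cve-0000-0003 ", "AV:N/AC:M/Au:N/C:P/I:P/A:P"),  # CVSS v2 style vector
    ("CVE-0000-0004", "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    ("CVE-0000-0005", "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    ("CVE-0000-0006", ""),  # no vector published
]
# Constructed sample: CVE ids found attached to IPS protections.
SAMPLE_IPS_CVES = {"CVE-0000-0001"}


def attack_vector(vector):
    """Return the AV metric (N, A, L or P) of a CVSS v2/v3 vector, else None."""
    match = re.search(r"(?:^|/)AV:([NALP])(?:/|$)", vector or "")
    return match.group(1) if match else None


def triage(cves, ips_cves):
    """Sort CVE ids into buckets that each imply a different follow-up."""
    buckets = {
        "ips_listed": [],        # an IPS protection references the CVE
        "network_unlisted": [],  # AV:N, none found: raise with vendor / TAC
        "adjacent_review": [],   # AV:A: matters only if traffic crosses the gateway
        "not_network": [],       # AV:L or AV:P: fix on the asset itself
        "unknown": [],           # no usable vector: review by hand
    }
    by_av = {"N": "network_unlisted", "A": "adjacent_review",
             "L": "not_network", "P": "not_network"}
    listed = {c.strip().upper() for c in ips_cves}
    for cve_id, vector in cves:
        cve_id = cve_id.strip().upper()  # tolerate copy/paste noise in ids
        if cve_id in listed:
            buckets["ips_listed"].append(cve_id)
        else:
            buckets[by_av.get(attack_vector(vector), "unknown")].append(cve_id)
    return buckets


if __name__ == "__main__":
    for name, ids in triage(SAMPLE_CVES, SAMPLE_IPS_CVES).items():
        print(f"{name:17} {len(ids):3}  {', '.join(ids)}")
```

Only the network_unlisted bucket is a question about IPS coverage; the not_network bucket is the patching conversation with the product vendor.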