This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
S_E_
Advisor
‎2025-10-08 04:21 AM
Jump to solution

CVE-2025-32728 - permanent solution?

Hi,

just stumbled over this statement in https://support.checkpoint.com/results/sk/sk183394  :

Installation of any Jumbo Hotfix Accumulator Take or upgrade to a higher version will restore the default Gaia OS configuration (will implicitly enable the parameter "AllowAgentForwarding" again).

Therefore, you must perform this procedure again.

 

 

Since this a requires a lot of effort if you have a huge CP install base.

Will this somehow make it into a clish config parameter and survives upgrades?

Thanks

Regards

 

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-10-08 09:44 AM
In response to PhoneBoy
Jump to solution

Looks like we plan to release a fix integrated into the jumbo for this: PMTR-117744
It isn’t in the jumbo hotfix yet.

View solution in original post

6 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-10-08 04:55 AM
Jump to solution

Excellent point there @S_E_ 

I just checked my cluster and single gw lab and all of them show below. Cluster is R81.20 and cp-gw is R82 (all latest jumbo)

Andy

[Expert@CP-GW:0]# sshd -T -C addr=localhost | grep -i "AllowAgentForwarding"
allowagentforwarding yes
[Expert@CP-GW:0]#

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2025-10-08 06:20 AM
Jump to solution

While providing clish for said parameter is an RFE, I’m curious why we don’t fix the default sshd_config here, which seems simple enough.
Let me ask. 

0 Kudos
PhoneBoy
Admin
Admin
‎2025-10-08 09:44 AM
In response to PhoneBoy
Jump to solution

Looks like we plan to release a fix integrated into the jumbo for this: PMTR-117744
It isn’t in the jumbo hotfix yet.

Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-10-08 10:14 AM
In response to PhoneBoy
Jump to solution

Yep. My company's vulnerability management team has been flagging this issue and wasting a lot of time having us "fix" it one cluster at a time only for it to be undone in our next round of jumbos. We pushed for CFG to put it in a jumbo directly.

I still can't believe how much time we wasted on CVE-2023-48795 ("Terrapin"), which isn't even a vulnerability in the first place.

the_rock
MVP Platinum
MVP Platinum
‎2025-10-08 10:20 AM
In response to PhoneBoy
Jump to solution

Good news!

Best,
Andy
S_E_
Advisor
‎2025-10-08 10:40 PM
In response to PhoneBoy
Jump to solution

Sounds good. Thanks. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events