Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
_Val_
Admin
Admin

IMPORTANT: Client VPN/Endpoint versions E81.10 or earlier – MUST UPDATE before January 1st 2021

Jump to solution

On August 2019 we released version E81.20 addressing usage limitation of older versions of Check Point’s Endpoint, VPN and SandBlast agent (sk158912). These older, out of support versions – Endpoint/VPN E80.81 to E81.10 (Windows only) and SandBlast agent E80.61 to E81.10 (Windows only) – WILL CEASE TO OPERATE on January 1st 2021. 

Unfortunately, we see that some customers haven’t updated these old versions. Their update will become more difficult to facilitate after January 1st. 

Therefore, we urge to all customers reminding them that users of versions E81.10 and before are required to update their versions by January 1st 2021 in order to make sure their systems remain operational.

We offer our customers two options to address this request. Upgrade to a newer version (Recommended) or apply a simple fix to the old version. Look into sk171213 for the details.

Either way, customers should make sure to carry upgrades to supported versions (E83 or later versions) at a later time to ensure they receive the best security.

Our TAC services are available to support any customer needs regarding this request. More information can be found on this web page.

Please find some FAQ below:

FAQs

  • Q: Why are we approaching all customers now?
    On August 2019 we released version E81.20 addressing usage limitation of older versions of Check Point’s Endpoint, VPN and SandBlast agent (sk158912). These older, out of support versions will cease to operate on January 1st 2021. We are approaching all customers as we saw that many of them haven’t updated these old versions, and their update will become more difficult to facilitate after January 1st. So, we need to make sure they do so this week – before January 1st – to ensure a smooth and easy to facilitate transition to newer versions.

  • Q: What is the technical problem?
    The issue happens due to the internal certificate used by VPN/Endpoint services. One of the certificates expires on January 1st 2021, therefore all services that use this certificate will stop working on January 1st 2021. The fix is within the driver library: epklib. The library fixes an issue with regards to the certificate’s expiration validation (current date and not the signing date).

  • Q: Which versions are affected, and which are not?
    A: For the full list of affected clients, please refer to sk171213.

  • Q: Is this a security update? Is there a vulnerability in the software?
    A: No. This is a functional update to ensure VPN and blade connectivity and functionality. There are no known security vulnerabilities.

  • Q: Is this a pressing matter?
    A: Yes! Customers need to act before Jan-1st 2021. After this date they may experience client malfunctions For Stand Alone VPN with Firewall – the Firewall and the VPN may stop working. For Endpoint client - Firewall, Forensics, Threat Emulation, Anti-Bot and in some cases also the VPN may stop working.
  • Q: Are customers notified?
    Impacted versions are already out-of-support. See Check Point Support Life Cycle Policy.

  • Q: What is the suggested course of action?
    Please follow sk171213 for the full details on all the actions.
    • A. Upgrade to a newer version (E81.20 or later versions). We recommend using version E84.0 Download link, or
    • B. Apply a quick and temporary fix that takes a minute to install (Download from sk171213).

Either way, you should make sure to carry upgrades to supported versions (E83 or later versions) at a later time to ensure you receive the best security.

  • Q: Who should I approach for additional information?
    The Check Point TAC should be consulted. 

  • Q: What indications customers will encounter facing this problem?
    1. Inability to connect using remote access VPN. Error message while connecting "Connectivity with the Check Point Endpoint Security service is lost".
    2. “Blade not running” indicated in Endpoint/VPN client Display Overview.

 

60 Replies
PhoneBoy
Admin
Admin

The bug is specifically in the driver epklib and prevents VPN from working.
This driver is not present in a VPN only configuration (e.g. Check Point Mobile and SecuRemote).

0 Kudos
Reply
James_A
Participant

In clear words. It is a disaster what has happened here! We have to upgrade 1600 users.

Thanks to Check Point for the work over the new year holiday:-(

0 Kudos
Reply
_Val_
Admin
Admin

In short, all clients below E81.20 are affected. Please refer to SK171213 for the full list. Mind, we are updating this SecureKnowledge article now, to provide the most comprehensive information, action plans for detection, remediation and further steps.


0 Kudos
Reply
Steffen
Contributor

Info yesterday - versions below E80.80 NOT affected - today they are affected??

0 Kudos
Reply
_Val_
Admin
Admin

Okay, I think I know where it is coming from. Please refer to the SK 171213 for the list of affected clients.

0 Kudos
Reply
Steffen
Contributor

sk171213:

What products and versions are NOT affected?

    a. Standalone VPN:
        I.    Endpoint Security VPN from versions E81.20 and above
0 Kudos
Reply
_Val_
Admin
Admin

There are multiple flavours and versions of the VPN clients, and it may be confusing. There are two answers: short and long, to your concerns.

Short one - if you are on the latest or supported client version, you are fine.

Long one - refer to the list of affected versions posted in the comments above, or to SK171213. Mind we are updating that SK with the latest information now.

0 Kudos
Reply
Dorit_Dor
Employee
Employee

Look at the whole text 

IIII. Endpoint Security VPN from versions E80.80 and below (no longer supported)

So specifically ALL stand alone are not impacted if <= E80.80 and if >= E81.20 but in between there are differences between what exact client of VPN stand alone you use. I gave you a detailed answer - it is not changed. We are updating the SK because some people ask for clarifications so we gave more updated granular answer 

MarcoPisano
Employee
Employee

sk102150 - Endpoint Security Client Versions and Build numbers

Standalone Endpoint Security VPN 

80.81 - 986005615 | 98.60.5615
80.82 - 986006012 | 98.60.6012
80.83 - 986007010 | 98.60.7010
80.84 - 986008010 | 98.60.8010
80.85 - 986008506 | 98.60.8506
80.86 - 986009016 | 98.60.9016
80.87 - 986009514 | 98.60.9514
80.88 - 986100001 | 98.61.1
80.89 - 98610058 | 98.61.58
80.90 - 986100112 | 98.61.112
80.92 - 986100175 | 98.61.175
80.96 - 986100303 | 98.61.303
81.00 - 986100516 | 98.61.516
81.10 - 986100611 | 98.61.611

SamiH
Contributor

I am wondering why the build number/version number don't match the client version as shown in your list? It makes life just harder for admins using automatic software distribution to spot version correctly. My suggestion is to use version number from the last column OR the first version number + build as a third number, not all 3.

0 Kudos
Reply

You allow veeery old security software to connect to your corporate network. Shame on you! 😋

Steffen
Contributor

......nice idea - so any  suggestion where to configure that only specific client versions are allowed to connect?

JozkoMrkvicka
Leader
Leader

I second this question.

Maybe this will need dedicated thread to be opened (maybe also RFE).

Kind regards,
Jozko Mrkvicka
0 Kudos
Reply
PaddyCP
Participant

Hello... just reading the SK again this morning and one thing I see now is this:

"These out of support versions will cease to operate on January 1st, 2021. Starting that date, after a reboot of the computer, Remote Access VPN and Endpoint Security Client versions E81.10 (inclusive) and lower may stop functioning, and the upgrade will fail"

Is this confirm that from 1st Jan an upgrade will fail on affected clients - i.e. only option is to first patch and then upgrade?

Thanks

0 Kudos
Reply
Dorit_Dor
Employee
Employee

If the client has self protection (runs FW for example) then yes, the client update elements and other parts will not work after 1/1 first boot...  so they will also fail to upgrade. In this case you will need to apply the patch and then the newer version 

BEFORE 1/1 or before the first boot, everything is still running and you can choose between patch and newer version 

0 Kudos
Reply
luthfi_rahman
Explorer

still no chance to install the patch without using admin rights?

I'm experimenting using PSEXEC tools, and SFX rar archived
it will use administrator password in the command, and autodelete the SFX files after running.

this is the only solution I found. any other idea?

0 Kudos
Reply
luthfi_rahman
Explorer

how about PSEXEC tools?

could we create SFX archive, and using a.bat files

The comment below contains SFX script commands

Path=C:\Users\Public
Setup=cmd.exe /c del "%sfxname%" & timeout 1 & del a.bat 
Setup=a.bat
Silent=1
Overwrite=1

to make this SFX auto-delete,

and the content of a.bat is

@echo off
"C:\Users\Public\PsExec.exe" -accepteula -nobanner -u ADMUSER -p PASSWORD msiexec.exe /i "C:\Users\Public\EPPatch.msi"

PSEXEC is using local admin user and password

 

any other idea?

0 Kudos
Reply
Dorit_Dor
Employee
Employee

The problem of non-admin patch post 1/1/21, was area of focus since we identified the issue. The positive update is that we believe we will have updated patch that will be install-able even by non admins for versions E80.20 till E81.10 (the oldest E80.10 is a bit different). 
How? We are using the code that we already have installed on the pc (even though not all is working, we try to leverage the part that does work). 

if all goes well, we will have it tomorrow

Dorit 

luthfi_rahman
Explorer

the patch file CpEPVPN_Fix2021.exe

is working wonderfully

 for users without Windows administrator privileges, Limited to Windows 10 that runs one of these versions: E81.10, E80.96, E80.94, E80.92, E80.90

 

Many Thanks

0 Kudos
Reply

We wrote a small program that is essentially using CreateProcessWithLogonW function to install patch. It is using hash algorithm to check it is indeed that binary it is running and local admin password is decrypted in memory before function is invoked .  

0 Kudos
Reply
PhoneBoy
Admin
Admin

A few updates per the latest solutions published:

  1. Simple UI application for end-users with ‘Admin’ privileges
    1. We wrote a simple UI application to help users to run the fix locally by themselves
    2. For VPN standalone users – just double click on the application .exe
    3. For Endpoint Security / Sandblast Agent users – the admin should mail the user the ‘uninstall’ password, then the user can run the application
    4. This tool is published under https://www.checkpoint.com/fix/ and is referenced from sk171213
  2. Solution for VPN Standalone users without ‘Admin’ privileges
    1. The solution uses the admin password cached on the end-user machine in order to run the patch with admin privileges
    2. The SK contains an application assisting the administrator to create an .msi file
    3. The file can then be sent to all users to fix the problem
    4. Note – this is for VPN Standalone only and not for Endpoint Security / Sandblast Agent – we are working on extending the solution for this as well
    5. See sk171341 for all details, and referenced from sk171213

Please also refer to sk171213, which is receiving continual updates regarding this issue.

PhoneBoy
Admin
Admin

We now have a simple UI application for end users without admin rights that runs on Endpoint Security versions that will apply the necessary patch.
This is in addition to the previous simple UI application for users with admin rights. 
This tool is published under https://www.checkpoint.com/fix/ and referenced from sk171213.

For users without admin rights, we also have updated the tool that leverages the admin password cached on the end-user machine.
This version of the tool will work for standalone VPN and Endpoint Security.
See sk171341 for all details, and it's referenced from sk171213.

We also now have a VPN recovery tool that uses the Capsule VPN plugin for Windows 10 to initiate a VPN connection to the relevant Security Gateway, using the existing Endpoint Security configuration.
This will allow the client to be patched using existing mass deployment tools.
See sk171341 for all details, and it's referenced from sk171213.

View solution in original post

HeikoAnkenbrand
Champion
Champion

I have created an oneliner. It displays all  Endpoint Security VPN versions and users that can be found in the current firewall log. This should find all the old endpoint clients that are currently trying to log on to the firewall. To find all E8x.xx clients with the 01.01.2021 bug.

Endpoint Versions - ONELINER 

_Val_
Admin
Admin

Just to make sure, @HeikoAnkenbrand, moved to ToolBox where it belongs. URL is still the same 🙂

Nelson_Custodio
Explorer

Can you elaborate on this command?  I ran it and only one user came up running 80.96.  Is that to say that user hasn't been patched yet?  We are trying to determine what users are there are left unpatch.  

You also mentioned playing with variables 7 and 9.  I'm not sure I undertand.  What exactly what to do there. 

0 Kudos
Reply
HeikoAnkenbrand
Champion
Champion

Depending on the management server version, the client version is not at position 7 in the log and the user name not at possision 9.  In this case, you must modify the variables.

0 Kudos
Reply
JozkoMrkvicka
Leader
Leader

Or you can modify the command to check next 6 characters after "client_version: "

grep -o -P '.{0,0}client_version: .{0,6}'

 EDIT: oh, also username is displayed, so not relevant in this case... but maybe can be done somehow

Kind regards,
Jozko Mrkvicka
0 Kudos
Reply
Christian_Wagen
Contributor

Interesting oneliner.

Is it possible to write this into a file with the option "> endpoint_clients.txt"?

0 Kudos
Reply
Nelson_Custodio
Explorer

Using putty I just logged to a file. 

0 Kudos
Reply