Hi John, ping me an email with the TAC SR details, I will ask, but what you have done is exactly the same as I was advised when I asked.  As our rack is being used for training, I can check, but only tomorrow, and I have 81.20 throughout.

Tom

Hi TK, it never went to TAC. We battled through and applied logic to the situation and thankfully came out on top. 

So to clarify, as soon as the second SGM1 (1original SMO) went down for reboot, services resumed normal function. Upon reboot, joining SGM2 again and taking back over SMO role at no point were there issues. 

Only whilst SGM1 and SGM2 had differing vpnd/cvpnd binaries operating.

Thanks
JT

OK, well, you are welcome to ping me an overview of what things were running, how the issue showed itself for you, and I will try to see if I can get nothing similar to happen. I can run breaking point traffic through for example if you tell me what sort of things you are expecting to be disrupted.

TK

Logically, thats what it sounds like. I would open TAC case to be sure.

Andy

just thinking about to use this commands.

On a R81.20 machine there is a sha512 in the /etc/shadow think this is the same as in the clish config.

cpopenssl passwd -6 instead of -1

can I also use sha512 on older plattforms ?

any documentation on that ?

I also see expert with only md5 but admin with sha512

You can change the password hashing algorithm via clish on gateways starting from R80.10 JHF 167:

https://support.checkpoint.com/results/sk/sk141452 

EDIT: Remove R80.40 reference since PhoneBoy confirmed R80.10+ more accurately.

You can change your default password hash type to SHA512 as well.

You can use Ansible to generate passwords and set new passwords on your hosts with the Check Point Gaia modules:

    - name: "Generate new password"
      set_fact:
        user_pwd_hash: "{{ lookup('password', inventory_hostname+'.passwd.clish.'+user_item.name+' length=18 chars=ascii_lowercase,ascii_uppercase,digits,=,-,_,+,,') |
                      password_hash(hashtype='sha512',
                                    salt=lookup('password', '/dev/null length=12 chars=ascii_lowercase,ascii_uppercase,digits'),
                                    rounds=(600000 |random(start=20000))) }}" 
      vars:
        user_item:
          name: foobar

    - debug:
        msg: "{{ user_pwd_hash }}"

    - name: Set passwords
      check_point.gaia.cp_gaia_user:
        name: "{{ user_item.name }}"
        password_hash: "{{ user_pwd_hash }}"
      no_log: true

This code generates a 12 character salt, randomly generates a SHA round value, generates a random 18-character length password and hashes it.  The resulting hash is in the variable "user_pwd_hash".  The REAL password is saved in a local file in the playbook directory, prepended with the name of the inventory host of the play, suffixed with ".passwd.clish." and trailing suffix of the username from the supplied dict.

The last task sets the Gaia user password.  If you connect with Gaia API using 'admin' user, then you cannot change the 'admin' user password.  You have to re-run your play as another Gaia API user in order to set 'admin' user password

The example provides a static "user_item" dict, but you should put this in a looped task list, provide the loop with a list of dicts.

The expert password is set with a different module:  check_point.gaia.cp_mgmt_expert_password   and provide it only the "password_hash" and value as above.

HTTPS connections (this is the information disclosure) and then followed with VPN logins from these IPs is the thing to look for, but the HTTPS connection and VPN login might not come from the same IP. Best is to look for VPN logins from any IP using local password and check if these are suspicious like explained in https://support.checkpoint.com/results/sk/sk182336.

Just noticed that the how to search for VPN logins is currently missing for the SK above. Should be back soon.

So if a customer has ONLY user + pw auth (local users OR ldap Users) I have no option to check that.

The SKs only talk about local users....but we should have the same issue if it is possible to have an pw-only auth with ldap users - right?

For local VPN users with LDAP password, the password cannot be disclosed. Basically, no.

But be aware that the LDAP AU user can theoretically be used as VPN user if the VPN Group defined include this user.

If we need to renew inbound HTTPSi certificates, I suppose it means they might have been exposed, which can be wildcards *.mycompany.com containing the full chain?

So it means an organisation needs to renew the entire public cert infrastructure.

You only need to make sure that this cert is revoked and put in the CRL.

That's what I thought, so much for the ease of use of wildcard public certs.

Indeed, if any file in the device could have been harvested, this would include the organization's ssl certificate used for the FW portal as well as the VPN certificate.

Can anyone confirm this?

If true, then we have to undertake a major certificate change on resources using those certificates.

I'd like to know more about this too BorisL. 

 @PhoneBoy @_Val_ Can someone confirm that this vulnerability if breached exposed the private keys of our certificates?  This would definitely be a major under taking if this vulnerability left our certificate private keys exposed.

Can this also be confirmed with Gaia OS passwords as well?

According to our research, upon a successful exploration, attackers can exfiltrate ANY file on the gateway. All secrets (in form of hashes) are exposed this includes AD, Radius, SecureID, BGP, etc.

It is recommended to replace all but the priority highlighted in the SK are the ones that are more easily exploited over the internet:

1. LDAP account unit access password
2. RAS VPN passwords for local accounts
3. HTTPS Inspection certificates for both inbound and outbound inspection
4. GAIA users passwords
5. Local users SSH cert
6. SSH Inspection certificate

Thank you for the info Val.  @_Val_ 

Since the one item that invovles a user/password in an object which is the LDAP account unit, what about other objects with passwords/keys such as RADIUS server objects?  Could those be affected as well?

As far as I can see, sk182336 does not mention RADIUS. However, if you need to double-check, you are welcome to ask TAC via a support ticket, to get a 100% official answer.

We make the recommendation to change RADIUS/TACACS+ Shared Secrets on SMB devices: https://support.checkpoint.com/results/sk/sk182357 
I expect the same should be done for regular gateways as well, but will confirm and get the recommendations added to sk182336 if so.

Before the patch got applied, if I see a HTTPS connection from a suspicious IP but the following search returns nothing (blade:"Mobile Access" AND action:"Log In" AND auth_method:Password). Is that a definitive we're good? 

Is there anything else I could check?

Seems you should be fine.

Please open a TAC case for this via https://help.checkpoint.com