Is Check Point Gaia vulnerable to this new CVE-2024-6387 in OpenSSH?
Hi
Is Check Point Gaia vulnerable to this new CVE-2024-6387 in OpenSSH?
Any plans to mitigate this CVE?
Reference
New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems (thehackernews.com)
qualys.com/2024/07/01/cve-2024-6387/regresshion.txt?ref=upstract.com
Thanks
Kim
Accepted Solutions
For Spark, R81.10.10 is released.

R81.20 jumbo 65 ships with OpenSSH_7.8p1, which is before the regression was introduced in 8.5p1. I haven't checked an R82 system yet.
The R82 EA also ships with the same OpenSSH version as R81.20 (7.8p1).
Even where we shipped an older version of OpenSSH that was subject to CVE-2006-5051 (the original bug that regressed as CVE-2024-6387), we included the fix for this: https://support.checkpoint.com/results/sk/sk61744
Will have to double check Gaia Embedded.
That brings up an interesting question. Does Gaia Embedded use glibc or musl? The vulnerability only applies to OpenSSH versions 8.5p1 and up linked against glibc, and that's not especially common in embedded systems.
Offhand, I don't know if we use glibc or musl.
Prior to R80.20.60, we were using Dropbear, so this should not impact older SMB appliances.
As of R81.10.10, we use OpenSSH 8.5p1.
In any case, I've raised the issue with the SMB team and will report back.
Will wait for your next reply.
While I'm waiting, I found some commands to poke around with:
ldd -r -v /bin/ssh : shows the glibc libraries
rpm -q --changelog $(rpm -qa | grep openssh) | grep CVE-2006-5051 : shows CVE-2006-5051 is still included in the changelog
https://support.checkpoint.com/results/sk/sk65269
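The version and libc checks in the post above can be turned into a small classifier. The POSIX shell script below is an added example, not code from this thread or from Check Point: it takes an `ssh -V` line or an SSH server banner and places the OpenSSH version relative to the boundaries in the Qualys advisory (original CVE-2006-5051 bug fixed in 4.4p1, regression introduced in 8.5p1, fixed in 9.8p1), which only matter for builds linked against glibc. The sample strings are constructed for the example; the `ldd` helper and the `/usr/sbin/sshd` path assume an RPM-based Gaia host and need to be run on a live system.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): classify an
# OpenSSH version string against the CVE-2024-6387 (regreSSHion) boundaries
# from the Qualys advisory. The original CVE-2006-5051 bug was fixed in
# 4.4p1; the regression was reintroduced in 8.5p1 and fixed in 9.8p1, and is
# only known to be exploitable when sshd is linked against glibc.

# Pull "MAJOR.MINOR" out of an "ssh -V" line or an SSH banner, e.g.
#   "OpenSSH_7.8p1, OpenSSL 1.0.2zi-fips ..."  ->  "7.8"
#   "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"   ->  "9.6"
# Prints nothing for non-OpenSSH strings (e.g. a Dropbear banner).
openssh_major_minor() {
    case "$1" in
        *OpenSSH_*) ;;
        *) return 0 ;;
    esac
    printf '%s\n' "$1" \
        | sed 's/.*OpenSSH_//; s/[^0-9.p].*//; s/p[0-9]*$//'
}

# Print one classification word for a version string:
#   unknown                  not an OpenSSH version string
#   legacy-check-2006-5051   < 4.4p1: original bug, unless the vendor backported the fix
#   pre-regression           4.4p1 .. 8.4p1: not affected (Gaia's 7.8p1 lands here)
#   affected-unless-patched  8.5p1 .. 9.7p1: regressed range; a distro backport or a
#                            musl-linked build changes the answer, so check further
#   fixed                    >= 9.8p1
classify_openssh() {
    mm=$(openssh_major_minor "$1")
    if [ -z "$mm" ]; then
        echo unknown
        return 0
    fi
    major=${mm%%.*}
    minor=${mm#*.}
    n=$((major * 100 + minor))        # 7.8 -> 708, 9.6 -> 906
    if   [ "$n" -lt 404 ]; then echo legacy-check-2006-5051
    elif [ "$n" -lt 805 ]; then echo pre-regression
    elif [ "$n" -lt 908 ]; then echo affected-unless-patched
    else                        echo fixed
    fi
}

# Live checks for a host you are logged into (not exercised by the samples below):
# which libc the sshd binary is linked against, and the installed OpenSSH version.
# The sshd path is the usual one for an RPM-based Gaia system (assumption; verify locally).
sshd_libc() {
    bin=${1:-/usr/sbin/sshd}
    ldd "$bin" 2>/dev/null | grep -E 'libc\.so|musl' || echo "no libc line found for $bin"
}

live_classify() {
    classify_openssh "$(ssh -V 2>&1)"
}

# Constructed sample inputs (not captured from real hosts); run with --demo to print them.
if [ "${1:-}" = "--demo" ]; then
    for v in "OpenSSH_7.8p1, OpenSSL 1.0.2zi-fips" \
             "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13" \
             "OpenSSH_8.5p1" "OpenSSH_9.8p1" "OpenSSH_4.3p2" "SSH-2.0-dropbear_2019.78"; do
        printf '%-45s %s\n' "$v" "$(classify_openssh "$v")"
    done
fi
```

On a Gaia box, `live_classify` should print `pre-regression` for the 7.8p1 builds reported in this thread; `sshd_libc` then tells you whether the glibc precondition even applies. An `affected-unless-patched` result is a prompt to read the package changelog for a backported fix, as the `rpm -q --changelog` line above does for the 2006 bug, not a verdict on its own.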

Hi, I see this new sk182459 CVE-2024-6387 - OpenSSH Library RCE; Spark is not mentioned here yet. https://support.checkpoint.com/results/sk/sk182459
The SK is marked as internal now.
However, it largely says what's been discussed here.
A fix is planned for the relevant Quantum Spark appliances, though it is not quite as urgent since it requires some effort to exploit.
sshd is also not exposed to the Internet by default.
Will this CVE be included in the sk65269?

Yes, that is a logical expectation I would say, and it has since been actioned.
Moreover regarding general mitigations, IPS protection "Multiple SSH Initial Connection Requests" appears to have been updated.

Also interested in hearing about R81.10 Take 130 and above.
Maybe, as @spottex mentioned, I can check our installation as specified in sk65269 - https://support.checkpoint.com/results/sk/sk65269
Kim
My oldest firewall still currently running is R80.40 jumbo 139. My newest is R81.20 jumbo 65. Both have OpenSSH 7.8p1, so I'd say it's reasonable to assume all the versions between them do, too.
I've noted in R81 with JHFA44 this also has OpenSSH_7.8p1.
Hi,
under "Administrator Access", HTTPS and SSH are defined as "access for administrators".
For my understanding: if the gateway can be accessed from the "Internet" and is secured by "specified IP addresses", is the gateway still vulnerable if the configured IP addresses are trusted?
Screenshot of the configuration of administrator access
From the logs it doesn't seem so, because all accesses from IPs other than those defined are dropped with "WebUI/SSH access attempt from unallowed source".
Yes I understand, that updating is the better way, but I updated all customers Sparks just one week ago with the latest update. 😉
Thanks in advance
Christian

I've noted on the CP site that R81.10.10 (build 996002945) is the latest release; however, there is a new build which contains the fix (build 996002948), but under the same version release.
I've pinged my suggestion to CP, i.e. release this new 'fixed' version under R81.10.11.
For reference, the new build can also be found at:
https://support.checkpoint.com/results/sk/sk182459
Even though it still references version R81.10.10.

This is the reason why it doesn't show up when looking for a Firmware Upgrade:
Screenshot of Firmware Upgrade Part
This is what I believe as well, hence I've reported my observations to Checkpoint. If the version was R81.10.11 as an example this would be picked up when you do a 'Check now'.
Hi,
and it was removed yesterday.
Removed the firmware images to improve them.
The improved firmware images will be added soon.
We have installed this build 996002948 on about 80% of our 1550 Firewalls and have now stopped the rollout.
How should we proceed? Is this build unstable or critically flawed? Is a revert to build 996002945 recommended? Does the expected improved build need to be rolled out again?

Hi @Amir_Ayalon, I'm a bit confused about whether I need to do anything for this. Would you recommend I reach out to Support?
We're running R81.10 (Take 150) on a 6000 appliance. I noticed that sk182459 doesn't list that appliance/platform # on the SK. OpenSSH seems to be on version 7.8p1. I assume we're affected, but since my platform isn't on that SK, I don't want to risk trying the packages on that SK.
Thank you!
This SK is only specific to Spark appliances, regular Quantum appliances are not impacted per sk65269.
Thank you!

We already upgraded all systems to the first released version mentioned in that sk182459 -> R81.10.10 996002948.
And now we have to do it again; frankly, that is not very customer-friendly. The communication is not satisfying either.
I know software development is not easy these days... 😥
FWIW, I believe the previous build had an issue with Reach My Device functionality (which is why it was replaced).
