Kim_Moberg
Advisor

Is Check Point Gaia vulnerable towards this new CVE-2024-6387 in OpenSSH?

Hi

Is Check Point Gaia vulnerable towards this new CVE-2024-6387 in OpenSSH?

Any plans to mitigate this CVE?

Reference

New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems (thehackernews.com)

qualys.com/2024/07/01/cve-2024-6387/regresshion.txt?ref=upstract.com

Thanks

 

Best Regards
Kim
Bob_Zimmerman
Authority

R81.20 jumbo 65 ships with OpenSSH_7.8p1, which is before the regression was introduced in 8.5p1. I haven't checked an R82 system yet.

0 Kudos
PhoneBoy
Admin

The R82 EA also ships with the same OpenSSH version as R81.20 (7.8p1).
Even where we shipped an older version of OpenSSH that was subject to CVE-2006-5051 (the original bug that regressed as CVE-2024-6387), we included the fix for this: https://support.checkpoint.com/results/sk/sk61744

Will have to double check Gaia Embedded.

Bob_Zimmerman
Authority

That brings up an interesting question. Does Gaia Embedded use glibc or musl? The vulnerability only applies to OpenSSH versions 8.5p1 and up linked against glibc, and that's not especially common in embedded systems.

0 Kudos
PhoneBoy
Admin

Offhand, I don't know if we use glibc or musl.
Prior to R80.20.60, we were using Dropbear, so this should not impact older SMB appliances.
As of R81.10.10, we use OpenSSH 8.5p1.

In any case, I've raised the issue with the SMB team and will report back.

spottex
Collaborator

Will wait for your next reply.

While I'm waiting, I found some commands to poke around:

ldd -r -v /bin/ssh : shows glibc libraries
rpm -q --changelog $(rpm -qa | grep openssh) | grep CVE-2006-5051 : shows CVE-2006-5051 is still included in change logs

https://support.checkpoint.com/results/sk/sk65269
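
The two conditions raised in the replies above (OpenSSH 8.5p1 or later, and linked against glibc) can be checked together. This is an added example, not part of any post in the thread and not Check Point tooling; the function names and the sample banner and ldd strings are constructed for illustration. A `check-fix-level` result still has to be confirmed against the vendor's fixed build, because the version string alone does not show backported fixes.

```shell
#!/bin/sh
# Added example: triage one host against the two conditions stated in the
# thread: OpenSSH 8.5p1 or later AND linked against glibc.

# "OpenSSH_7.8p1, OpenSSL ..." -> "7.8"; prints nothing for other banners.
ssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' | head -n 1
}

# Succeeds when major.minor is 8.5 or later (regression introduced in 8.5p1).
at_or_after_8_5() {
    major=${1%%.*}; minor=${1#*.}
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 5 ]; }
}

# Classify the C library from ldd output. musl is tested first because its
# library name (libc.musl-<arch>.so.1) also begins with "libc.".
libc_flavor() {
    case "$1" in
        *musl*)      echo musl ;;
        *libc.so.6*) echo glibc ;;
        *)           echo unknown ;;
    esac
}

# classify BANNER LDD_OUTPUT -> one-word verdict
classify() {
    ver=$(ssh_version "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    if ! at_or_after_8_5 "$ver"; then echo predates-regression; return 0; fi
    case "$(libc_flavor "$2")" in
        glibc) echo check-fix-level ;;  # confirm the installed build against the vendor SK
        musl)  echo not-glibc ;;
        *)     echo unknown ;;
    esac
}

# Constructed sample inputs (not captured from any real appliance).
BANNER_OLD='OpenSSH_7.8p1, OpenSSL 1.0.2k-fips  26 Jan 2017'
BANNER_NEW='OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021'
LDD_GLIBC='    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'
LDD_MUSL='    libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x00007f0000000000)'

echo "7.8p1 + glibc: $(classify "$BANNER_OLD" "$LDD_GLIBC")"
echo "8.5p1 + glibc: $(classify "$BANNER_NEW" "$LDD_GLIBC")"
echo "8.5p1 + musl : $(classify "$BANNER_NEW" "$LDD_MUSL")"
# Live use: classify "$(ssh -V 2>&1)" "$(ldd "$(command -v sshd)")"
```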

Johan_T
Explorer

Hi, I see this new sk182459 CVE-2024-6387 - OpenSSH Library RCE, Sparc is not mentioned here yet. https://support.checkpoint.com/results/sk/sk182459

 

0 Kudos
PhoneBoy
Admin

The SK is marked as internal now.
However, it largely says what's been discussed here.
A fix is planned for the relevant Quantum Spark appliances, though it is not quite as urgent since it requires some effort to exploit.
sshd is also not exposed to the Internet by default. 


0 Kudos
a574591
Participant

Will this CVE be included in the sk65269?

Status of OpenSSH CVEs (checkpoint.com)

0 Kudos
Chris_Atkinson
Employee

Yes, that is a logical expectation, I would say, and it has since been actioned.

Moreover regarding general mitigations, IPS protection "Multiple SSH Initial Connection Requests" appears to have been updated.

 

CCSM R77/R80/ELITE
0 Kudos
Kim_Moberg
Advisor

Also interested in hearing about R81.10 Take 130 and above. 

Maybe, as @spottex mentions, I can check our installation as specified in SK65269 - https://support.checkpoint.com/results/sk/sk65269

Best Regards
Kim
0 Kudos
Bob_Zimmerman
Authority

My oldest firewall still currently running is R80.40 jumbo 139. My newest is R81.20 jumbo 65. Both have OpenSSH 7.8p1, so I'd say it's reasonable to assume all the versions between them do, too.

0 Kudos
genisis__
Leader

I've noted in R81 with JHFA44 this also has OpenSSH_7.8p1. 

0 Kudos
Amir_Ayalon
Employee

For Spark, R81.10.10 is released.

https://support.checkpoint.com/results/sk/sk182459

Greifenstein
Participant

Hi,

Under "Administrator Access", https and ssh are defined as "access for administrators".

For my understanding: if the gateway can be accessed by "Internet" and is secured by "specified IP addresses", is the gateway still vulnerable, if the configured IP-addresses are trusted?

[Screenshot of the configuration of administrator access]

From the logs it doesn't seem so, because all accesses from IPs other than those defined are dropped with "WebUI/SSH access attempt from unallowed source".

Yes, I understand that updating is the better way, but I updated all customers' Sparks just one week ago with the latest update. 😉

Thanks in advance
Christian

0 Kudos
genisis__
Leader

I've noted on the CP site that R81.10.10 (build 996002945) is the latest release; however, there is a new build which contains the fix, "build 996002948", but under the same version release.
I've pinged my suggestion to CP, i.e. release this new 'fixed' version under R81.10.11.

For reference new build can also be found:
https://support.checkpoint.com/results/sk/sk182459

Even though it still references version R81.10.10

0 Kudos
Greifenstein
Participant

This is the reason why it doesn't show up when looking for a Firmware Upgrade:

[Screenshot of Firmware Upgrade Part]

0 Kudos
genisis__
Leader

This is what I believe as well, hence I've reported my observations to Checkpoint.  If the version was R81.10.11 as an example this would be picked up when you do a 'Check now'.

Juergen_Blumens
Explorer

Hi,

and it was removed yesterday.

Removed the firmware images to improve them.
The improved firmware images will be added soon.

We have installed this build 996002948 on about 80% of our 1550 Firewalls and have now stopped the rollout.

How should we proceed? Is this build unstable or critically flawed? Is a revert to build 996002945 recommended? Does the expected improved build need to be rolled out again?

0 Kudos
(1)
r1der
Advisor

Hi @Amir_Ayalon, I'm a bit confused if I need to do anything for this. Would you recommend I reach out to Support?
We're running R81.10 (Take 150) on a 6000 appliance. I noticed that SK182459 doesn't list that appliance/platform # on the SK. OpenSSH seems to be on version 7.8p1. I assume we're affected, but since my platform isn't on that SK, I don't want to risk trying the packages on that SK.

Thank you!

0 Kudos
Chris_Atkinson
Employee

This SK is only specific to Spark appliances, regular Quantum appliances are not impacted per sk65269.

CCSM R77/R80/ELITE
r1der
Advisor

Thank you!

0 Kudos
D_W
Advisor

We already upgraded all systems to the first released version mentioned in that SK182459 -> R81.10.10 996002948.
And now we have to do it again - that is not very customer friendly, to say it frankly. Also, the communication is not satisfying.
I know software development is not easy these days... 😥


0 Kudos
PhoneBoy
Admin

FWIW, I believe the previous build had an issue with Reach My Device functionality (which is why it was replaced).
