This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have one, create one now for free!
Maik
Advisor
‎2019-06-18 02:07 AM

TCP SACK PANIC - Kernel vulnerabilities | Check Point affected?

Jump to solution

Hello,

 

Just wanted to ask for a statement from Check Point regarding CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479. As redhat posted a statement and mentioned several releases are affected my guess is, that Check Point with GAiA is affected too (as based on RH Linux...).

Details can be read below:

https://access.redhat.com/security/vulnerabilities/tcpsack

 

Regards,

Maik

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-06-18 09:55 AM

Jump to solution
Our SK on the matter: https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...
TL;DR: Yes, we're vulnerable, but you can disable TCP SACK as a workaround until a patch is developed.

As for an IPS signature, there is an existing one related to TCP SACK for Windows, which I'm not sure applies here.
I'll double-check and update.

View solution in original post

31 Replies
G_W_Albrecht
Legend
Legend
‎2019-06-18 05:47 AM

Jump to solution

That is easy: If you read the script, you find the kernel versions that are affected. If you comment put the RHEL 5-8 only lines, you get:

 

Check Point Security Gateway R80.30

Kernel 2.6.18-92cpx86_64

Edition 64-bit

Build 200

---

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 2.6.18-92cpx86_64

This system is Not affected

---

Check Point Security Management R80.30

Kernel 3.10.0-693cpx86_64

Edition 64-bit

Build 200

---

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

 

Running kernel: 3.10.0-693cpx86_64

This system is Not affected

CCSE CCTE SMB Specialist
Axel_Engeland
Participant
‎2019-06-18 07:08 AM
In response to G_W_Albrecht

Jump to solution

That's not how the script works. The script has a list of vulnerable RHEL kernels and checks uname -r versus this list.

Obviously only original RHEL kernels are included in the list, so you'll always get "not vulnerable" from that script for systems that have change the release string. That's the reason the script checks for el[5-8] before running - it's only valid for RHEL and maybe CentOS.

There are kernel releases in the list that are similar to the current gateway release kernel (2.6.18-92) as well as the current management kernel (3.10.0-693).

user@linux:~> grep 2.6.18-92 cve-2019-11477--2019-06-17-1629.sh
'2.6.18-53.1.21.el5' '2.6.18-92.el5' '2.6.18-92.1.1.el5' '2.6.18-92.1.6.el5' '2.6.18-92.1.10.el5'
'2.6.18-92.1.13.el5' '2.6.18-92.1.17.el5' '2.6.18-92.1.18.el5' '2.6.18-92.1.22.el5' '2.6.18-128.el5'
user@linux:~> grep 3.10.0-693 cve-2019-11477--2019-06-17-1629.sh
'3.10.0-693.el7' '3.10.0-693.1.1.el7' '3.10.0-693.2.1.el7' '3.10.0-693.2.2.el7' '3.10.0-693.5.2.el7'
'3.10.0-693.5.2.p7ih.el7' '3.10.0-693.11.1.el7' '3.10.0-693.11.6.el7' '3.10.0-693.17.1.el7' '3.10.0-693.21.1.el7'
'3.10.0-693.25.2.el7' '3.10.0-693.25.4.el7' '3.10.0-693.25.7.el7' '3.10.0-693.33.1.el7' '3.10.0-693.35.1.el7'
'3.10.0-693.37.4.el7' '3.10.0-693.39.1.el7' '3.10.0-693.43.1.el7' '3.10.0-693.44.1.el7' '3.10.0-693.46.1.el7'
'3.10.0-693.47.2.el7' '3.10.0-861.el7' '3.10.0-862.el7' '3.10.0-862.2.3.el7' '3.10.0-862.3.2.el7'
'3.10.0-693.rt56.617.el7' '3.10.0-693.2.1.rt56.620.el7' '3.10.0-693.2.2.rt56.623.el7' '3.10.0-693.5.2.rt56.626.el7' '3.10.0-693.11.1.rt56.632.el7'
'3.10.0-693.11.1.rt56.639.el7' '3.10.0-693.17.1.rt56.636.el7' '3.10.0-693.21.1.rt56.639.el7' '3.10.0-861.rt56.803.el7' '3.10.0-862.rt56.804.el7'
'3.10.0-514.rt56.221.el6rt' '3.10.0-514.rt56.228.el6rt' '3.10.0-514.rt56.231.el6rt' '3.10.0-693.2.1.rt56.585.el6rt' '3.10.0-693.2.2.rt56.588.el6rt'
'3.10.0-693.5.2.rt56.592.el6rt' '3.10.0-693.11.1.rt56.597.el6rt' '3.10.0-693.11.1.rt56.606.el6rt' '3.10.0-693.17.1.rt56.604.el6rt' '3.10.0-693.21.1.rt56.607.el6rt'
'3.10.0-693.25.2.rt56.612.el6rt' '3.10.0-693.25.4.rt56.613.el6rt' '3.10.0-693.25.7.rt56.615.el6rt' '3.10.0-693.33.1.rt56.621.el6rt' '3.10.0-693.35.1.rt56.625.el6rt'
'3.10.0-693.37.4.rt56.629.el6rt' '3.10.0-693.39.1.rt56.629.el6rt' '3.10.0-693.43.1.rt56.630.el6rt' '3.10.0-693.44.1.rt56.633.el6rt' '3.10.0-693.46.1.rt56.639.el6rt'
'3.10.0-693.47.2.rt56.641.el6rt'

 

As nobody knows from what sources and patches Check Point builds its packages, only Check Point can tell about the impact of Sad SACK.

G_W_Albrecht
Legend
Legend
‎2019-06-19 12:11 AM
In response to Axel_Engeland

Jump to solution

Of course, the script states loud and clear that it can only talk about RHEL kernels - GAiA kernel is CP.

CCSE CCTE SMB Specialist
0 Kudos
Michael_Gonnaso
Participant
‎2019-06-18 09:48 AM
In response to G_W_Albrecht

Jump to solution

Could it be that the script doesn't know about the custom Checkpoint kernels?  

In the script it shows a lot of entries in the 2.6.18-92 range.  

0 Kudos
Christian_Riede
Collaborator
‎2019-06-18 05:50 AM

Jump to solution
Besides the Checkpoint firewalls themselves: How can vulnerable systems behind a Checkpoint be protected? Currently I cannot find an IPS protection for that vulnerability.
0 Kudos
G_W_Albrecht
Legend
Legend
‎2019-06-18 06:05 AM
In response to Christian_Riede

Jump to solution

To protect devices behind the firewall that run an unsafe RedHat kernel version, see here: https://access.redhat.com/security/vulnerabilities/tcpsack

CCSE CCTE SMB Specialist
0 Kudos
Christian_Riede
Collaborator
‎2019-06-18 06:08 AM
In response to G_W_Albrecht

Jump to solution
Well.. yes. I could chase up zillions of admins to fix their systems. But then I do not need a Checkpoint firewall. 😉
0 Kudos
Vladimir
Champion
Champion
‎2019-06-18 01:40 PM
In response to Christian_Riede

Jump to solution

Given that these were disclosed on 2019-06-17, it is a bit premature to expect the IPS protection to be available 24 hours later.

Wishful thinking perhaps, but unlikely to happen.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-18 01:41 PM
In response to Vladimir

Jump to solution
We're working on it, will keep everyone posted.
0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-18 09:55 AM

Jump to solution
Our SK on the matter: https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...
TL;DR: Yes, we're vulnerable, but you can disable TCP SACK as a workaround until a patch is developed.

As for an IPS signature, there is an existing one related to TCP SACK for Windows, which I'm not sure applies here.
I'll double-check and update.
Ceeeeb
Explorer
‎2019-06-18 08:35 PM
In response to PhoneBoy

Jump to solution
Is it possible to drop packet with low MSS?
0 Kudos
Sigbjorn
Advisor
‎2019-06-18 11:41 PM
In response to PhoneBoy

Jump to solution
Hi,

For VSX, will this deactivate TCP SACK for the entire system, or can we disable it only for the virtual systems that are exposed?
PhoneBoy
Admin
Admin
‎2019-06-19 09:35 AM
In response to Sigbjorn

Jump to solution
It's a Linux kernel issue, which means it can't be enabled/disabled on a per-VS basis.
As I noted, we are planning a hotfix on this, stay tuned.
0 Kudos
Axel_Engeland
Participant
‎2019-06-19 12:23 PM
In response to Sigbjorn

Jump to solution

As there's only one kernel running on VSX, it would be a global setting. You cannot even set it per interface. This is a Linux limitation, not a Check Point one.

However, performance impact should be very low when exposed connections that don't have a high packet loss rate, as Selective ACK only plays a role in scenarios where you lose TCP packets.

0 Kudos
_Val_
Admin
Admin
‎2019-06-19 11:53 PM
In response to Sigbjorn

Jump to solution

to add to @PhoneBoy's answer, VSs are running firewalls in User Mode. Kernel is for the whole environment, hence the parameters mentioned on our response SK will affect all VSX system at once.

0 Kudos
Christoph
Contributor
‎2019-06-19 01:20 AM
In response to PhoneBoy

Jump to solution

sk156192 states for CVE-2019-11477, that only management servers are effected. Gateways are not listed, contrary to the other two CVEs.

Can you confirm that no gateways are effected by CVE-2019-11477?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-19 09:38 AM
In response to Christoph

Jump to solution
Gateways running the 3.10 kernel are impacted by this and are specifically listed in the SK.
Gateways running the 2.6 kernel are not impacted by this.
Sven_Glock
Advisor
‎2019-06-19 05:47 AM
In response to PhoneBoy

Jump to solution
Any news about the signature? 🙂
PhoneBoy
Admin
Admin
‎2019-06-21 11:20 AM
In response to Sven_Glock

Jump to solution
It's in progress.
0 Kudos
Humza
Employee
Employee
‎2019-07-01 08:28 AM
In response to Sven_Glock

Jump to solution

Please see updated SK detailing which versions have been patched and are still in progress: sk156192

R80.10 & R80.20 are patched with the latest jumbo hotfix while others are still in progress.

Sean_Van_Loon
Contributor
‎2019-07-02 11:56 PM
In response to Humza

Jump to solution

Great to hear/see that there are patches already available:

- R77.30 JHF 351 (included in JHF)

- R80.10 TCP SACK PANIC Hotfix , which should be installed on top of JHF 203 (General availability)

- R80.20 JHF 87 (Ongoing take)

- R80.30 JHF 19 (Ongoing take)

Source: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

But I do have some questions:

  1. Does the patch have impact on performance?
  2. R80.10 'custom hotfix'
    1. I suspect it is incompatible with other hotfixes? And should be uninstalled as a new JHF is released?
    2. Reboot required on installation?
  3. R80.10/R80.20/R80.30 when will it be included in the GA JHF?

 

Thanks!

 

 

PhoneBoy
Admin
Admin
‎2019-07-03 11:19 AM
In response to Sean_Van_Loon

Jump to solution
  1. The issue only impacts connections to/from the gateway (not through). The "workaround" had a minimal performance impact on connections directly to/from gateway, the patch fixes that.
  2. The R80.10 "custom fix" is only necessary because it is not yet integrated into any JHF. I assume it's planned to be integrated into the next JHF for R80.10. As for incompatibility with other fixes, it depends on the nature of the fixes you are combining with.
  3. The release schedule for GA JHFs is based on quality, not on a specific date. As such, I can't give a precise date as to when GA JHFs will be available. TAC may have an estimate, but it's only that: an estimate.
Martin_Oles
Contributor
‎2019-07-02 01:18 AM

Jump to solution

Already mentioned: how to protect servers behind firewall? I could patch or apply workaround on gateways, but on servers, where are applications running, such is much more demanding task. I was looking for possibility of blocking possible attack on firewall, only hoping, that IPS signature was already updated (did not find any information confirming it). How about situation, where IPS is not in use? In theory dropping packets with low MSS might help, sort of "iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP". How to achieve such in safe way on firewall?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-03 11:43 AM
In response to Martin_Oles

Jump to solution
There's an older IPS signature related to TCP SACK on Windows (CVE-2010-0242).
I don't know if it would stop this particular attack on Linux.
It should be noted that the performance impact of this signature is Critical and is disabled in all profiles by default.

As for a specific IPS signature for this issue, I believe it is still under development.
Christian_Riede
Collaborator
‎2019-07-05 12:47 AM
In response to PhoneBoy

Jump to solution
Come on Checkpoint, iptables can do it now and easily. Why can't you with IPS?
0 Kudos
_Val_
Admin
Admin
‎2019-07-05 05:07 AM
In response to Christian_Riede

Jump to solution
Blocking small MSS in iptables is not a solution, it is a workaround. Exploit signature is a completely different game
0 Kudos
Jelle_H
Contributor
‎2019-07-15 08:31 AM
In response to _Val_

Jump to solution
Looking at the fact that this is a flaw in Linux specifically in the TCP/IP Transport Layer. I am curious how you could fix this at all without rewriting code? Were now providing several customers with a hotfix for the vulnerability but i cannot find any information about what were installing? Are we installing a workaround or are we installing a fix?
0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-15 09:23 PM
In response to Jelle_H

Jump to solution
You're installing a kernel fix for the relevant CVEs.
The "workaround" was disabling SACK.
This is documented in the SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
DM
Explorer
‎2019-07-17 01:56 AM
In response to PhoneBoy

Jump to solution

I saw that these CVEs are fixed in Hotfix 351.

Can anyone tell when this Hotfix will be generally available?

0 Kudos
Labels