Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Ivory

Various Vulnerabilities on secure platform firewall

Jump to solution

Hello guys , this is my first post here so i am hope i will have some help

i received some tasks to fix some vulnerabilities on one of our cluster  fw, which is very old secure Platform R75.40... i know its old , end of support etc and there are plans to upgrade/renew it in near future.

 

i was trying to find something in the google etc, but most articles are related to newer version like 77.30 and 80.x

i will list some of those issues so maybe someone give me a tips how to fix it in this old platform.

1: Disable SSLv3. Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled. and it is related to SSLv3 Padding vuln.

i found some post https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

but again it is related to newer version so i wonder if there is something similar for my version and platform.

 

2.SSL Medium Strength Cipher Suites Supported CVE-2016-2183 

I would like to know how to safely fix that on this platform? and what cipher to use in this case?

 

3. Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption. realated to: CVE-2008-5161

What ciphers i would need to add and where ssh_conf or sshd_conf  (in sshd_conf there is no ciphers at all)

also there is need to restart ssh after that , is it risk i will lose connection to the box in case of some mistake?

 

sorry for question which can looks trivial  but i am new to checkpoint and  especially to such old platform so i will be thankful for any help

and if i posted it in wrong location please move it or let me know to avoid it in the future.

 

 

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Admin
Admin
The time that you spend "fixing" these vulnerabilities would be better spent upgrading to a supported release, given that R75.40 has been End of Support for 4 years now.

In particular, R75.4x only supports TLS 1.0 and has a fairly old version of OpenSSH installed.
It might require a hotfix to disable SSLv3, e.g. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
If this hotfix doesn't work as-is, you may be out-of-luck as R75.4x is end of support.

I imagine you can follow whatever steps they suggest for OpenSSH, keeping in mind we use an older version.
This requires a restart of the SSH daemon.

But like I said, you're better off fixing this problem by upgrading to a supported release.

View solution in original post

2 Replies
Highlighted
Admin
Admin
The time that you spend "fixing" these vulnerabilities would be better spent upgrading to a supported release, given that R75.40 has been End of Support for 4 years now.

In particular, R75.4x only supports TLS 1.0 and has a fairly old version of OpenSSH installed.
It might require a hotfix to disable SSLv3, e.g. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
If this hotfix doesn't work as-is, you may be out-of-luck as R75.4x is end of support.

I imagine you can follow whatever steps they suggest for OpenSSH, keeping in mind we use an older version.
This requires a restart of the SSH daemon.

But like I said, you're better off fixing this problem by upgrading to a supported release.

View solution in original post

Highlighted
Ivory
thank you very much for clarification
0 Kudos