This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2024-10-15 11:01 AM

SNX failing Driver validation

I've found on my windows 10 22H2 clients that SNX is failing the windows driver validation checks (Secure boot + Driver Signature Enforcement).

checking the setupapi.dev.log file shows the following errors:

Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Driver package failed signature verification. Error = 0xE0000247

Failed to import driver package into Driver Store. Error = 0xE0000247

 

When i Check out the SNX security catalog file, it shows that it is not valid, being signed by an old microsoft CA that expired in 2021.

I've attached screenshot of the certs and catalog.

TAC + R&D has indicated that the driver being signed by an expired CA is fine, and that this is likely an issue with a custom CRL on my clients, but I've never applied a custom CRL.

 

I'm wondering if anyone else has seen this isue on win10 22H2 and later versions of windows. The proposed workaround of disabling secure boot + validation checks will be rejected by the business.

 

2024-10-15_13h55_37.png
Preview file
33 KB
2024-10-15_13h55_21.png
Preview file
11 KB
2024-10-15_13h56_03.png
Preview file
26 KB
0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2024-10-15 12:23 PM

What version of snx is installed?
What gateway version/JHF is relevant here?

0 Kudos
NorthernNetGuy
Advisor
‎2024-10-15 12:34 PM
In response to PhoneBoy

R81.20, JHF 84

 

SNX version 7.01.0000

Mobile Access Portal Agent 800.007.049

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-15 01:42 PM
In response to NorthernNetGuy

The SNX version should be a build like 800008302, which you can get with snx -h on the CLI.
The latest appears to be 80008409, which should be applied with the latest R81.20 JHF.

Assuming you're on the most recent release, you're saying it is signed with an old certificate?
Can you send me the relevant SR in a PM?

0 Kudos
NorthernNetGuy
Advisor
‎2024-10-16 05:22 AM
In response to PhoneBoy

the SNX I put above was the 'SLL Network Extender Service' version that gets installed alongside the Mobile Access Portal Agent (actual snx).

SNX build using 'snx -h' is showing 997000069.


https://sc1.checkpoint.com/documents/SSL_Network_Extender_AdminGuide/Content/Topics-SNX-Admin-Guide/... 

this article confirms the latest version for my release is 80008409, and when I do "cat $CVPNDIR/htdocs/SNX/CSHELL/snx_ver.txt" it shows 800008409.

You can also see the old cert signature in the pictures I attached in my original post.

if the windows agent version # is supposed to match, then maybe when my clients are dowloading SNX they are getting an older version.

DM'ing you the SR as well

*edit*
according to https://support.checkpoint.com/results/sk/sk168353 the windows agent version is the latest.

 

0 Kudos
MaksimBahunou
Employee
Employee
‎2024-10-17 01:46 AM
In response to NorthernNetGuy

Hi @NorthernNetGuy 

Could you please check SNX version that is installed on Windows?

It can be found in "c:\Program Files (x86)\CheckPoint\SSL Network Extender\ver.ini" file.

0 Kudos
NorthernNetGuy
Advisor
‎2024-10-17 05:31 AM
In response to MaksimBahunou

800008409

 

Can anyone confirm what certificate and root CA are signing the SSL extender for them? the security catalog and signer can be found at: C:\Program Files (x86)\CheckPoint\SSL Network Extender\netvna.cat 

 

Click 'View Signature", then click 'View Certificate"

0 Kudos
MaksimBahunou
Employee
Employee
‎2024-10-17 06:01 AM
In response to NorthernNetGuy

Here are from my PC:

2024-10-17 15_58_00-.png2024-10-17 15_58_32-.png

0 Kudos
NorthernNetGuy
Advisor
‎2024-10-17 06:10 AM
In response to MaksimBahunou

Do you have Secure Boot with  driver signature enforcement enabled? Windows should reject SNX if you do based on that.

You can check if Secure boot is enabled in MSINFO under "Secure Boot State"
if off, then driver signature enforcement will also be off.

If Secure Boot State is On, then in an elevated command prompt, run 'bcdedit' and look for "nointegritychecks", if it shows "yes", then driver signature enforcement is off

0 Kudos
MaksimBahunou
Employee
Employee
‎2024-10-17 06:54 AM
In response to NorthernNetGuy

Secure Boot is definitely "on".

As for the "nointegritychecks". By default, I don't see its value. When I tried to alter it, I got "The value is protected by Secure Boot policy and cannot be modified or deleted." So, I disabled Secure Boot, explicitly set "nointegritychecks" to "off" and enabled Secure Boot back.

No issues with certificate.

Capture.PNG

0 Kudos
NorthernNetGuy
Advisor
‎2024-10-17 06:57 AM
In response to MaksimBahunou

The value won't show if off for nointetegritychecks, it is off by default for security. can you also confirm if you are on windows 10 22h2?

It should be normal for windows to reject a driver signature that comes from an expired CA I think, I don't know why my different windows test clients would be a rare exception in rejecting this instead of allowing it.

0 Kudos
MaksimBahunou
Employee
Employee
‎2024-10-17 10:56 PM
In response to NorthernNetGuy

I check on Win10 22H2 19045.4849

I noticed one interesting thing. The root certificate (Microsoft Root Certificate Authority) has validity period from 10 May 2001 till 10 May 2021.

While on your screenshot it is 9 May 2001 - 9 May 2021. 

In my case certificate serial number is 79ad16a14aa0a5ad4c7358f407132e65. Please check with your one.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top