John_Fleming
Advisor

1200R images downloads are completely messed up

So here is my experience with trying to find which 1200R image I should be running.

 

==== 

sk105738 - Check Point 1200R Appliance

which has a link called "Check Point 600 / 1100 / 1200R / 700 / 1400 / 910 SMB Appliances Releases"

which points to 

https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/htm...

which was released in 2015. I think this might be a wrong link after looking at the description but still..

===

Next I'm looking at the product page

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowproductpage&product=450

And I see 2 pages of download links. How as a user can I tell what is the latest one? I know from being a Check Point user for a while to look at the largest build number, but how do you expect someone to just know that?

Check Point 1200R Appliance package R77.20.81 build 990172541

or

R77.20 HFA 81 (R77.20.81) Build 990172583 for 1200R Appliances

or 

R77.20.81 Build 990172605 for 1200R Appliances

If I hit the 1500 page then I see this link..

=== 

(4) Downloads

Refer to sk97766: Check Point 600 / 700 / 910 / 1100 / 1200R / 1400 / 1500 SMB Appliances.

Which says this was the latest 1200R image.

R77.20.81 R77.30 with R77.30 Add-On and higher 1200R / 700 / 1400 / 910


So let's click the latest build of R77.20.87 from the page to see what is listed, even though it doesn't show 1200R, to see what I find.

Jumbo Hotfix Accumulator for R77.20.87

SMB-11853 A vulnerability in the code enables an attacker to cause a buffer overflow which can lead to a Denial of Service condition.


Great.. so now I've uncovered there is something nasty I need to verify is patched on the 1200R even though I have no idea what to download so far.

===

So now I'm going to search for SMB-11853

Check Point Response to CVE-2020-8597 (PPP buffer overflow vulnerability)

and I see...

R77.20.81 Build 990172605 for 1200R Appliances
===

If I go back to sk97766 - and click the 1200R download I get...

https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/m...

which is 

R77.20.81 Build 990172541 for 1200R appliances

So great.. this doesn't have the PPP patch, I'm assuming? How would a user know this?

==

This is completely unacceptable. It should not be this hard to figure out what I need to be running. This does not help the massive stigma that comes with Gaia Embedded.

0 Kudos
4 Replies
Amir_Ayalon
Employee

Hi John

First, sorry for the inconvenience. Now let me see if I can address the issue.

There is this very useful SK, which always directs you to the latest SW release which is GA.

Check Point 600 / 700 / 910 / 1100 / 1200R / 1400 / 1500 SMB Appliances Releases

All the models are there, so for future reference, please keep it in mind.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

In this SK, it is stated that for 1200R, the latest GA release is R77.20.81 HFA 81 (R77.20.81) Build 990172541

(available here - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Some of the confusion is due to another more recent firmware which is mentioned here:

Check Point Response to CVE-2020-8597 (PPP buffer overflow vulnerability)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

This refers to a firmware which was released specifically to address CVE-2020-8597, so the release procedure is a bit different, and the recommendation is also a bit different.

The image is available (R77.20.81 Build 990172605) but not in public GA like Build 990172541.

So, that's in regard to the latest firmware available.

As for your other remarks, we will go over and see if there are old SKs which need to be updated (to point to the latest).

The product page, however, is a different story. It automatically includes all firmware releases, so you are right that it's not the place to understand which is the latest to use.

To summarize,

To avoid any future confusion, please use SK97766 for future reference.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

From our side, we will have a look at the old Releases SKs, and see if we need to update pointers there to direct the user to newer releases.

Appreciate the feedback

Thanks

0 Kudos
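
The check discussed in the two posts above, as an added example that is not part of either post and is not Check Point tooling: it parses the three 1200R download titles quoted in the thread, picks the highest build, and flags images whose build is below the one the CVE-2020-8597 SK lists. It assumes build numbers only increase within the R77.20.81 train and that a build at or above 990172605 carries the PPP fix; the function names are hypothetical.

```python
import re

# Release titles exactly as quoted in the thread (three different layouts).
TITLES = [
    "Check Point 1200R Appliance package R77.20.81 build 990172541",
    "R77.20 HFA 81 (R77.20.81) Build 990172583 for 1200R Appliances",
    "R77.20.81 Build 990172605 for 1200R Appliances",
]
# Build the thread associates with the CVE-2020-8597 (PPP) fix on the 1200R.
PPP_FIX_BUILD = 990172605

# Only a full three-part version counts, so "R77.20 HFA 81" is skipped
# and the "(R77.20.81)" that follows it is used instead.
VERSION_RE = re.compile(r"R(\d+)\.(\d+)\.(\d+)")
BUILD_RE = re.compile(r"\bbuild\s+(\d+)\b", re.IGNORECASE)


def parse_title(title):
    """Return ((major, minor, hfa), build), or None if either part is missing."""
    version = VERSION_RE.search(title)
    build = BUILD_RE.search(title)
    if not version or not build:
        return None
    return tuple(int(p) for p in version.groups()), int(build.group(1))


def latest(titles):
    """Pick the title with the highest (version, build); skip unparsable ones."""
    parsed = [(parse_title(t), t) for t in titles]
    parsed = [(key, t) for key, t in parsed if key is not None]
    if not parsed:
        raise ValueError("no title carried both a version and a build number")
    return max(parsed)[1]


def predates_fix(title, fix_build=PPP_FIX_BUILD):
    """True when the image's build number is lower than the fix build (assumption:
    builds are monotonic within one version train)."""
    parsed = parse_title(title)
    if parsed is None:
        raise ValueError(f"cannot parse build from: {title!r}")
    return parsed[1] < fix_build


if __name__ == "__main__":
    print("latest:", latest(TITLES))
    for t in TITLES:
        print("PRE-FIX" if predates_fix(t) else "ok     ", t)
```

A title without a build number, such as "Jumbo Hotfix Accumulator for R77.20.87", is rejected rather than guessed at, which is the case where the SK itself has to be read.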
John_Fleming
Advisor

For sure updating the SKs is a must. I wouldn't expect a user to come to this forum to find out what the proper SK is or to find a post from a non-Check Point employee to find the latest image for 1200R. Thanks for going back to review the SKs as it's badly needed.

It simply should not be hard to find an image that doesn't have known vulnerabilities. Anything less is a major disservice to the customer.

One thing I want to point out is the GA release for the 1400 contains security fixes that the GA for the 1200R does not (granted PPP issue is, I think, pretty minor but only because I'm not a consumer of PPP services).

This is a little out of scope for the 1200R rant, but why is it not getting updated on the Gaia Embedded train beyond .81? The replacement product hasn't shown up on the appliance support page yet and as of a few hours ago doesn't have an EoL statement even though the firmware does, which is a little strange. I've seen the replacement product so I know it exists but I have customer that bought 1200Rs less than 2 years ago.

Amir_Ayalon
Employee

Hi John

I do think sk97766, which lists all Latest Appliances Releases, is a good source to avoid confusion, but in any case, we will amend old SKs to always point to the latest.

(it should be simple as you stated)

As for support for 1200R beyond R77.20.81 - so first, you are right, 1200R is still under support, and we will continue to support it (and release firmware for it).

But the firmware we release for the 1200R includes mainly bug fixes, security fixes and stability fixes, and usually, not new features.

(That's why it will probably be kept as .81, and only the build number would advance.)

The reason 1200R will be kept updated for security issues/bugs but not new features is because, as you know, the hardware on the 1200R is not new (it was launched 5 years ago). New features usually require more HW resources, more memory, more CPU power. We saw in the past deployments of 1200R that wanted the latest security, but no more features that might impact performance or destabilize the HW.

So, unless there is a specific requirement from a customer for a new feature on the 1200R, we prefer to keep a stable firmware and only enhance it with mandatory fixes.

If you have further feedback, feel free. (here or by email amiray@checkpoint.com)

Thanks

John_Fleming
Advisor

Thanks for the review and taking the time to look over all this. Sounds like things are in good hands.

0 Kudos
