G_W_Albrecht
Champion

Latest firmware builds for 77.20.xx SMB appliances

In sk165875: Check Point Response to CVE-2020-8597 (PPP buffer overflow vulnerability) we found the latest 77.20.xx firmware builds for SMB appliances - but now in response to DNSpooQ (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685), CP TAC provided fixed versions also for older models (2021-02):

45 Replies
Steffen_Appel
Collaborator

R77.20.87 is now B990173049

G_W_Albrecht
Champion

Not really:

Steffen_Appel
Collaborator

Yes really, 3049 is mentioned here https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

"This problem was fixed. The fix is included in:

If you do not wish to upgrade, please Contact Check Point Support to get a Hotfix for this issue. "

 

So the JHF article just lacks an upgrade as the SK clearly points to the JHF article.

 

BTW the OP did not mention anything about GA anyhow.

G_W_Albrecht
Champion

No, it certainly is GA. But the link to the wrong source is nice, I would add some feedback there 😎 I assume that the people writing sk168797 thought that B990173049 would be GA soon, but as we see the phrase "If you do not wish to upgrade", it rather seems that something was mistaken, as a Gaia Embedded Hotfix is always a new firmware version including it.

So you can turn it any way you want, R77.20.87 B990173049 is private and only available through TAC - sk168797 is wrong, as R77.20.87 B990173049 is no GA version (yet)....

Steffen_Appel
Collaborator

Even if it is still not GA, you never mentioned GA in the OP.

Naftali_Oziel
Collaborator

It seems that now there is R77.20.87 B3055 if you ask TAC. Very confusing; how do I determine what some of the fixes made above B3042 are? Debating whether I should upgrade.

Steffen_Appel
Collaborator

sk167693 (from build 3044) and sk168797 (from build 3049) are two fixes included.

Naftali_Oziel
Collaborator

Yet if you call into TAC to get the fix for sk167693, they seem to give a different build number each time; now it's up to B3057, which they released, so I am sure it contains more than just those two fixes.

Steffen_Appel
Collaborator

HFA is updated to 3068.

G_W_Albrecht
Champion

Thank you - I updated my post!

Nik_Bloemers
Collaborator

I saw that too, but the resolved issues list is unchanged? Still lists B3042 as the latest (aside from the private builds).

Tom_Hinoue
Collaborator

It looks like there is an issue with the latest build. See the updated sk.
Maybe there will be a new build coming soon.

Jumbo Hotfix Accumulator for R77.20.87
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

IMPORTANT: We have detected a problem with the latest build (Build 990173068). As a result, we have temporarily removed the download links below. We are investigating the issue and will update the article as soon as it is resolved.

Steffen_Appel
Collaborator

HFA is updated to build 3072

G_W_Albrecht
Champion

... but no information about fixes in Build 990173072 is available yet! I have corrected the build in my post, the link is the same as before, and I have left feedback in sk153433. I installed this firmware yesterday...

Steffen_Appel
Collaborator

Probably the ones in the upcoming section.

G_W_Albrecht
Champion

No - the response provided by TAC was: "The new build consists of some general stability fixes."

G_W_Albrecht
Champion

sk153433 now contains:

R77.20.87 Jumbo Hotfix build 990173072
- General stability improvements and fixes.

Well, not entirely. 😀 For example we have a new process now:

/pfrm2.0/bin/jitterentropy_rngd

Using the Jitter RNG core, the rngd provides an entropy source that feeds into the Linux /dev/random device if its entropy runs low. It updates the /dev/random entropy estimator such that the newly provided entropy unblocks /dev/random.

The seeding of /dev/random also ensures that /dev/urandom benefits from entropy. Especially during boot time, when the entropy of Linux is low, the Jitter RNGd provides a source of sufficient entropy.

Tom_Hinoue
Collaborator

fwtmp directory default value is now 60MB (changed from 40MB since B3051) 🙂

G_W_Albrecht
Champion

Yes, that is quite a change:

# df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 30.0M 224.0K 29.8M 1% /tmp
tmpfs 60.0M 11.2M 48.8M 19% /fwtmp
ubi2_0 65.6M 992.0K 61.3M 2% /logs
ubi3_0 259.8M 134.4M 120.7M 53% /storage
ubi1_0 159.4M 127.6M 31.9M 80% /pfrm2.0
tmpfs 14.0M 36.0K 14.0M 0% /tmp/log/local
tmpfs 100.0M 0 100.0M 0% /tetmp

See the new size of /fwtmp. Also /tmp size was changed manually:

[screenshot: tmp.png]

Maximum possible size is 4 times 20 = 80MB. These 80MB seem to be reserved for /tmp as even when set to 80MB, other partitions do not shrink:

Filesystem Size Used Available Use% Mounted on
tmpfs 80.0M 224.0K 79.8M 0% /tmp
tmpfs 60.0M 11.2M 48.8M 19% /fwtmp
ubi2_0 65.6M 988.0K 61.3M 2% /logs
ubi3_0 259.8M 134.4M 120.7M 53% /storage
ubi1_0 159.4M 127.6M 31.9M 80% /pfrm2.0
tmpfs 14.0M 36.0K 14.0M 0% /tmp/log/local
tmpfs 100.0M 0 100.0M 0% /tetmp

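As an added example (not code from the thread or from Check Point), the following Python script parses df -h listings like the two above and reports which filesystems actually changed size, so the claim that enlarging /tmp to 80MB does not shrink the other partitions can be checked mechanically rather than by eye. The two listings are copied from the post; the function names and the 60MB /fwtmp minimum used in the usage section are my own assumptions drawn from the thread.

```python
import re

# Sample df -h listings copied from the thread: before and after /tmp was set to 80MB
DF_BEFORE = """\
Filesystem Size Used Available Use% Mounted on
tmpfs 30.0M 224.0K 29.8M 1% /tmp
tmpfs 60.0M 11.2M 48.8M 19% /fwtmp
ubi2_0 65.6M 992.0K 61.3M 2% /logs
ubi3_0 259.8M 134.4M 120.7M 53% /storage
ubi1_0 159.4M 127.6M 31.9M 80% /pfrm2.0
tmpfs 14.0M 36.0K 14.0M 0% /tmp/log/local
tmpfs 100.0M 0 100.0M 0% /tetmp
"""

DF_AFTER = """\
Filesystem Size Used Available Use% Mounted on
tmpfs 80.0M 224.0K 79.8M 0% /tmp
tmpfs 60.0M 11.2M 48.8M 19% /fwtmp
ubi2_0 65.6M 988.0K 61.3M 2% /logs
ubi3_0 259.8M 134.4M 120.7M 53% /storage
ubi1_0 159.4M 127.6M 31.9M 80% /pfrm2.0
tmpfs 14.0M 36.0K 14.0M 0% /tmp/log/local
tmpfs 100.0M 0 100.0M 0% /tetmp
"""

MIB = 1024 ** 2
_UNITS = {"": 1, "K": 1024, "M": MIB, "G": 1024 ** 3}
_SIZE_RE = re.compile(r"(\d+(?:\.\d+)?)([KMG]?)")


def parse_size(text):
    """Convert a busybox-style df -h size such as '60.0M', '224.0K' or '0' to bytes."""
    m = _SIZE_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_df(output):
    """Parse df -h output into {mount_point: {fs, size, used, avail, use_pct}}.

    The header line is skipped; sizes are normalised to bytes so that
    snapshots can be compared numerically."""
    table = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Filesystem":
            continue
        fs, size, used, avail, use_pct = parts[:5]
        mount = " ".join(parts[5:])  # tolerate mount points containing spaces
        table[mount] = {
            "fs": fs,
            "size": parse_size(size),
            "used": parse_size(used),
            "avail": parse_size(avail),
            "use_pct": int(use_pct.rstrip("%")),
        }
    return table


def size_changes(before, after):
    """Return {mount: (old_bytes, new_bytes)} for mounts whose Size column differs.

    A mount present in only one snapshot is reported with None on the missing side,
    so a partition that vanished after a resize is not silently ignored."""
    changes = {}
    for mount in sorted(set(before) | set(after)):
        old = before[mount]["size"] if mount in before else None
        new = after[mount]["size"] if mount in after else None
        if old != new:
            changes[mount] = (old, new)
    return changes


def below_minimum(snapshot, minimums):
    """Return the mounts whose size is below the expected minimum, or that are missing."""
    return [m for m, need in minimums.items()
            if m not in snapshot or snapshot[m]["size"] < need]


if __name__ == "__main__":
    before, after = parse_df(DF_BEFORE), parse_df(DF_AFTER)
    for mount, (old, new) in size_changes(before, after).items():
        print(f"{mount}: {old / MIB:.1f}M -> {new / MIB:.1f}M")
    # Assumed post-upgrade expectation taken from the thread: /fwtmp is 60MB from B3051 on
    print("below minimum:", below_minimum(after, {"/fwtmp": 60 * MIB}))
```

Run against the two listings, the only entry reported by size_changes is /tmp (30.0M to 80.0M); every other Size value is identical, which is the point made in the post. Feeding the script live output (df -h on the appliance, pasted into DF_AFTER) gives the same check after a future firmware build.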
Naftali_Oziel
Collaborator

I have the 1400 and noticed /fwtmp is set to the new size of 60.0M, but my /tmp is still sitting at 20.0M, yet as I understand it this was increased to 30.0M?

G_W_Albrecht
Champion

/tmp is still 20MB as long as you do not change the value in Advanced Settings!

Naftali_Oziel
Collaborator

Ok thanks, I thought there may have been some sort of a bug during the upgrade so that it did not take effect in the configuration. Appreciate the response.


Any feedback on how the latest JHF (3072) is working in a production environment?

Naftali_Oziel
Collaborator

So far so good, and a far better build than B3042. Clearly a lot of code optimization; the GUI is far more responsive. However, I am still doing some testing to see if it resolved the GUI core: when I had not logged into the firewall and it had been running for 20 plus days, logging into the GUI and navigating would cause a no-response and a core. I also have B3077 that I may install to fix the other issues, especially with SSL and HTTPS.

Steffen_Appel
Collaborator

3077 is for which sk?

Naftali_Oziel
Collaborator

SMB-14108 Policy installation for the 1400 Security Gateway with IPS blade enabled fails with the following error message: "Installation failed. Reason: Failed to load Policy on Security Gateway". Refer to sk170930.

SMB-14072 When HTTPS Inspection is enabled and the application is blocked, the user may not receive a user-check block page for some websites.

SMB-13454 If you create a new Application Group that contains one application that does not require SSL inspection and another application that does, the custom application group icon shows a lock icon even after you delete application signatures that require SSL inspection.

Steffen_Appel
Collaborator

Thanks

Naftali_Oziel
Collaborator

NP, let me know if you have upgraded and any issues identified.
