This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-18 04:49 AM
Jump to solution

SMB OpenSSL Fixes for CVE-2022-0778 are ready for 1500 1600 1800

Upgrade OpenSSL to fix CVE-2022-0778 Refer to sk178411 - Check Point response to OpenSSL CVE-2022-0778.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-21 11:51 AM
In response to G_W_Albrecht
Jump to solution

YES - according to R&D the solution is:

The "# cpopenssl version" command applies to R80.40 and above. In R80.30 versions (and below), we do not upgrade the openSSL version but manually port the fix for the CVE. Although there is no easy way to make sure that openSSL was upgraded on these versions, it will be after you install the Hotfix. 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
12 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-19 10:37 AM
Jump to solution

I would suggest to not install this fix - i found a serious bug in APPI updates making APCL work no more...

--> as stated this is not an issue of this firmware, only mine 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-20 03:38 AM
In response to G_W_Albrecht
Jump to solution

pt bladeUpdateStatus
3 (2002) =
modified = nil
lastSuccessfulCheckTime = 1647770804
installedUpdateVersion = 0
availableUpdateVersion = 22030801
isOfflineUpdate = false
lastInstallStartedAt = 1647770803
installStatus = BLADE_INSTALL_STATUS.CONNECTING
id = 2002
lastInstallResult = BLADE_INSTALL_RESULT.INSTALL_ERROR
bladeCode = BLADE.APPLICATION_CONTROL
lastSuccessfulInstallTime = nil
upToDateConfirmedAt = nil
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-21 03:12 AM
In response to G_W_Albrecht
Jump to solution

I have reverted back to  R80.20.35_992002613, but Update & APPI is still not working 😞

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-21 03:46 AM
In response to G_W_Albrecht
Jump to solution

(view in My Videos)

APCL update status is not displayed, but on clicking the Apply button, APCL tries to update, that is to reach the server, but fails - update is never started !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
_Val_
Admin
Admin
‎2022-03-21 03:49 AM
In response to G_W_Albrecht
Jump to solution

Did you open a TAC case yet?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-21 03:53 AM
In response to _Val_
Jump to solution

I just gave feedback to the SK - my wife is watching TV so i can do no debugs 😉.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
_Val_
Admin
Admin
‎2022-03-21 04:05 AM
In response to G_W_Albrecht
Jump to solution

never heard that excuse before, lol

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-22 02:06 AM
In response to _Val_
Jump to solution

I have resolved the issue 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-21 01:55 AM
Jump to solution

That seems not to be the only issue here - in GAiA after patching, R81.10 and R80.40 show:

# cpopenssl version
OpenSSL 1.1.1n 15 Mar 2022

This is the fixed OpenSSL version !

But 1550 R80.20.35_992002639:


# cpopenssl version
OpenSSL 1.0.2r 26 Feb 2019

This is the same version as in R80.20.35_992002613. That should be fixed OpenSSL version 1.0.2zd according to CVE-2022-0778.

So does this firmware fix the issue at all ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Amir_Ayalon
Employee
Employee
‎2022-03-21 09:58 AM
In response to G_W_Albrecht
Jump to solution

Hi Guys

we didn't see any bug in APPI. in fact there was no change in this region, so I'll be surprise if there is a bug.

As for why OpenSSL in not 1.1.1n. the issue was fixed within the same OpenSSL version.

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-21 11:48 AM
In response to Amir_Ayalon
Jump to solution

I think that my APPI issue has nothing to do with the firmware version - OpenSSL 1.0.2r 26 Feb 2019 is a fixed version ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-21 11:51 AM
In response to G_W_Albrecht
Jump to solution

YES - according to R&D the solution is:

The "# cpopenssl version" command applies to R80.40 and above. In R80.30 versions (and below), we do not upgrade the openSSL version but manually port the fix for the CVE. Although there is no easy way to make sure that openSSL was upgraded on these versions, it will be after you install the Hotfix. 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events