This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Espindola
Advisor
‎2019-07-15 04:01 PM

Version R77.20.87 Build 990172938 not documented

Hello everyone,

 

Does anybody know anything about version R77.20.87 Build 990172938 for SMB appliances?

 

It is not documented but it has a download page and is available in the Firmwares page of the SMP.

10 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-07-16 01:52 AM

I have asked CP in sk151574 R77.20.87 for Small and Medium Business Appliances why this build is not shown, only Build 990172929... But maybe this build resolves sk158092: Unexpected routing rule is shown when VTIs are configured on SMB appliances ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Scottc98
Advisor
‎2019-07-16 03:06 PM
In response to G_W_Albrecht

Any possibility that this addresses the TCP SACK PANIC vulnerabilities?

 

 

Pedro_Espindola
Advisor
‎2019-07-16 03:18 PM
In response to G_W_Albrecht

Could be. Or maybe sk156192 - TCP SACK PANIC

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-16 07:04 PM
In response to Pedro_Espindola

That's exactly what it's for.
0 Kudos
Aidan_Luby
Collaborator
‎2019-07-18 08:25 AM
In response to PhoneBoy

Maybe this should require a new thread but shouldn't this fix also be available for 600/1100 devices? I understand they're end of support but they should still get security fixes I believe.

 

I looked at the R77.20.80 page which is the last version for 600/1100's and the download links to fw1_dep_R77_990172392_20.img from 2018-07-04. But if you search R77.20.80 in the Downloads site you can find build 990172487 from 2019-06-20 which has no documentation and seems to be for 1100's specifically. Also it's a .tgz file instead of a .img which seems weird. Maybe this file is for the aforementioned vulnerability?

 

If the build I found is the newest and includes a major fix I would think it should be documented, added to the main R77.20.80 page, and should be an img file not a .tgz file.

 

 

Edit: I'd also think if this is the newest version it should be what's suggested when logged into the Gaia Embedded web page. I've recently just upgraded 20-30 devices to the suggest version just to see that two hotfixes have come out since that don't show up in documentation or any official way.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-18 02:39 PM
In response to Aidan_Luby

990172487 for the 600/1100 contains the fix for TCP SACK.
Not sure why it's not listed on the main download page.

0 Kudos
Pedro_Espindola
Advisor
‎2019-07-19 06:14 AM
In response to PhoneBoy

Not the first time that happens.

 

The fix for SegmentSmack and FragmentSmack (sk13425) was also kind of hidden and not listed in the main R77.20.80 page when it came out.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-08-19 12:46 AM
In response to Aidan_Luby

>> Also it's a .tgz file instead of a .img which seems weird.

? what seems weird here ?

R77.20.87  package for SmartUpdate

For R77.30 SmartUpdate and SmartProvisioning (TGZ)
For R80.x SmartUpdate (TGZ)

 

See sk151574: R77.20.87 for Small and Medium Business Appliances

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Pedro_Espindola
Advisor
‎2019-07-31 07:25 AM
In response to PhoneBoy

Ok, so this build was pulled from available firmwares in SMP and the image download page disappeared (Smartupdate page is still available though).

I opened a SR asking about this, and I was told to wait until a new build is available in SMP and upgrade manually ONLY gateways that are having issues. ???? Considering this is a vulnerability, all gateways have potential "issues".

From those facts, I assume that build 990172938 is not 100% stable. So when will we have a stable fix for these vulnerabilities? This should be out and widely available by now. Any news on upcoming SMB builds?

0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2019-08-18 08:50 AM
In response to Pedro_Espindola

Hi Pedro,

It looks like R77.20.87 Build 990172960 is now officially released GA in the following SK.
I didn't expect this coming as an independent SK though.

I believe many issues regarding SFWD stability is fixed in Build 990172953 and above, and should include the fixes for the vulnerabilities you mentioned. (though I don't see them in the resolved issues list)

R77.20.87 Jumbo Hotfix Accumulator
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events