Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
pnormanmtvh
Participant

Wi-fi vulnerabilities on SMB Appliances

Hi,

I would like to raise a query re: Checkpoint's response to the recently released statement on the aggregation and fragmentation attacks against WiFi. Some other vendors have produced guidance on this e.g when patches/firmware will be coming out to mitigate against these risks but I can't see anything from Checkpoint. Are you able to supply any more guidance on this?

https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/

Obviously some the SMB appliances have integrated Wireless (e.g the 1590 appliance)

Thanks - pnormanmtvh

0 Kudos
28 Replies
PhoneBoy
Admin
Admin

I’ll ask around.
Meanwhile, I recommend a TAC case for a formal response. 

0 Kudos
G_W_Albrecht
Legend
Legend

Any response yet ?

0 Kudos
hodesa
Employee
Employee

I have also asked internally if we are vulnerable for the Frag attack. Having said that, all attacks can only be launched from the internal network. The vulnerabilities are using 802.11 design flaws on frame aggregation and fragmentation. Once we know more about risk, severity, exploitation factor etc. I will update you all. 

0 Kudos
Amir_Ayalon
Employee
Employee

Hi

There are several CVE there which are based on the 802.11 standard design, (and flaws) which are related to the way the standard handles frame aggregation and fragmentation.

We are working with the WiFi Vendor, and once fixes will be available, we will deploy them.

First analysis suggest you may be vulnerable only in close proximity as the described attacks can only carried out from the internal wireless network and therefore require physical proximity.   

Steffen_Appel
Advisor

Any updates? Many other companies already provude fixes.

0 Kudos
PhoneBoy
Admin
Admin

I assume you have a TAC case open on this, correct?

0 Kudos
Steffen_Appel
Advisor

No, I was referring to Amir, who said, that CP is working with the vendors on it.

0 Kudos
Amir_Ayalon
Employee
Employee

Hi Guys

TAC was updated, so i wonder why the message didn't convey..

Anyway -

we have a fix ready, and it will be available on the next SMB release. (R80.20.30 - around the first week of July)

If your need a solution sooner, we can deliver a jumbo fix on top of R80.20.25. please contact TAC

Thanks

 

Naftali_Oziel
Collaborator

Hi Amir aware for R80.20. for CP 1500 series +  

My inquiry is specific to R77.20.87 for those that are still running on CP1400 series??  did open with TAC and it's unknown?

0 Kudos
Steffen_Appel
Advisor

Hi Amir,

thank you for the update!

 

What about the 1400s (77.20.87) and the 1100s (77.20.80), which are both still covered by support?

 

Is there any SK for these issues?

 

Naftali_Oziel
Collaborator

Amir, does this apply for SMB 1400 series appliances that also have the integrated WiFi.  I see talks about 1500 series hope no one is forgetting the others. 

 

Pls advise.

0 Kudos
pnormanmtvh
Participant

The TAC case for this is: 6-0002681820

the_rock
Mentor
Mentor

Did they say anything? I also looked at below link, but cant find much for this

 

2021 | Check Point Software

0 Kudos
Naftali_Oziel
Collaborator

no info as of yet from CP.

0 Kudos
the_rock
Mentor
Mentor

I would definitely bring that up to someone in TAC, because any vendor should and must have response to things like this.

Naftali_Oziel
Collaborator

already did...but it's no show response or unknown response for now.

hodesa
Employee
Employee

Hi all, I am happy to share with you sk173718. As you can see the severity is low and has been fixed.

Enjoy! 

XBensemhoun
Employee
Employee

@Naftali_Oziel , @pnormanmtvh you have your answer

Information Security enthusiast, CISSP, CCSP
0 Kudos
pnormanmtvh
Participant

Thanks all for the discussion and responses,

So as I understand it to mitigate these wi-fi vulnerabilities we can upgrade our 1590's to either:

It is likely that we will upgrade directly up to R80.20.30 due to Build 992002136 not appearing as a valid build on the sk171824 page.

Thanks

0 Kudos
pnormanmtvh
Participant

Incidentally, will Checkpoint be responding publicly to the ICASI statement with the fixes located at: https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/ ?

0 Kudos
PhoneBoy
Admin
Admin

Yes, either is fine.

0 Kudos
Naftali_Oziel
Collaborator

Thanks for the 700/900/1400 firmware why is it older than the current GA?  Does that make sense?

0 Kudos
Amir_Ayalon
Employee
Employee

it's not older

its a jumbo_hf based on  latest jumbo release.

sequence number is different because it's a different branch (until a new public jumbo GA will be available)

 

Naftali_Oziel
Collaborator

Ok so it contains all fixes from B3083 GA?

0 Kudos
Amir_Ayalon
Employee
Employee

yes

0 Kudos
Steffen_Appel
Advisor

Thank you, no fix for the 1100s?

0 Kudos
Steffen_Appel
Advisor

Will there be a fix for the 1100s?

0 Kudos
Amir_Ayalon
Employee
Employee

Hi Steffen

to fix it a patch is needed from the WiFi Vendor. for the 1100, the driver is very old, and doesn't get frequently updated, so currently, there is no fix. if things will change, I'll update.