CVE-2004-2761 with ICA

GigaYang · ‎2024-03-11

Hi All,

Our R81 Gateway was found to have the vulnerability CVE-2004-2761 and needs to be replaced with a stronger SSL certificate.

However, looking at the details of the weak scan report, the problematic part seems to be related to the Internal CA (still using SHA-1), which means that the Internal CA may need to re-sign.

In addition to re-signing a certificate, is there any other way to solve the problem of ICA using SHA-1?

Thank you.

PhoneBoy · ‎2024-03-13

For background, see: https://support.checkpoint.com/results/sk/sk103840
You need to renew the ICA, which should change it to SHA-256: https://support.checkpoint.com/results/sk/sk43783

GigaYang · ‎2024-03-13

Hi Sir,

This vulnerability was discovered when Nessus scanned Gateway's TCP 443 Port, but when checking the GAiA Web Portal certificate through the browser, it was already using SHA-256.

Do you still need to regenerate ICA?

Thanks

PhoneBoy · ‎2024-03-14

While the Gaia portal might have a certificate with SHA-256 hash, that certificate is signed by a CA that uses a SHA-1 hash.
Therein lies the problem.
The only way to fix that is to regenerate the ICA.

GigaYang · ‎2024-03-14

Does sk147272 can solve this problem?

https://support.checkpoint.com/results/sk/sk147272

the_rock · ‎2024-03-14

Not sure it may fix the problem, but worth a try.

Andy

CaseyB · ‎2024-03-14

SSL cipher suites would be different than certificate hash algorithms.

Are you a member of CheckMates?

CVE-2004-2761 with ICA