Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
GigaYang
Contributor

CVE-2004-2761 with ICA

Hi All,

Our R81 Gateway was found to have the vulnerability CVE-2004-2761 and needs to be replaced with a stronger SSL certificate.

However, looking at the details of the weak scan report, the problematic part seems to be related to the Internal CA (still using SHA-1), which means that the Internal CA may need to re-sign.

In addition to re-signing a certificate, is there any other way to solve the problem of ICA using SHA-1?

Thank you.

0 Kudos
6 Replies
PhoneBoy
Admin
Admin

For background, see: https://support.checkpoint.com/results/sk/sk103840 
You need to renew the ICA, which should change it to SHA-256: https://support.checkpoint.com/results/sk/sk43783 

0 Kudos
GigaYang
Contributor

Hi Sir,

This vulnerability was discovered when Nessus scanned Gateway's TCP 443 Port, but when checking the GAiA Web Portal certificate through the browser, it was already using SHA-256.

Do you still need to regenerate ICA?

Thanks

PhoneBoy
Admin
Admin

While the Gaia portal might have a certificate with SHA-256 hash, that certificate is signed by a CA that uses a SHA-1 hash.
Therein lies the problem. 
The only way to fix that is to regenerate the ICA.

(1)
GigaYang
Contributor

Does sk147272 can solve this problem?

https://support.checkpoint.com/results/sk/sk147272

the_rock
Legend
Legend

Not sure it may fix the problem, but worth a try.

Andy

0 Kudos
CaseyB
Advisor

SSL cipher suites would be different than certificate hash algorithms. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events