This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GigaYang
Contributor
‎2024-03-11 03:11 AM

CVE-2004-2761 with ICA

Hi All,

Our R81 Gateway was found to have the vulnerability CVE-2004-2761 and needs to be replaced with a stronger SSL certificate.

However, looking at the details of the weak scan report, the problematic part seems to be related to the Internal CA (still using SHA-1), which means that the Internal CA may need to re-sign.

In addition to re-signing a certificate, is there any other way to solve the problem of ICA using SHA-1?

Thank you.

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2024-03-13 08:32 AM

For background, see: https://support.checkpoint.com/results/sk/sk103840 
You need to renew the ICA, which should change it to SHA-256: https://support.checkpoint.com/results/sk/sk43783 

0 Kudos
GigaYang
Contributor
‎2024-03-13 06:04 PM
In response to PhoneBoy

Hi Sir,

This vulnerability was discovered when Nessus scanned Gateway's TCP 443 Port, but when checking the GAiA Web Portal certificate through the browser, it was already using SHA-256.

Do you still need to regenerate ICA?

Thanks

Preview file
266 KB
Preview file
557 KB
PhoneBoy
Admin
Admin
‎2024-03-14 08:28 AM
In response to GigaYang

While the Gaia portal might have a certificate with SHA-256 hash, that certificate is signed by a CA that uses a SHA-1 hash.
Therein lies the problem. 
The only way to fix that is to regenerate the ICA.

(1)
GigaYang
Contributor
‎2024-03-14 11:56 AM
In response to PhoneBoy

Does sk147272 can solve this problem?

https://support.checkpoint.com/results/sk/sk147272

the_rock
Legend
Legend
‎2024-03-14 12:08 PM
In response to GigaYang

Not sure it may fix the problem, but worth a try.

Andy

0 Kudos
CaseyB
Collaborator
‎2024-03-14 12:18 PM
In response to GigaYang

SSL cipher suites would be different than certificate hash algorithms. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events