This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
anstelios
Collaborator
‎2020-07-08 11:59 PM
Jump to solution

INFO - https sites not working, zdebug errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER

zdebug drop shows errors PSL Drop: MUX_PASSIVE and PSL Drop: TLS_PARSER and https sites were not working on several environments due to IPS protection "openssl padding oracle information disclosure" that was updated on 7/8/2020.

Disabling this protection resolves the issue.

1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2020-07-09 05:14 AM
Jump to solution

IPS update has been replaced. It is now safe to update.

View solution in original post

14 Replies
_Val_
Admin
Admin
‎2020-07-09 12:10 AM
Jump to solution

"zdebug" is a macros that only sends debug flags to fw module, if used without additional efforts, as "fw ctl zdebug drop". In R80.x fw module does not do much. You need to debug KISS and UP.

It is better to involve TAC in your case.

0 Kudos
Ruan_Kotze
Advisor
‎2020-07-09 12:12 AM
Jump to solution

Thanks for this - got several customers affected by this.  Can confirm that disabling the protection restores internet access.

0 Kudos
_Val_
Admin
Admin
‎2020-07-09 12:15 AM
In response to Ruan_Kotze
Jump to solution

Please raise TAC case for this, thanks

0 Kudos
Ruan_Kotze
Advisor
‎2020-07-09 12:33 AM
In response to _Val_
Jump to solution

Hi All,

Have engaged TAC - but also received the following update from my CP SE:

The problematic updates are:
634204548 or 635204548

The impact:
- After IPS update, many drops observed (via fw ctl zdebug + drop on CLI)
dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
- The following may be seen in /var/log/messages:
kernel: [fw4_4];ips_gen_dyn_log: malware_policy_global_send_log() failed
- High CPU utilization and traffic impact

Short term remediation:
1. Re-enable IPS on the gateway object if it was disabled as a workaround.

2. Ensure that updates are not set to automatic gateway updates. (See sk120255 for more info)
a. Open Gateway Object in SmartConsole
b. Go to IPS tab (blade must be enabled)
c. Under "IPS Update Policy" select "Use IPS management updates"

3. Revert to previous good IPS database update
a. Under the "Security Policies" tab, select Threat Prevention or IPS policy
b. Under "Threat Tools" (left hand side) select "Updates"
c. Click the arrow next to "Update Now" and select "Switch to version..."
d. Select a previous version that is not 634204548 or 635204548 and click "Switch" (note it may take some time for the previous versions to populate if there are many previous versions. Look at the top right of the dialogue box where it says "# items")
e. Update will be pushed to gateways
f. Clear any scheduled updates from the "scheduled updates" option

4. Turn on IPS on the gateway if "IPS off" command was used to disable IPS via the CLI and test traffic.

Best practices for updates and IPS implementation:
This document (while it is specified for R80.10, it is still relevant for newer versions) contains our best practices recommendations about IPS profile implementation, and update best practices. https://sc1.checkpoint.com/documents/Best_Practices/IPS_Best_Practices/CP_R80.10_IPS_Best_Practices/...

Alternately, disabling TLS parsing for IPS is a secondary workaround. However, this degrades IPS protections and is therefore not the recommended path at this time. Nonetheless, if customers are experiencing severe issues, they can use this command on the gateway:
fw ctl set int tls_parser_enable 0

0 Kudos
Vincent_Bacher
Advisor
Advisor
‎2020-07-09 05:22 AM
In response to Ruan_Kotze
Jump to solution

We were facing this issue at a customers installation today as well.
After opening sr we got update, that IPS versions 634204548 or 635204548 are affected. We reverted to 635204525 and the issue persisted.

As we did not want to try and error we now have disabled this protection and now the issue is gone for now.

Now we're waiting for the next update (and reply from sr owner)

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
_Val_
Admin
Admin
‎2020-07-09 01:00 AM
Jump to solution

Hello, we are aware of the issue and are working to provide a fix for it.

Meanwhile, if you are affected, please use the following steps for short term remediation:


1. Re-enable IPS on the gateway object if it was disabled as a workaround.

2. Ensure that updates are not set to automatic gateway updates. (See sk120255 for more info)

a. Open Gateway Object in SmartConsole
b. Go to IPS tab (blade must be enabled)
c. Under "IPS Update Policy" select "Use IPS management updates"

3. Revert to previous good IPS database update

a. Under the "Security Policies" tab, select Threat Prevention or IPS policy
b. Under "Threat Tools" (left hand side) select "Updates"
c. Click the arrow next to "Update Now" and select "Switch to version..."
d. Select a previous version that is not 634204548 or 635204548 and click "Switch" (note it may take some time for the previous versions to populate if there are many previous versions. Look at the top right of the dialogue box where it says "# items")
e. Update will be pushed to gateways
f. Clear any scheduled updates from the "scheduled updates" option

4. Turn on IPS on the gateway if "IPS off" command was used to disable IPS via the CLI and test traffic.

 

Alternately, disabling TLS parsing for IPS is a secondary workaround. However, this degrades IPS protections and is therefore not the recommended path at this time. Nonetheless, if customers are experiencing severe issues, they can use this command on the gateway:

fw ctl set int tls_parser_enable 0

 

0 Kudos
Danny
Champion Champion
Champion
‎2020-07-09 01:31 AM
In response to _Val_
Jump to solution

🤐

0 Kudos
Rahul_Borah
Contributor
‎2020-07-09 04:17 AM
Jump to solution

I am also facing the same issue after active the OpenSSL Padding Oracle Information Disclosure (CVE-2016-210).

After disabling this protection resolves the issue.

 

Regards,

R.B

0 Kudos
_Val_
Admin
Admin
‎2020-07-09 05:14 AM
Jump to solution

IPS update has been replaced. It is now safe to update.

Eduardo_Eiros
Contributor
‎2020-07-09 09:19 AM
In response to _Val_
Jump to solution

Hello

First question: in which package is the IPS protection CPAI-2016-0349 updated and fixed?

Second question: why is not an official advisory regarding this issue? Impact has been huge

Regards

StackCap43382
Collaborator
Collaborator
‎2020-07-09 10:48 AM
In response to _Val_
Jump to solution

Anyone having this update propagate?

I'm mashing update and still 635204548.

CCSME, CCTE, CCME, CCVS
0 Kudos
Albert_Wilkes
Collaborator
‎2020-07-09 08:22 AM
Jump to solution

Just FYI

Due to the high performance impact this will affect customers with a "strict" or custom IPS profile only:

 

image.png

 

Oddly enough my colleague's lab system has this very protection as "low confidence"

 
0 Kudos
phlrnnr
Advisor
‎2020-07-09 08:47 AM
Jump to solution

Yeah, that was a nasty one.

0 Kudos
Danny
Champion Champion
Champion
‎2020-07-10 02:29 AM
In response to phlrnnr
Jump to solution

Check Point has finally released sk167939 which describes the issue and solution.
It also outlines that Check Point will improve their QA testing.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events