This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thin
Contributor
‎2020-09-10 04:55 AM

Signature for CVE-2020-1968

Jump to solution

Hello

Is it possible to have a signature for CVE-2020-1968 in Check Point IPS?

I think it cannot because Check Point cannot inspect a key between a connection.

If you have more information, please recommend me.

 

Thank you.

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend
Legend
‎2020-09-10 07:42 AM

Jump to solution

Are you sure you need it ? The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v) (From https://nvd.nist.gov/vuln/detail/CVE-2020-1968).

According to CP sk92447 Status of OpenSSL, GAiA uses at least version 1.1.0d.

CCSE CCTE SMB Specialist

View solution in original post

2 Replies
G_W_Albrecht
Legend
Legend
‎2020-09-10 07:42 AM

Jump to solution

Are you sure you need it ? The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v) (From https://nvd.nist.gov/vuln/detail/CVE-2020-1968).

According to CP sk92447 Status of OpenSSL, GAiA uses at least version 1.1.0d.

CCSE CCTE SMB Specialist
PhoneBoy
Admin
Admin
‎2020-09-12 03:05 PM

Jump to solution

Given that a key is being reused across multiple connections, I don’t believe this is feasible to write a signature for.
However, that’s just my personal take.