Masek
Contributor

Zero Phishing and iOS 18.4: Captive Portal Problem

Hi,

if you have R82 and Zero Phishing active on a gateway (I know, not the most common setup), you may run into a problem I just had.

An iPhone or an iPad updated to iOS 18.4 will no longer be able to connect to a Wi-Fi that is secured by a firewall described above.

The culprit in this case: Zero Phishing:

curl http://captive.apple.com/

[HTML>[HEAD>[TITLE>Success[/TITLE>[/HEAD><BODY><script nonce="***">var zphInj="***"[/script>[script nonce="***" src='http://zero-phishing.iaas.checkpoint.com/zph/token_generator.php?api_key={***}' crossorigin>[/script>[script nonce="***" src='https://zerophishing.iaas.checkpoint.com/3/zp.js?api_key={***}' defer crossorigin>[/script>Success[/BODY>[/HTML>

(info: replaced all "<" by "[" to be able to post)

Prior to iOS 18.4, my iPhone had no problem with that reply, but with iOS 18.4 it hangs with this screen:

[Screenshot: Masek_0-1743524984283.png]

It no longer recognizes the "SUCCESS" due to the SCRIPT-Tag from Zero Phishing.

I don't need a solution, disabling the blade was a quick fix. I know how to create exceptions.

But I guess this will hit several people who don't know what hit them. As the update on iOS triggers this, I looked in Apple's direction first (and not completely wrong to do so). I opened an SR to give CP a heads up as I will not be the last one to stumble over this.

JHF was 12 in my case.

Yours, Martin

 

I don't know where I'm going, but I'm on my way
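
The symptom described in the post above can be checked from any client behind the gateway. This is an added example, not part of the original post and not Check Point or Apple code: it compares a probe response against the unmodified body and lists any script elements added in transit. The names `check_probe`, `ProbeParser`, `EXPECTED` and `SAMPLE_INJECTED` are hypothetical, and the expected body is assumed to be the post's output with the script elements removed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the unmodified probe body is the post's output minus the script elements.
EXPECTED = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"

# Constructed sample: the post's curl output with "[" turned back into "<";
# the "***" placeholders are kept exactly as posted.
SAMPLE_INJECTED = (
    '<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>'
    '<script nonce="***">var zphInj="***"</script>'
    "<script nonce=\"***\" src='http://zero-phishing.iaas.checkpoint.com"
    "/zph/token_generator.php?api_key={***}' crossorigin></script>"
    "<script nonce=\"***\" src='https://zerophishing.iaas.checkpoint.com"
    "/3/zp.js?api_key={***}' defer crossorigin></script>"
    "Success</BODY></HTML>"
)

class ProbeParser(HTMLParser):
    """Collects script elements and the text outside them."""
    def __init__(self):
        super().__init__()
        self.scripts, self.text, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            # Record where each script loads from, or that it is inline.
            self.scripts.append(urlparse(src).hostname if src else "inline")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script and data.strip():
            self.text.append(data.strip())

def check_probe(body):
    """Report whether a captive-portal probe response was rewritten in transit."""
    parser = ProbeParser()
    parser.feed(body)
    parser.close()
    return {"exact_match": body.strip() == EXPECTED,
            "injected_scripts": parser.scripts,
            "visible_text": parser.text}

if __name__ == "__main__":
    print(check_probe(SAMPLE_INJECTED))
```

Pass it the body returned by `curl http://captive.apple.com/` on the affected network; a response whose visible text is still "Success" but whose `exact_match` is false has been modified by an inline device.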
4 Replies
PhoneBoy
Admin

Appreciate you sharing this tidbit in case others run into it.
Hopefully it will be addressed in a future JHF.

Masek
Contributor

I am quite optimistic on that. This will cause a lot of SR cases. Advised my contacts in the support team on the incoming wave. I'm glad I ran into this one early, so it may do some good.

Sören
Employee

The workaround is to add an exception to the threat prevention policy.


1. Under "Custom Applications/Categories" -> Application/Site -> create an object, for example: AppleCaptive
2. Add "captive.apple.com" to the Application object "AppleCaptive".

[Screenshot: Bildschirmfoto 2025-04-03 um 13.57.51.png]

3. Create an exception

[Screenshot: Bildschirmfoto 2025-04-03 um 14.01.28.png]

 

Masek
Contributor

As I wrote, I know how to create an exception. This post was meant as something Google finds when you're looking for the problem. This has the potential to keep less experienced admins scratching their heads 😁.
