There have been identified 3 related vulnerabilities found in the Linux Kernel. Whilst Check Point provide their own Customised Operating System in the form of Gaia and Gaia Embedded the underlying Operating System that Check Point customise and harden is Linux based.
The Linux kernel is vulnerable to an integer overflow in the 16 bit width of TCP_SKB_CB(skb)->tcp_gso_segs. A remote attacker could exploit this to crash the system and create a Denial Of Service.
The Linux kernel is vulnerable to a flaw that allows attackers to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. An attacker might be able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection. This could cause the CPU to spend excessive time attempting to reconstruct the list creating a Denial Of Service.
The Linux kernel is vulnerable to a flaw that allows attackers to send a crafted packets with low MSS values to trigger excessive resource consumption. An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data. This drastically increases the bandwidth required to deliver the same amount of data. Further, it consumes additional resources (CPU and NIC processing power). This attack requires continued effort from the attacker and the impacts will end shortly after the attacker stops sending traffic. While this attack is ongoing, the system will work at reduced capacity resulting in a Denial Of Service for some users.
Of these then Check Point products are only vulnerable to the first two vulnerabilities. Check Point products are not vulnerable to the third vulnerability due to Check Point using different code release in the Kernel Compilation that does not contain the vulnerability.
- CVE-2019-11477 - The following releases are vulnerable:
- R80.10 Security Management on Smart-1 appliances
- R80.20 Security Management
- R80.30 Security Management
- R80.20_3.10 (CloudGuard)
- R80.30_3.10 (16000/26000)
- SMB (700/1400/1200R)
- CVE-2019-11478 - All Check Point releases are vulnerable (as this already exists in Linux for many years).
- CVE-2019-11479 - Check Point is not vulnerable to this CVE (Check Point do not compile with the vulnerable code).
Check Point are in the process of delivering patches as part of their Jumbo Hotfix Availability releases and the current status is as follows
- R77.30 Security Management and Gateway - Jumbo Hotfix Accumulator for R77.30 (R77_30_jumbo_hf) - Take_351 (and higher).
- R80.10 Security Management and Gateway - Download and install R80.10 TCP SACK PANIC Hotfix.
The Hotfix should be installed on top of R80.10 JHF Take_203.
- R80.20 Security Management and Gateway - Jumbo Hotfix Accumulator for R80.20 (R80_20_jumbo_hf) Take_87 (and higher).
- R80.30 Security Management and Gateway - Jumbo Hotfix Accumulator for R80.30 (R80_30_jumbo_hf) - Take_19 (and higher).
- R80.20_3.10 (CloudGuard) - In progress.
- R80.30_3.10 (16000/26000) - In progress.
- Maestro - Jumbo Hotfix Accumulator for R80.20SP - Take_105 (and higher).
- SMB (700/1400/1200R) - Contact Check Point Support to get a Hotfix for this issue. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
- High End (R76SP) - Jumbo Hotfix Accumulator for R76SP.50 - Take_196 (and higher) .
Please note that the installation of Jumbo Hotfix Accumulators will require reboots of the Appliance being patched.
Please also note that other then for R80.10 then these Jumbo Hotfix Accumulators are Ongoing and not General Availability and so will not show up under the CPUSE section of the GAiA Portal for updating.
If you decide to patch with the Ongoing Jumbo Hotfix Accumulator then you will need to use the above links to go to the appropriate SK article for the release Jumbo Hotfix Accumulator and get the Identifier to add to the CPUSE manually.
Is the Knowledgebase Article that Check Point have published and as they update further patches then this is where they will be updating the information.
It is expected that these patches will become part of the General Availability Jumbo Hotfix Accumulators and that will be updated on the above Knowledgebase Article.
600/1100 Appliances Only:
For Customers using 600/1100 Check Point SMB Appliances then you are advised to upgrade to R77.20.80
and then raise a Support Call to obtain the necessary patch to protect the 600/1100 Appliance.
Work Around Mitigation:
Until a code fix is available for the release you are using, it is advised to disable the TCP SACK feature system wise, at least for internet-facing machines.
Log in to Expert mode and run the following:
echo 0 > /proc/sys/net/ipv4/tcp_sack
In order to make the change persistent after reboot, add the following lines in /etc/rc.local (for SMB /pfrm2.0/etc/platformInit should be used instead of /etc/rc.local):
#Disable TCP SACK
sysctl -w net.ipv4.tcp_sack=0
Note: Disabling SACK can have an impact on performance (depending on the packet-loss rate) for the local connections only.
Once you deploy the Patches via the Jumbo Hotfix Accumulator or the Patch for the SMB Appliances then you should remove these from the Systems.
To reverse, run:
echo 1 > /proc/sys/net/ipv4/tcp_sack
If you added the "#Disable TCP SACK" lines suggested above for making the changes persistent after reboot, remove them after installing the fix
Written by Michael McNally, TSC Network & Security Consultant