
Preemptive Protection against TLS and SSL Spoofing Vulnerability


Check Point Reference: CPAI-2010-020
Date Published:
Preemptive Since:
Severity:
Last Updated:
Source: Microsoft Security Advisory (977377)
Microsoft Security Bulletin MS10-049
Industry Reference(s): CVE-2009-3555
Protection Provided by: Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
Who is Vulnerable?
Microsoft Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Server 2003 with SP2 (Itanium)
Windows Vista
Windows Vista SP1
Windows Vista SP2
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems SP2
Windows Server 2008 (Itanium)
Windows Server 2008 (Itanium) SP2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 (Itanium)
Vulnerability Description
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols that provide security for communications over networks. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.
A spoofing vulnerability exists in multiple implementations of these protocols. The TLS and SSL protocols fail to properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL. A remote attacker can leverage this vulnerability to execute an HTTP transaction authenticated by a legitimate user.
Vulnerability Details
The vulnerability is due to a flaw in the renegotiation mechanism of the TLS protocol. A remote attacker may exploit this issue by sending an unauthenticated request that the server processes retroactively in the post-renegotiation context, as though it had come from the authenticated client. Successful exploitation of this issue may allow the attacker to execute a man-in-the-middle attack.

Protection Overview
This protection will detect and block attempts to exploit this vulnerability.
The TLS Renegotiation protection detects and blocks all TLS renegotiation traffic.
The TLS Client Initiated Renegotiation protection detects and blocks client initiated TLS renegotiation requests.
No update is required to address this vulnerability.

Users are protected against this vulnerability if the protection against SSL and TLS Protocols Renegotiation Vulnerability found in the Protection section of SBP-2009-23 has been applied.
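The description above (a handshake record arriving on an already-established connection, which the TLS Client Initiated Renegotiation protection flags) and the RFC 5746 secure-renegotiation signalling that patched clients advertise can both be checked on a packet capture. The following Python script is an added illustration and is not Check Point's code nor the logic of the protections described on this page. It assumes TLS 1.0 to 1.2, where record headers stay in clear text after ChangeCipherSpec so a middlebox can still see the content type; TLS 1.3 removed renegotiation entirely. The byte streams it analyses are constructed inline, with the client's direction already separated out.

```python
import struct

# TLS record content types and handshake constants (RFC 5246 / RFC 5746).
RECORD_CCS = 20
RECORD_HANDSHAKE = 22
RECORD_APPDATA = 23
HS_CLIENT_HELLO = 1
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # signalling cipher suite value
EXT_RENEGOTIATION_INFO = 0xFF01              # renegotiation_info extension


def parse_records(data):
    """Split a raw TLS byte stream into (content_type, payload) tuples."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        records.append((ctype, payload))
        off += 5 + length
    return records


def client_hello_secure_reneg(payload):
    """Return (scsv_present, extension_present) for a plaintext ClientHello."""
    if payload[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    off = 2 + 32                                   # client_version + random
    off += 1 + body[off]                           # session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                           # compression_methods
    has_ext = False
    if off + 2 <= len(body):                       # extensions block is optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            has_ext = has_ext or etype == EXT_RENEGOTIATION_INFO
            off += 4 + elen
    return TLS_EMPTY_RENEGOTIATION_INFO_SCSV in suites, has_ext


def analyze_client_stream(data):
    """Report RFC 5746 signalling and any client-initiated renegotiation.

    State machine: 'handshake' -> (ChangeCipherSpec) 'finished_pending'
    -> (the encrypted Finished) 'established'. Any further handshake record
    from the client once established is a renegotiation attempt.
    """
    result = {"secure_renegotiation_scsv": False,
              "renegotiation_info_extension": False,
              "renegotiation_record_indexes": []}
    state = "handshake"
    for idx, (ctype, payload) in enumerate(parse_records(data)):
        if state == "handshake" and ctype == RECORD_HANDSHAKE and payload[0] == HS_CLIENT_HELLO:
            scsv, ext = client_hello_secure_reneg(payload)
            result["secure_renegotiation_scsv"] = scsv
            result["renegotiation_info_extension"] = ext
        if ctype == RECORD_CCS:
            state = "finished_pending"
        elif ctype == RECORD_HANDSHAKE and state == "finished_pending":
            state = "established"                  # this record is the Finished message
        elif ctype == RECORD_HANDSHAKE and state == "established":
            result["renegotiation_record_indexes"].append(idx)
    return result


# --- constructed sample data (not captured traffic) -------------------------
def _record(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def _client_hello(suites, extensions):
    body = b"\x03\x03" + bytes(32) + b"\x00"       # version, zero random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


# Patched client: advertises both RFC 5746 signals, then renegotiates after app data.
SAMPLE_RENEGOTIATING_CLIENT = (
    _record(RECORD_HANDSHAKE, _client_hello([0xC02F, 0x00FF], [(EXT_RENEGOTIATION_INFO, b"\x00")]))
    + _record(RECORD_CCS, b"\x01")
    + _record(RECORD_HANDSHAKE, bytes(40))          # encrypted Finished (opaque)
    + _record(RECORD_APPDATA, bytes(64))
    + _record(RECORD_HANDSHAKE, bytes(160))         # handshake on an established session
)
# Unpatched client: no RFC 5746 signals, and no renegotiation.
SAMPLE_QUIET_CLIENT = (
    _record(RECORD_HANDSHAKE, _client_hello([0xC02F], []))
    + _record(RECORD_CCS, b"\x01")
    + _record(RECORD_HANDSHAKE, bytes(40))
    + _record(RECORD_APPDATA, bytes(64))
)

if __name__ == "__main__":
    for name, stream in (("renegotiating", SAMPLE_RENEGOTIATING_CLIENT), ("quiet", SAMPLE_QUIET_CLIENT)):
        print(name, analyze_client_stream(stream))
```

A non-empty renegotiation_record_indexes list corresponds to what the TLS Client Initiated Renegotiation protection blocks; a ClientHello that carries neither the SCSV nor the renegotiation_info extension belongs to a client that has not been updated for RFC 5746, which is useful when deciding how strict to make the protection's action.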

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > VPN Protocols > SSL and TLS.
2. In the right pane, double-click the TLS Renegotiation and TLS Client Initiated Renegotiation protections.
3. In the Protection Details window, click Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SSL and TLS Protocol Protection
Attack Information:
TLS renegotiation
TLS client initiated renegotiation

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > VPN Protocols > SSL and TLS.
2. Select the following protections:

TLS Renegotiation
TLS Client Initiated Renegotiation

3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SSL and TLS Protocol Protection
Attack Information:
TLS renegotiation
TLS client initiated renegotiation