CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs

  1. #1
    Join Date
    2006-09-26
    Posts
    3,068
    Rep Power
    15

    Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs

    Anyone know how this will impact Intel-based Check Point appliances and Intel Open Servers running Gaia R77.30? https://www.pcworld.com/article/3245...ts-pc-mac.html

  2. #2
    Join Date
    2014-09-02
    Posts
    327
    Rep Power
    10

    Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs

    Please don't read this as an argument that this shouldn't be a concern. Rather, it's just the perspective of an optimist interested in avoiding unnecessary knee-jerk reactions...

    While I won't claim any insight into the vulnerability itself (as details are fortunately being held back publicly until fixes are available), I tend not to worry about it too much on the firewall end. I'll explain why, and invite lively discussion (as long as it's not just argumentative for the purpose of being argumentative). I'm sure Check Point will have their own response very soon, either confirming or refuting my take on things, and offering explanations, advice, and recommendations as necessary.

    It was very common 20 years ago to run CP firewalls on Solaris and Windows. While it may sound absurd today, IPSO was in its infancy, and Linux/SPLAT/Gaia weren't yet options. When IPSO did become readily available, its advantage wasn't security, but rather VRRP (for clustering without StoneBeat), better routing, and improved stability. Yes, obscurity leads to fewer exploits (see MacOS and OSX), but simplicity also makes an OS less susceptible to vulnerabilities. The biggest PITA with Windows NT was the memory leaks (and other common issues) which led to needing to reboot every other week or so. While the more complex "server" operating systems may have had plenty of security holes, a good firewall policy (or even just a simple stealth rule) should protect the OS itself.

    I bring that up, because I expect (and yes, this may be just wishful thinking) that this current CPU vulnerability will be less of a concern for the common firewall. Simple stateful inspection makes decisions without really allowing for code or data to enter the CPU in a meaningful way. A simple policy blocking or accepting traffic shouldn't open a CPU up to much. Maybe the key is to think of the firewall as somewhat of a "closed system".

    I expect (without any data on this particular issue to back me up) that this vulnerability will be of great concern on systems/OS's that allow arbitrary code execution, like standalone PCs, servers, [Intel-based] tablets, and cloud environments like AWS and Azure.

    That said, it will be interesting to hear details of the vulnerability, and whether it can be exploited by data that finds its way into the kernel. That could be interesting for blades like AV/DLP/etc. Again, I don't expect this to be an issue, but even if it is, it should be patchable. I'll definitely be keeping a close eye on things.

    -E

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,103
    Rep Power
    12

    Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs

    Check Point just posted their response to this:

    sk122205: Check Point Response to Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  4. #4
    Join Date
    2006-09-26
    Posts
    3,068
    Rep Power
    15

    Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs

    Quote Originally Posted by ShadowPeak.com
    Check Point just posted their response to this:

    sk122205: Check Point Response to Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
    I am bothered by this statement in sk122205: "Since code execution privileges on Check Point appliances is to be provided to administrators only, these privilege escalation attacks are of lower relevance to Check Point appliances."

    Does it mean that running Check Point Gaia on open servers is not the same as running on Check Point appliances? After all, they both use Intel CPUs.

  5. #5
    Join Date
    2007-06-04
    Posts
    3,249
    Rep Power
    15

    Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs

    Quote Originally Posted by cciesec2006
    I am bothered by this statement in sk122205: "Since code execution privileges on Check Point appliances is to be provided to administrators only, these privilege escalation attacks are of lower relevance to Check Point appliances."

    Does it mean that running Check Point Gaia on open servers is not the same as running on Check Point appliances? After all, they both use Intel CPUs.
    I would put it down to poor English (anyone that has done the exams will know where I'm coming from!).

    I would suspect that, as this is a HARDWARE CPU vulnerability as opposed to a straight OS-level one, they are responding around the appliances, as Check Point supply those, whereas they don't supply the Dell/HP/IBM etc. systems.

    In terms of this vulnerability then Gaia on OpenServer and Gaia on Appliance should be the same in terms of response.

  6. #6
    Join Date
    2014-09-02
    Posts
    327
    Rep Power
    10

    Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs

    Quote Originally Posted by mcnallym
    In terms of this vulnerability then Gaia on OpenServer and Gaia on Appliance should be the same in terms of response.
    Agreed. As incorrect as it may be, Check Point often seems to refer to "open server" as another form of "Check Point appliance". Maybe they see an open server install as assimilating the device, and making it effectively a Check Point box.

    -E

  7. #7
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    122
    Rep Power
    11

    Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and Macs

    Quote Originally Posted by cciesec2006
    Anyone know how this will impact Intel-based Check Point appliances and Intel Open Servers running Gaia R77.30? https://www.pcworld.com/article/3245...ts-pc-mac.html
    Code execution is required for these attacks to do anything.

    These attacks exploit intended behavior in almost all modern processors related to branch prediction and speculative execution. The mechanism of action is fascinating.

    Modern processors use very long instruction pipelines. They have to keep the pipeline filled to work efficiently and at speed. One trick employed since the 90s has been branch prediction. Take this simple branch:

    if (condition A)
    then { run code B }
    else { run code C }

    With branch prediction, the processor will guess one of the branches (or both in some cases), then start executing it before the conditional test has returned. When the conditional returns, the work is either continued or discarded. The problem is the processor already read some data into its cache to start running the branch it guessed. That cache does not get flushed if the branch is not selected. This is working as designed, because the security implications of leaving the cache data were not really considered. Essentially, they let you use the processor's cache as a proxy to read arbitrary target memory from other processes.

    There should be no impact on firewalls. They aren't supposed to be executing arbitrary code which passes through them. If they do, that is the security flaw more than what an attacker can do with that privilege.

    The impact on virtualization hosting platforms is significant. With these attacks, one process can read memory which belongs to another process. On VM hosting platforms, "processes" are entire VMs. This could be significant for externally-hosted systems (read: on "cloud" providers) as well as for local VMs you intend to run arbitrary code (read: threat emulation boxes).

    On external hosting environments, you don't control (or even know) what other customers of the provider have VMs on the same host you do. An attacker can use a stolen credit card to pay for thousands of small AWS instances which will end up distributed across a large number of hosts. The attacker could then use these attacks from all of the guests to read memory from your guest. This kind of attack cannot be effectively targeted without insider knowledge, but an attacker is likely to find at least some valuable data everywhere he looks. "Cloud" hosting is incredibly expensive, so companies don't spin up VMs for no reason.

    On threat emulation systems, this could conceivably be used to find information about the host which could allow something in the guest to compromise it. This risk exists, but is probably minimal.
    Zimmie
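Since the thread's practical question is whether a given Gaia host is exposed to the three CVEs sk122205 lists, here is an added check (not from the thread, Check Point or the SK) that reads the Linux kernel's own Meltdown/Spectre mitigation report and turns it into a verdict. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later, plus vendor backports); kernels that predate that interface, such as the one in Gaia R77.30, have no such directory, and the script reports "unknown" rather than a false "safe".

```shell
#!/bin/sh
# Added example: classify the kernel's self-reported Meltdown/Spectre state.
# VULN_DIR defaults to the real sysfs path; override it to test on constructed files.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<sysfs line>" -> prints safe | partial | vulnerable | unknown
# Kernel wording: "Not affected", "Mitigation: <name>", "Vulnerable", or
# "Vulnerable: <partial mitigation>" (e.g. "Vulnerable: Minimal generic ASM retpoline").
classify_status() {
    case "$1" in
        "Not affected")   echo safe ;;
        "Mitigation: "*)  echo safe ;;
        "Vulnerable: "*)  echo partial ;;
        Vulnerable)       echo vulnerable ;;
        *)                echo unknown ;;   # missing file or unrecognised text: do not assume safe
    esac
}

# check_cve <sysfs entry name> -> prints "name<TAB>verdict<TAB>raw"; exit 0 only if safe
check_cve() {
    name="$1"
    f="$VULN_DIR/$name"
    if [ -r "$f" ]; then
        raw=$(cat "$f")
    else
        raw="(not reported: kernel lacks $f)"
    fi
    verdict=$(classify_status "$raw")
    printf '%s\t%s\t%s\n' "$name" "$verdict" "$raw"
    [ "$verdict" = safe ]
}

# check_all -> checks the three entries matching sk122205's CVEs;
# exit status is the number of entries that are not reported as safe.
check_all() {
    bad=0
    # meltdown = CVE-2017-5754, spectre_v1 = CVE-2017-5753, spectre_v2 = CVE-2017-5715
    for v in meltdown spectre_v1 spectre_v2; do
        check_cve "$v" || bad=$((bad + 1))
    done
    return "$bad"
}

check_all
echo "entries not reported as safe: $?"
```

A non-zero count on a Gaia host is a prompt to compare the running kernel and hotfix level against the SK, not proof of exposure by itself, since the kernel only reports what it knows about.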
