Check Point response to OpenSSL CVE-2022-0778 (possible infinite loop when parsing ECDSA certificates/keys)

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk178411
Technical Level
Severity	High
Product	Site to Site VPN, Remote Access VPN, Mobile Access / SSL VPN, HTTPS Inspection, Quantum Security Management, Multi-Domain Security Management, Quantum Edge, Quantum Scalable Chassis, Quantum Maestro, Quantum Spark Appliances, CloudGuard Network for AWS
Version	R80.40, R81, R81.10, R81.20
Date Created	17-Mar-2022
Last Modified	20-Dec-2022

Symptoms

A vulnerability was found in OpenSSL, making it possible to trigger an infinite loop by crafting a certificate with invalid explicit curve parameters. Because certificate parsing occurs before verification of the certificate signature, a process that parses an externally supplied certificate could be subject to a denial of service attack.
For more information, refer to CVE-2022-0778.
The indications of the issue are:
- High CPU use
- Stuck processes and services

Solution

This problem was fixed. The fix is included starting from:

Hotfixes for OpenSSL CVE-2022-0778 are provided on top of:

R81.10 Jumbo Hotfix Accumulator General Availability Take 30
R81 Jumbo Hotfix Accumulator General Availability Take 58 and Take 60
R80.40 Jumbo Hotfix Accumulator General Availability Take 154
R80.30 Gateway with Gaia 3.10 Jumbo Hotfix Accumulator General Availability Take 246
R80.30 Jumbo Hotfix Accumulator General Availability Take 246
R80.20 Jumbo Hotfix Accumulator General Availability Take 205

Check Point is working on new Jumbo Hotfix Accumulators with a fix for this issue. This SecureKnowledge article will be updated accordingly.
This issue does not apply to SMB appliances running Gaia Embedded R77.20.xx.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating