CheckPoint’s Firewall systems at risk of Shellshock Bash attacks

Companies should check whether their CheckPoint system’s has the widespread vulnerability

The Shellshock Bash bug was found in a typical CheckPoint system’s Admin panel (WebUI), opening up the possibility that many more of the business information security systems could be vulnerable if attacked.

The vulnerability exist at the CheckPoint firewall system’s administrative WebUI, DHCP component and more firewall’s system modules and affected all the CheckPoint Firewall’s versions of the Gaia, SecurePlatform, SecurePlatform 2.6, IPSO 6.2 and Gaia Embedded platforms and all appliance lines: 2012 models, Smart-1, Threat Emulation, UTM-1, Power-1

The bug uncovered this week in a widely used component of Linux, Unix and Mac OS X was found in the largest firewall vendor’s – CheckPoint Admin panel. Alexey Baltacov, Network Security Architect at Frogteam|Security, said Sunday “Because many vendors use similar servers, the vulnerability is likely widespread”.

Baltacov declined to expose the vulnerable path in the system but also said:

“I’m pretty sure that there are a bunch of them (vendors), if not a lot of them, that you can be also exploitable”.


A CheckPoint OS platform and the Admin panel, which often runs on Unix or Linux, is the main component of a CheckPoint Firewall system for managing and configuring the firewall hardware in the organization.

Many CheckPoint Firewalls hardware and servers run GNU Bash, which is the component with the critical flaw.

Bash, which stands for Bourne Again Shell, is the default command shell for the operating system.
The bug lets an attacker trick Bash into executing malicious command code by sending it via the Common Gateway Interface, an underlying component of the CheckPoint firewall’s administrative interface.

Eran Goldstein, Senior Cyber security and malware researcher at ZIMPERIUM said:

“Depending on the architecture of the firewall system, an attacker could manage and reconfigure all firewall hardware and  servers and gain access to a company’s internal network. Even if he you don’t have the username and password (for the Firewall server’s admin panel), he still can exploit the vulnerability. Also, once inside the firewall system’s admin panel, an hacker could infect components inside the organization network and IT environment.”


Security researchers reported Thursday that hackers were trying to exploit Shellshock in Web servers. On Friday, firewall vendor Incapsula reported that in a 12-hour period, it recorded 725 attacks per hour against a total of 1,800 domains.

“This is pretty high for a single vulnerability,” Tim Matthews, vice president of marketing at Incapsula, said.

The attacks originated from 400 unique IP addresses. More than half of the attacks started from China and the U.S.

In general, the attackers were running automated scripts from compromised servers in existing botnets in an attempt to add more systems to the network. Several botnet operators were using re-purposed distributed denial of service (DDoS) bots in an attempt to exploit Shellshock.

Checkpoint respond in the company official website:

The OS WebUI may be susceptible to environment changes caused by the Shellshock exploit. At the time of Sep 2014, Check Point is not aware of any exploit on its solutions.


From CheckPoint website:

A Hotfix package is currently available for R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, and R77.20.

This Hotfix package is relevant to the main appliances lines: 2012 models, Smart-1, Threat Emulation, UTM-1, Power-1. For other appliances, see the relevant section below.

For other versions – R65, R70.20, R71.20, R75.10, R75.20 and R75.30, use the Early Availability (EA) solution below. A General Availability (GA) solution will be published within the week of September 29th.




Credit: Frogteam|Security

One thought on “CheckPoint’s Firewall systems at risk of Shellshock Bash attacks

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s