Check Point VPND IKE Fragment Handling Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the VPN service (VPND) of Check Point Security Gateways and Spark Firewalls. The issue arises when the service improperly processes an unexpected IKE fragment value received on the IKE port (500/UDP) during the initial stages of a connection attempt. The mishandling can terminate the service unexpectedly, causing a temporary disruption of VPN functionality; existing IPsec tunnels remain unaffected.
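
As an added illustration, not taken from Check Point's advisory and not a description of the actual defect (the advisory only names the affected component and the IPS protection "IKE Unsigned Underflow", not the internal bug), the following Python parser shows the defensive check that fragment handling of this kind calls for: validate the IKEv2 Fragment payload header fields before doing any length arithmetic on them, and reject out-of-range fragment numbers. The header layout (generic payload header followed by a 16-bit Fragment Number and a 16-bit Total Fragments, as in RFC 7383), the function names and the sample byte strings are assumptions constructed for the example. The `naive_data_length` helper mimics a C `uint16_t` subtraction to show how an unchecked length wraps instead of going negative.

```python
import struct

# Assumed layout (RFC 7383 Encrypted Fragment payload):
#   Next Payload (1) | C+Reserved (1) | Payload Length (2) | Fragment Number (2) | Total Fragments (2)
FRAG_HDR_LEN = 8
FRAG_HDR_FMT = "!BBHHH"


def unsigned16_sub(a, b):
    """Mimic C uint16_t subtraction: the result wraps modulo 2**16 rather than going negative."""
    return (a - b) & 0xFFFF


def naive_data_length(buf):
    """Unchecked computation: trusts Payload Length and subtracts the header size.

    A Payload Length smaller than the header size wraps to a huge value, which a
    C implementation would then use as the number of encrypted bytes to read.
    """
    _, _, payload_len, _, _ = struct.unpack(FRAG_HDR_FMT, buf[:FRAG_HDR_LEN])
    return unsigned16_sub(payload_len, FRAG_HDR_LEN)


def parse_fragment_payload(buf):
    """Checked parser: every field is validated before it is used in arithmetic or indexing."""
    if len(buf) < FRAG_HDR_LEN:
        raise ValueError("truncated fragment payload header")
    next_payload, flags, payload_len, frag_num, total_frags = struct.unpack(
        FRAG_HDR_FMT, buf[:FRAG_HDR_LEN]
    )
    # Length must cover at least the header and must not exceed the bytes actually received.
    if payload_len < FRAG_HDR_LEN:
        raise ValueError("payload length %d smaller than header" % payload_len)
    if payload_len > len(buf):
        raise ValueError("payload length %d exceeds received data %d" % (payload_len, len(buf)))
    # Fragment numbering is 1-based; number zero, total zero, or number > total are all invalid.
    if frag_num == 0 or total_frags == 0 or frag_num > total_frags:
        raise ValueError("invalid fragment numbering %d/%d" % (frag_num, total_frags))
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "fragment_number": frag_num,
        "total_fragments": total_frags,
        "data": buf[FRAG_HDR_LEN:payload_len],  # safe: bounds already checked
    }


def is_wellformed(buf):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_fragment_payload(buf)
        return True
    except ValueError:
        return False


# Constructed sample payloads (not captured traffic).
VALID_FRAGMENT = struct.pack(FRAG_HDR_FMT, 0, 0, 16, 1, 2) + b"A" * 8
SHORT_LENGTH_FRAGMENT = struct.pack(FRAG_HDR_FMT, 0, 0, 4, 1, 1) + b"A" * 8
OUT_OF_RANGE_FRAGMENT = struct.pack(FRAG_HDR_FMT, 0, 0, 16, 3, 2) + b"A" * 8

if __name__ == "__main__":
    print("valid:", parse_fragment_payload(VALID_FRAGMENT))
    print("naive length for short payload:", naive_data_length(SHORT_LENGTH_FRAGMENT))
    for name, sample in (("short length", SHORT_LENGTH_FRAGMENT), ("out of range", OUT_OF_RANGE_FRAGMENT)):
        print(name, "well-formed:", is_wellformed(sample))
```

The design point is ordering: the checked parser verifies `payload_len` against both the fixed header size and the received buffer size, and verifies the fragment indices against each other, before any of those values drive a subtraction or a slice. The naive helper exists only to show what the missing check costs.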

Impact

Exploitation of this vulnerability causes the VPN service to terminate unexpectedly, disrupting VPN-related functionality. While the service is automatically restarted by a Check Point WatchDog service, this issue can still lead to a temporary loss of VPN connectivity.

Remediation

To address this vulnerability, upgrade to a fixed version. Check Point Security Gateways should install the Jumbo Hotfix Accumulator for R82.10 starting from Take 19, for R82 starting from Take 103, or for R81.20 starting from Take 141. Spark Firewalls should upgrade to R81.10.17 or R82.00.10. As an interim mitigation, enabling the IPS protection 'IKE Unsigned Underflow' in Protection mode blocks the triggering traffic.

Added: May 26, 2026, 5:11 PM
Updated: May 26, 2026, 5:11 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 0.6
exploitability: 7.0
remediation: 7.9
relevance: 9.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.