Happy New Year: Jan 1, 2021 security cert expiration causes havoc for some Check Point VPN users

It wasn't the best of New Year's Day mornings for some Check Point customers; in addition to possible hangovers, those who lagged with their patching had been left with inoperable systems and a tough fix ahead for some. On January 1, 2021, a certificate used for outdated Check Point Remote Access VPN clients and Endpoint …

  1. Phil O'Sophical Silver badge
    Facepalm

    Surprised, much?

    others have been unable to apply the patch due to organizational policies,

    Sounds like the kind of companies which require passwords to be 27 non-alphabetic characters and changed every 3 weeks, etc. Ludicrously unrealistic policies in the name of "security", yet they don't even bother to work out how to apply essential patches when required.

  2. MiguelC Silver badge
    Thumb Down

    Absolutely no sympathy for those companies

    They had a year and a half to apply a security patch.

    And if they overlook a critical system that eventually makes the entire company grind to a halt, how many more systems do they keep outdated and insecure?

  3. Blackjack Silver badge

    Fix available for a year... people still did not use it

    It's stuff like this that justifies Windows 10 forcing updates down your throat.

  4. Robert Carnegie Silver badge

    "We are shipping new laptops to our executive and support teams"

    Ha ha ha ha ha ha ha ha. Serves you right.

    But don't the executives just get an Etch-a-Sketch, I didn't know those were affected... I must check mine.

  5. Mike 137 Silver badge

    " a fix available since August, 2019"

    All too common. Encryption is a good thing!

    Key management? What's that?

    1. stiine Silver badge

      Re: " a fix available since August, 2019"

      So, have the root DNSSEC keys been successfully changed yet?

  6. Anonymous Coward

    not fully true

    Checkpoint is trying to get away in a jiffy.

    I have been using Checkpoint products for the last 5+ years. The "fix" was released in Aug'19, but it was never labelled as a "fix" before Dec 26, 2020. Moreover, the patch that would fix the issue in the affected version had to be requested from TAC and was not publicly available (as of 30 Dec).

    I had taken up the Dec 28th email notification with Checkpoint account mgmt. and confirmed no such notification was sent before 28th Dec.

    This was a last minute warning sent across to all Checkpoint customers on 28 Dec. This is a case of laxity on behalf of Checkpoint.

    1. Captain Scarlet
      Facepalm

      Re: not fully true

      Oh wow, that's pretty bad. If they are going to throw their customers under the bus I can only see them losing their custom.

    2. Anonymous Coward

      Re: not fully true

      This is why you always upgrade to the latest version* even if there are no listed 10-rated CVEs documented as fixed in the update.

      * - after thorough testing, of course.

    3. Anonymous Coward

      Re: not fully true

      Um, so who is running software beyond the end-of-support date...?

      That's an audit fail point, let alone "security" best-practice.

      Any vendor would have no obligation to fix this, but Check Point did.

      Count your blessings rather than throw stones...

      1. Roland6 Silver badge

        Re: not fully true

        >Um, so who is running software beyond the end-of-support date...?

        Enterprise customers with current support contracts with Check Point, who naturally would have expected their "Account Manager" to have been proactive about contacting their customers on matters that would enhance their customer satisfaction rating - potentially also gaining a few license adjustments (£).

        1. Anonymous Coward

          Re: not fully true

          > Enterprise customers with current support contracts with Check Point [...snip...]

          Just stay current, will you...? It is best practice, prevents problems like this, and can be done, even for the largest enterprises*.

          Every vendor I have worked with, not just Check Point, states somewhere in their EULAs / direct support agreements that $PRODUCTS must be active according to their software / hardware life cycle. If not, you choose: upgrade to a supported version, buy a support extension or, as in this case, hope they fix it anyway.

          (*= can be difficult with outsourced contracts / service providers when in the “milk the customer phase” and demanding extra $$$ to do what should be in the contract anyway**.)

          (**=not a fan of outsourcing IT either, but it can be done properly, if very rarely.)

      2. Anonymous Coward

        Re: not fully true

        Don't forget we've been in the middle of a pandemic for the last 9 months. Most organisations are now at the point where remote access VPN is the most critical function to support the fact most of their workers are currently remote and can do nothing without it. Knowing something is going end of life is one thing, but you don't expect it to go completely inoperable less than 6 months later, especially when it's just a VPN client. This software was fully supported up to August 2020.

        1. Roland6 Silver badge

          Re: not fully true

          >Don't forget we've been in the middle of a pandemic for the last 9 months.

          Clearly, TPTB at Checkpoint must exist in an alternative reality to have not figured out that the world had rapidly and radically changed for their customers back in May~June last year that was most probably why they had a surge in licence purchases, and so put out a timely customer-friendly update (ie. put out a certificate update through the normal update channels back in August or even in September~November, marked 'critical'.), along with a show yourself in a good light media fanfare...

    4. AnonReader

      Re: not fully true

      I've read the release notes and support articles from Check Point (since my company was also affected by this surprise), but I and my colleagues can't find any hint that the VPN client version will stop working after the end of support date. As far as I can find, only the end of support was communicated early. And surprisingly, only at the end of December 2020 was Check Point sending updates to customers that the VPN client will stop working on Jan 1, 2021.
