Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2024 Greenbone AGOPENVAS:1361412562310152320
HistoryMay 29, 2024 - 12:00 a.m.

Check Point Firewall Detection Consolidation

2024-05-2900:00:00
Copyright (C) 2024 Greenbone AG
plugins.openvas.org
5
check point
firewall
detection
consolidation
ssh-login
snmp
http

AI Score

7.3

Confidence

Low

JSON

Consolidation of Check Point Firewall detections.

# SPDX-FileCopyrightText: 2024 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

include("plugin_feed_info.inc");

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.152320");
  script_version("2024-07-03T06:48:05+0000");
  script_tag(name:"last_modification", value:"2024-07-03 06:48:05 +0000 (Wed, 03 Jul 2024)");
  script_tag(name:"creation_date", value:"2024-05-29 07:59:35 +0000 (Wed, 29 May 2024)");
  script_tag(name:"cvss_base", value:"0.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");

  script_tag(name:"qod_type", value:"remote_banner");

  script_name("Check Point Firewall Detection Consolidation");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2024 Greenbone AG");
  script_family("Product detection");
  script_dependencies("gb_checkpoint_fw_http_detect.nasl",
                      "check_point_fw1_secureremote_detect.nasl",
                      "gb_checkpoint_fw_ssh_login_detect.nasl");
  if(FEED_NAME == "GSF" || FEED_NAME == "GEF" || FEED_NAME == "SCM")
    script_dependencies("gsf/gb_checkpoint_fw_snmp_detect.nasl",
                        "gsf/gb_checkpoint_fw_sslextender_http_detect.nasl");
  script_mandatory_keys("checkpoint/firewall/detected");

  script_tag(name:"summary", value:"Consolidation of Check Point Firewall detections.");

  script_xref(name:"URL", value:"https://www.checkpoint.com/");

  exit(0);
}

if (!get_kb_item("checkpoint/firewall/detected"))
  exit(0);

include("cpe.inc");
include("host_details.inc");
include("os_func.inc");

detected_version = "unknown";
detected_build = "unknown";
location = "/";

# nb: Currently no version extracted from SSL Network Extender Portal or FireWall-1 (FW-1)
foreach source (make_list("ssh-login", "snmp", "http")) {
  version_list = get_kb_list("checkpoint/firewall/" + source + "/*/version");
  foreach version (version_list) {
    if (version != "unknown" && detected_version == "unknown") {
      detected_version = version;
      break;
    }
  }

  build_list = get_kb_list("checkpoint/firewall/" + source + "/*/build");
  foreach build (build_list) {
    if (build != "unknown" && detected_build == "unknown") {
      detected_build = build;
      set_kb_item(name: "checkpoint/firewall/build", value: build);
      break;
    }
  }
}

os_cpe = build_cpe(value: tolower(detected_version), exp: "^(r[0-9.]+)", base: "cpe:/o:checkpoint:gaia_os:");
if (!os_cpe)
  os_cpe = "cpe:/o:checkpoint:gaia_os";

# nb: Since `R80` released in around 2016 it seems the devices are only running Gaia so we're only
# registering this here for now.
os_register_and_report(os: "Check Point Gaia", cpe: os_cpe, runs_key: "unixoide",
                       desc: "Check Point Firewall Detection Consolidation");

if (http_ports = get_kb_list("checkpoint/firewall/http/port")) {
  foreach port (http_ports) {
    extra += "HTTP(s) on port " + port + '/tcp\n';

    concluded = get_kb_item("checkpoint/firewall/http/" + port + "/concluded");
    if (concluded)
      extra += "  Concluded from version/product identification result: " + concluded + '\n';

    conclUrl = get_kb_item("checkpoint/firewall/http/" + port + "/concludedUrl");
    if (conclUrl)
      extra += "  Concluded from version/product identification location: " + conclUrl + '\n';

    register_product(cpe: os_cpe, location: location, port: port, service: "www");
  }
}

if (extender_ports = get_kb_list("checkpoint/firewall/ssl_extender/port")) {
  foreach port (extender_ports) {
    extra += "SSL Network Extender Portal via HTTP(s) on port " + port + '/tcp\n';

    concluded = get_kb_item("checkpoint/firewall/ssl_extender/" + port + "/concluded");
    if (concluded)
      extra += '  Concluded from version/product identification result:\n' + concluded + '\n';

    conclUrl = get_kb_item("checkpoint/firewall/ssl_extender/" + port + "/concludedUrl");
    if (conclUrl)
      extra += "  Concluded from version/product identification location: " + conclUrl + '\n';

    register_product(cpe: os_cpe, location: location, port: port, service: "www");
    register_product(cpe: os_cpe, location: location, port: port, service: "ssl-extender");
  }
}

if (snmp_ports = get_kb_list("checkpoint/firewall/snmp/port")) {
  foreach port (snmp_ports) {
    extra += "SNMP on port " + port + '/udp\n';

    concludedVers = get_kb_item("checkpoint/firewall/snmp/" + port + "/concludedSwVers");
    concludedVersOID = get_kb_item("checkpoint/firewall/snmp/" + port + "/concludedSwVersOID");
    if (concludedVers && concludedVersOID)
      extra += '  Version concluded from:     "' + concludedVers + '" via OID: "' + concludedVersOID + '"\n';

    concludedBuild = get_kb_item("checkpoint/firewall/snmp/" + port + "/concludedBuildVers");
    concludedBuildOID = get_kb_item("checkpoint/firewall/snmp/" + port + "/concludedBuildVersOID");
    if (concludedBuild && concludedBuildOID)
      extra += '  Build concluded from:       "' + concludedBuild + '" via OID: "' + concludedBuildOID + '"\n';

    register_product(cpe: os_cpe, location: location, port: port, service: "snmp", proto: "udp");
  }
}

if (ssh_login_ports = get_kb_list("checkpoint/firewall/ssh-login/port")) {
  foreach port (ssh_login_ports) {
    extra += "SSH login on port " + port + '/tcp\n';

    concluded = get_kb_item("checkpoint/firewall/ssh-login/" + port + "/concluded");
    if (concluded)
      extra += '  Concluded from version/product identification result:\n' + concluded + '\n';

    register_product(cpe: os_cpe, location: location, port: port, service: "ssh-login");
  }
}

if (fw1_topology_ports = get_kb_list("checkpoint/firewall/fw1_topology/port")) {
  foreach port (fw1_topology_ports) {
    extra += "FireWall-1 (FW-1) SecureRemote (SecuRemote) on port " + port + '/tcp\n';
    register_product(cpe: os_cpe, location: location, port: port, service: "fw1-topology");
  }
}

report = build_detection_report(app: "Check Point Firewall", version: detected_version,
                                build: detected_build, install: location, cpe: os_cpe);

if (extra) {
  report += '\n\nDetection methods:\n';
  report += '\n' + extra;
}

log_message(port: 0, data: chomp(report));

exit(0);

AI Score

7.3

Confidence

Low

JSON