Hi, this is the solution for the compilation errors after upgrading Smart 
Defense on R55.

Hello All,

I would like to sum up the events of the last day:

Yesterday evening, we published the wrong update on the site. Instead of 
the correct one, we published a version that is still in development, 
and includes some extra additions to the "HTTP Clients 
Protections->Microsoft Internet Explorer" section.
The error was discovered and corrected within one hour, and the correct 
package was placed on the site.

However, customers using R55 who have downloaded the update between 
20:00 and 21:00 (approximately) yesterday (IL summer time) would run 
into policy compilation problems, due to a syntax error found in the new 
code.

*To correct the syntax error:*

1. Edit the $FWDIR/conf/inspect.C file on the management, and replace 
the line:
: ("ADP_MSIE_BLOCK_COM_MS06021 or ADP_MSIE_AJAX_COLLECTGARBAGE or 
ADP_MSIE_BLOCK_ACTIVEX or ADP_MSIE_BLOCK_HHCTRL or ADP_BLOCK_UTF8 or\")

with:

: ("ADP_MSIE_BLOCK_COM_MS06021 or ADP_MSIE_AJAX_COLLECTGARBAGE or 
ADP_MSIE_BLOCK_ACTIVEX or ADP_MSIE_BLOCK_HHCTRL or ADP_BLOCK_UTF8 or \")

(add a blank before the '\').

2. Make the same change in $FWDIR/lib/updates.def - i.e. replace the line:

ADP_MSIE_BLOCK_COM_MS06021 or ADP_MSIE_AJAX_COLLECTGARBAGE or 
ADP_MSIE_BLOCK_ACTIVEX or ADP_MSIE_BLOCK_HHCTRL or ADP_BLOCK_UTF8 or\

with:

ADP_MSIE_BLOCK_COM_MS06021 or ADP_MSIE_AJAX_COLLECTGARBAGE or 
ADP_MSIE_BLOCK_ACTIVEX or ADP_MSIE_BLOCK_HHCTRL or ADP_BLOCK_UTF8 or \

This should resolve the compilation problem for R55 customers who 
experience it. In addition, users (of all versions) who have performed a 
database revision before the update and have the "problematic" update 
(see below how to identify it) are advised to revert their database and 
re-apply the update (the update on the site now should be the correct 
one). Customers who did not perform a database revision control before 
the update, can choose one of the following alternatives:

1) Using GUIDBEdit, change the value of asm_update_version (under 
Managed Objects->asm->AdvancedSecurityObject) to -1, and re-apply the 
update. Do not turn on the new checkboxes under HTTP Clients 
Protections->Microsoft Internet Explorer until the next update.
2) Another option is to manually delete the new defenses from the 
$FWDIR/conf/asm.C. The sections that should be deleted are the following:

            : (
                :attrib_default_val (false)
                :attrib_desc ("Block COM Object Instantiation Memory Corruption Vulnerability (MS06-042)")
                :attrib_scheme_name (MSIE_BLOCK_COM_MS06042)
                :attrib_value (false)
                :show_attrib (true)
                :support_by_version ()
                :type (boolean)
                :AdminInfo (
                    :ClassName (boolean_dyn_attrib)
                    :chkpf_uid ("{F4D6A934-1B7D-495B-9BFB-2CA12940B4AC}")
                )
            )
            : (
                :attrib_default_val (false)
                :attrib_desc ("Block CSS Memory Corruption Vulnerability (MS06-042)")
                :attrib_scheme_name (MSIE_BLOCK_CSS)
                :attrib_value (false)
                :show_attrib (true)
                :support_by_version ()
                :type (boolean)
                :AdminInfo (
                    :ClassName (boolean_dyn_attrib)
                    :chkpf_uid ("{11E8ADB4-5507-4f5A-B5F9-B06222504772}")
                )
            )
            : (
                :attrib_default_val (false)
                :attrib_desc ("Block MS Internet Explorer MHTML Parsing Vulnerability (MS06-043)")
                :attrib_scheme_name (MSIE_BLOCK_MHTML2)
                :attrib_value (false)
                :show_attrib (true)
                :support_by_version ()
                :type (boolean)
                :AdminInfo (
                    :ClassName (boolean_dyn_attrib)
                    :chkpf_uid ("{67F94B67-3B65-4B7F-A383-58D8F987B058}")
                )
            )
            : (
                :attrib_default_val (false)
                :attrib_desc ("Block MMC Redirect Cross-Site Scripting Vulnerability (MS06-044)")
                :attrib_scheme_name (MSIE_BLOCK_MMC)
                :attrib_value (false)
                :show_attrib (true)
                :support_by_version ()
                :type (boolean)
                :AdminInfo (
                    :ClassName (boolean_dyn_attrib)
                    :chkpf_uid ("{72A5A95B-1190-499A-9BC7-805E811B4EC3}")
                )
            )
            : (
                :attrib_default_val (false)
                :attrib_desc ("Block Folder GUID Code Execution Vulnerability (MS06-045)")
                :attrib_scheme_name (MSIE_BLOCK_WEBDAV)
                :attrib_value (false)
                :show_attrib (true)
                :support_by_version ()
                :type (boolean)
                :AdminInfo (
                    :ClassName (boolean_dyn_attrib)
                    :chkpf_uid ("{F7A1C45C-31B6-422F-B03E-56AD319BF6C4}")
                )
            )
            : (
                :attrib_default_val (false)
                :attrib_desc ("Block MS Internet Explorer daxctle.ocx Heap Overflow")
                :attrib_scheme_name (MSIE_BLOCK_HEAP)
                :attrib_value (false)
                :show_attrib (true)
                :support_by_version ()
                :type (boolean)
                :AdminInfo (
                    :ClassName (boolean_dyn_attrib)
                )
            )

(lines 52-128 in a default asm.C file - however, line numbers may change).

3) A third option is to delete these new checkboxes using GUIDBEdit:
- Go to Managed Objects->asm->AdvancedSecurityObject, and search for 
each of the 6 protections listed below (the name of the defense, as 
listed below, should appear in the value field).
- 2 lines above the defense name, there's a line that says: "owned 
object". Right-click on it, and choose delete. Do that for all 6 defenses.

*How to identify that you have the problematic update:*

The problematic update contains the following 6 new checkboxes in the 
"HTTP Client Protection->Internet Explorer" tab, that the correct one 
does not have:
Block COM Object Instantiation Memory Corruption Vulnerability (MS06-042)
Block CSS Memory Corruption Vulnerability (MS06-042)
Block MS Internet Explorer MHTML Parsing Vulnerability (MS06-043)
Block MMC Redirect Cross-Site Scripting Vulnerability (MS06-044)
Block Folder GUID Code Execution Vulnerability (MS06-045)
Block MS Internet Explorer daxctle.ocx Heap Overflow

Regards,

Alvaro Gastambide Lusiardo
Check Point Certified Security Administrator - MCSA
Engineering Dept.
Security Advisor
www.sadvisor.com



Crist Clark wrote:
>>>> On 9/14/2006 at 9:37 AM, Alvaro Gastambide <[EMAIL PROTECTED]> wrote:
>>>>         
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Hi, I updated Smart Defense on Chk NG R55 and then I get compilation 
>> errors when I install the Policy.
>>
>> Any idea? Thanks!!!!
>>     
>
> I'm seeing the same thing. Running NG R55 on Solaris. No one
> has manually touched .def files for months or years. The only
> ones modified are ones touched by Smart Defense.
>
> Here's an example of errors,
>
>  # fwm load canada-internet.pf atlas
> canada-internet:
> "/opt/CPfw1-R55/lib/base.def", line 662: ERROR: syntax error
> "/opt/CPfw1-R55/lib/crypt.def", line 46: ERROR: unknown macro or function 
> <RECORD_CONN_EX>
> "/opt/CPfw1-R55/lib/crypt.def", line 63: ERROR: unknown macro or function 
> <RECORD_CONN_EX>
> "/opt/CPfw1-R55/lib/crypt.def", line 71: ERROR: unknown macro or function 
> <RECORD_CONN_EX>
> "/opt/CPfw1-R55/lib/base.def", line 1111: ERROR: unknown macro or function 
> <USER_PASS_CONNECTION>
> "/opt/CPfw1-R55/lib/base.def", line 1123: ERROR: unknown macro or function 
> <USER_PASS_CONNECTION_SCV>
> "/opt/CPfw1-R55/lib/base.def", line 2786: ERROR: unknown macro or function 
> <RECORD_CONN_EX>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6179: ERROR: syntax error
> "canada-internet.pf", line 6180: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6180: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6180: ERROR: unknown macro or function 
> <USER_PASS_CONNECTION>
> "canada-internet.pf", line 6184: ERROR: unknown macro or function <PROXY_DO>
> "canada-internet.pf", line 6187: ERROR: unknown macro or function 
> <USER_PASS_CONNECTION>
> "canada-internet.pf", line 6191: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6193: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6195: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6202: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6210: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6225: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6231: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6241: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6247: ERROR: unknown macro or function 
> <RECORD_CONN>
> "canada-internet.pf", line 6253: ERROR: unknown macro or function 
> <RECORD_CONN>
> Compilation Failed.
>
>   
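
The two file edits and the identification check described in the message above, as an added shell example (not from the original message and not Check Point code). The function names and the `apply` argument are assumptions; the match is on the `ADP_BLOCK_UTF8 or\` fragment only, and a `.bak` copy is kept of each file changed.

```shell
#!/bin/sh
# Added example (not Check Point code). Function names and the "apply"
# argument are assumptions; file paths are the ones named in the message.

# attrib_scheme_name values of the six defenses the message lists for asm.C.
BAD_SCHEMES='MSIE_BLOCK_COM_MS06042 MSIE_BLOCK_CSS MSIE_BLOCK_MHTML2
MSIE_BLOCK_MMC MSIE_BLOCK_WEBDAV MSIE_BLOCK_HEAP'

# Print how many of those six defenses are present in the given asm.C.
count_bad_defenses() {
    found=0
    for s in $BAD_SCHEMES; do
        if grep ":attrib_scheme_name ($s)" "$1" >/dev/null 2>&1; then
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Succeed if the file still contains "ADP_BLOCK_UTF8 or\" (no blank before '\').
needs_fix() {
    grep 'ADP_BLOCK_UTF8 or\\' "$1" >/dev/null 2>&1
}

# Add the blank before '\', keeping the original as FILE.bak.
# Does nothing when the file is already correct, so it is safe to re-run.
fix_continuation() {
    needs_fix "$1" || return 0
    cp -p "$1" "$1.bak" || return 1
    sed 's/ADP_BLOCK_UTF8 or\\/ADP_BLOCK_UTF8 or \\/' "$1.bak" > "$1"
}

# Touch a real management server only when FWDIR is set and "apply" is given.
if [ "${1:-}" = "apply" ] && [ -n "${FWDIR:-}" ]; then
    for f in "$FWDIR/conf/inspect.C" "$FWDIR/lib/updates.def"; do
        fix_continuation "$f" && echo "checked $f"
    done
    echo "defenses from the wrong update in asm.C:" \
        "$(count_bad_defenses "$FWDIR/conf/asm.C")"
fi
```

A count of 0 from `count_bad_defenses` means none of the six checkboxes listed in the message are in that `asm.C`.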
