Happy New Year: Jan 1, 2021 security cert expiration causes havoc for some Check Point VPN users
Outdated clients stop working, organizations with thousands of end-points told to switch out .sys files
It wasn't the best of New Year's Day mornings for some Check Point customers; in addition to possible hangovers, those who lagged with their patching had been left with inoperable systems and a tough fix ahead for some.
On January 1, 2021, a certificate used for outdated Check Point Remote Access VPN clients and Endpoint services expired. The security biz has had a fix available since August, 2019, but some of the company's customers appear to have missed the memo and others have been unable to apply the patch due to organizational policies, leaving users of affected software unable to connect over the network.
Check Point issued a reminder last week, noting Endpoint/VPN E80.81 to E81.10 (Windows only) and SandBlast agent E80.61 to E81.10 (Windows only) – all no longer supported – are living on borrowed time.
"These out of support versions will cease to operate starting January 1st, 2021," the company said. "Starting that date, following a reboot of the computer, Remote Access VPN and Endpoint Security Client versions E81.10 (inclusive) and lower may stop functioning, and the upgrade will fail."
Australia sues Facebook for slurping user data from Onavo Protect VPN appREAD MORE
Such snafus appear to be underway. A reader wrote to The Register to report that the organization where this individual is employed has seen some 1,600 laptops allocated to remote users lose the ability to connect to the network as a result of the certificate expiration. The 2MB client-side patch, we're told, replaces an existing .SYS file without the involvement of an administrator – an intervention not allowed at this governmental entity.
"At this moment, our IT department is in free fall," the reader said in an email to The Register. "We are shipping new laptops to our executive and support teams. We have live bridge calls with Check Point teams in Tel Aviv and the US."
"If nothing else changes, we will have staff out of work for days while we find and deploy new laptops to them, bring the existing borked laptops back to base for rebuild. We don't have any other remote access tools that can get around the inability to be on the VPN."
To remedy the situation, the organization needs an .EXE or .MSI patch. Distributing a patch directly to users that require administrative credentials or a local admin password isn't an option due to organizational security rules.
Similar concerns have been posted in response to Check Point's advisory last week.
Check Point in its reminder post emphasized this is an urgent issue because Firewall, VPN, and Endpoint client services may stop working.
The security biz said it has been contacting customers after observing that many of them haven't yet updated their old versions of its software. While Check Point aimed to get in touch with laggards before the New Year, it evidently hasn't managed to reach everyone.
"The issue is only relevant to customers who do not adhere to our software support guidance," a Check Point forum admin observed. "However, we do see signs of those unsupported versions still running out there."
In response to The Register's inquiry about how many customers have yet to apply the patch, a spokesperson for Check Point made inquiries to the company's engineering team in Israel, but didn't expect an immediate answer owing to the time difference.
"We are aware of some expired versions of some of our products," Check Point's spokesperson said. "Our teams are working to communicate with customers to make sure they’re up to date." ®