Check Point vulnerability: Still only a good half of all systems patched

The Federal Office for the Protection of the Constitution and the BSI call on users to update more quickly. Companies are facing troubled times.

This article was originally published in German and has been automatically translated.

The security vulnerability in the VPN gateway products of the Israeli IT security provider Check Point Security has still not been patched by many users in Germany. The Federal Office for Information Security (BSI) and the Federal Office for the Protection of the Constitution (BfV) are calling on administrators to install available updates more quickly – including for Outlook and Codesys.

Of the 1,700 or so users of Check Point security gateway products identified, only around half had installed the update that has been available for weeks and closes the critical security gap. This was reported by BfV Vice President Sinan Selen on Wednesday at the Potsdam Conference on National Cyber Security at the Hasso Plattner Institute.

The Federal Office for Information Security and the Federal Office for the Protection of the Constitution have been working on the incident at the CDU headquarters for almost three weeks now. Neither the BSI nor the BfV has yet attributed the attack to specific possible perpetrators. If the configuration is unfavorable, the gap can be used to compromise calendar data, contacts and emails, among other things. Other access options also depend on the conditions and security mechanisms in the respective networks.

BfV Vice President Sinan Selen referred to updates that have been available for a long time but are often not installed or are only installed after a long delay. This applies not only to the Check Point vulnerability, but also to Outlook vulnerabilities or Codesys V3 vulnerabilities, for example, where patches are also available. He expects IT security officers to ask the responsible administrators: "Where do we actually stand?" Selen warns of troubled times for companies and public bodies.

The current situation is well summarized with concerned faces, said Selen. Germany is the focus of research activities. This applies not only to the democratic parties, all of which are currently attracting attention. Many KRITIS companies have also not yet arrived in the new era, said BfV Vice President Selen. Heise online had already reported last week that, in addition to the attack on the CDU, at least two other successful attacks via the Check Point vulnerability had taken place in critical sectors.

In Potsdam-Griebnitzsee, Claudia Plattner, President of the Federal Office for Information Security, also called for significantly faster and more consistent updates. The number of unpatched systems is simply too high - 37,000 vulnerable Exchange servers are a major problem. Plattner combined this with a call for further automation in IT.

(anw)