Critical vulnerability discovered in Check Point firewall

Web application security specialists report the discovery of a critical vulnerability in a Check Point software solution that, if exploited, would allow a threat actor to escalate privileges and execute arbitrary code with administrator privileges. The company has already been notified and is working to eliminate this security risk.

The SafeBreach Labs team, which made the discovery, reports that the vulnerability was detected in the Endpoint Security Initial Client software, developed for the Windows operating system. The flaw affects the Endpoint Agent (CPDA.exe) and the Device Auxiliary Framework (IDAFServerHostService.exe).

Once IDAFServerHostService.exe starts, the signed process runs as NT AUTHORITY\SYSTEM. After it runs, the service attempts to load the atl110.dll library, which is not present, from the directories listed in the PATH environment variable. Because the DLL is absent, an attacker can place a DLL of that name in one of those directories and execute arbitrary code. In the release of the proof-of-concept, web application security experts mentioned: “We were able to load an arbitrary DLL as a normal user and execute our code within a Check Point-signed process such as NT AUTHORITY\SYSTEM”.

In addition, once exploited, the vulnerability could allow a threat actor to load and execute malicious code while bypassing application whitelisting (the list of authorized entities and processes), and to establish a persistence mechanism that keeps running with elevated privileges on the targeted system.

According to web application security experts from the International Institute of Cyber Security (IICS), researchers reported the vulnerability to Check Point in early August; the flaw was finally corrected a couple of days ago through the release of an update. Check Point issued a security alert asking its users to deploy the updates. Customers are encouraged to verify that their systems have the latest update, Check Point Endpoint Security E81.30.

In addition to this report, SafeBreach Labs experts published a report on a privilege escalation vulnerability in the Bitdefender Antivirus Free 2020 security tool. The developers of this antivirus are expected to release an update as soon as possible.