Vulnerability in TrueVector module of Check Point’s ZoneAlarm firewall allows network internal attacks

Reports of critical security flaws in widely deployed products keep appearing. The most recent concerns a critical vulnerability in the TrueVector Internet Monitor service, installed as part of Check Point's ZoneAlarm firewall. According to the network perimeter security expert who filed the report, exploiting this flaw allows a local threat actor to modify the permissions of arbitrary local files, access their contents, and gain elevated privileges on the target system.

After receiving the report, the company began verifying the flaw and confirmed that the issue affects ZoneAlarm Free Firewall v15.8.023.18219 / TrueVector Internet Monitor v15.8.7.18219.

According to the network perimeter security report, the affected service runs as LocalSystem and periodically creates a large number of backup files in the %ProgramData%\CheckPoint\ZoneAlarm\Data\ folder; when creating these files, it sets their permissions to Full Control for Authenticated Users. A local threat actor can create a hardlink with the same name as one of the backup files, so that when the service resets the permissions on that name, it modifies the permissions of a different file instead.

Figure: Insecure permissions set on the backup files (source: Securify)

Once the file's permissions have been modified, a threat actor can overwrite its contents and eventually gain elevated privileges on the vulnerable device. Worse, everything required to create a hardlink is tooling that can be found on any hacking forum.

To fix this flaw, Check Point released ZoneAlarm Free Firewall v15.8.043.18324, which contains the updates needed to mitigate the vulnerability. The network perimeter security specialist also noted that the latest Windows 10 update includes mitigations for hardlink attacks: the operating system now requires write access to the target file, and hardlink creation fails without it. That requirement alone is enough to block this kind of attack.
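The two practical checks an administrator would want after reading the description above and the fix notice are (a) whether any file in the ZoneAlarm data folder still grants Full Control to a broad identity such as Authenticated Users, and (b) whether the installed ZoneAlarm build is older than the fixed release. The following PowerShell script is an added example, not code from the article, Securify, or Check Point. It assumes the folder path and version numbers named in the article; the registry lookup under the standard Uninstall keys and the `ZoneAlarm*` DisplayName match are assumptions, since the article does not name the product's registry entries.

```powershell
# Added example: audit ZoneAlarm backup-file ACLs and compare the installed build
# with the fixed build named in the article. Run from an elevated PowerShell prompt.

$DataDir    = Join-Path $env:ProgramData 'CheckPoint\ZoneAlarm\Data'   # folder named in the article
$FixedBuild = [version]'15.8.043.18324'                                 # fixed ZoneAlarm Free Firewall build

# Broad identities that should never hold Full Control over files owned by a LocalSystem service.
$BroadIdentities = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')

function Test-WeakFileAcl {
    # Returns $true if any Allow ACE grants FullControl to one of the broad identities.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $isBroad = $BroadIdentities -contains $ace.IdentityReference.Value
        $isFull  = $ace.FileSystemRights.ToString() -match 'FullControl'
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $isFull) {
            return $true
        }
    }
    return $false
}

if (Test-Path -LiteralPath $DataDir) {
    # Check the folder itself first: a writable folder is what lets a low-privileged user plant a link.
    if (Test-WeakFileAcl -Path $DataDir) {
        Write-Warning "Over-permissive ACL on folder: $DataDir"
    }
    # Then every file beneath it, which is where the backup files described in the article live.
    Get-ChildItem -LiteralPath $DataDir -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-WeakFileAcl -Path $_.FullName } |
        ForEach-Object { Write-Warning "Over-permissive ACL on file: $($_.FullName)" }
} else {
    Write-Output "ZoneAlarm data folder not found: $DataDir"
}

# Installed version (assumption: the product registers under the standard Uninstall keys
# with a DisplayName beginning 'ZoneAlarm'; adjust the filter if your deployment differs).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$za = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -like 'ZoneAlarm*' } |
      Select-Object -First 1

if ($za -and $za.DisplayVersion) {
    try {
        $installed = [version]$za.DisplayVersion
        if ($installed -lt $FixedBuild) {
            Write-Warning "ZoneAlarm $installed is older than the fixed build $FixedBuild; update required."
        } else {
            Write-Output "ZoneAlarm $installed is at or above the fixed build $FixedBuild."
        }
    } catch {
        Write-Warning "Could not parse ZoneAlarm version string '$($za.DisplayVersion)'."
    }
} else {
    Write-Output "No ZoneAlarm entry found under the Uninstall registry keys."
}
```

The ACL test deliberately looks only at Allow ACEs for FullControl, because that is the exact setting the report describes; if you want to treat Modify or Write as equally risky for service-owned data, extend the `-match` pattern. The version comparison relies on `[version]` parsing, which drops leading zeros (so `15.8.043.18324` compares as `15.8.43.18324`), which is the intended behaviour for build-number ordering.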

For more information on recently encountered security flaws, exploits, cyberattacks, and malware analysis, you can visit the official website of the International Institute of Cyber Security (IICS), as well as the official sites of tech companies.