A serious vulnerability was discovered in the Check Point Software that could allow an attacker elevate privileges and execute arbitrary code. Researchers spotted the flaw and reported it to Check Point who shortly after released a fix for it.
Researchers from SafeBreach Labs have found a security flaw in Check Point Software. As elaborated in their blog post, they noticed this flaw in Check Point’s Endpoint Security Initial Client software for Windows.
According to the researchers, there existed a privilege escalation vulnerability in the software targeting the Check Point Endpoint Agent (CPDA.exe) and Check Point Device Auxiliary Framework (IDAFServerHostService.exe).
Elaborating why the flaw existed, the researchers stated,
"We found that once the Check Point Device Auxiliary Framework Service (IDAFServerHostService.exe) was started, the IDAFServerHostService.exe signed process was executed as NT AUTHORITY\SYSTEM. Once executed, the service tries to load the atl110.dll Library (“ATL Module for Windows”) library… a missing DLL file from different directories within the PATH environment variable."
Due to the absence of the respective DLL, it became possible for an attacker to write the missing DLL file and execute codes. Presenting the PoC for the exploit, the researchers stated,
"We were able to load an arbitrary DLL as a regular user and execute our code within a process which is signed by Check Point as NT AUTHORITY\SYSTEM."
Upon exploit, the vulnerability could allow an attacker to load and execute malicious code while bypassing whitelisting, ensure persistent mechanism of execution with each system reboot, and gain SYSTEM privileges to the target machine.
Researchers reported the vulnerability to Check Point on August 1, 2019. Following their report, Check Point eventually patched the flaw on August 27, 2019, by releasing an updated version. Thus, the users must ensure updating their systems to the latest patched version of Check Point Enterprise Endpoint Security E81.30. Recently, SafeBreach Labs also reported a privilege escalation vulnerability in Bitdefender Antivirus Free 2020.
READ FULL ARTICLE