Checkpoint

Local attacker can escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security

CVE-2023-28134 7.8 - High - November 12, 2023

Local attacker can escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Incorrect Permission Assignment for Critical Resource

Local user may lead to privilege escalation using Gaia Portal hostnames page.

CVE-2023-28130 7.2 - High - July 26, 2023

Local user may lead to privilege escalation using Gaia Portal hostnames page.

Command Injection

Local privilege escalation in Check Point Endpoint Security Client (version E87.30)

CVE-2023-28133 7.8 - High - July 23, 2023

Local privilege escalation in Check Point Endpoint Security Client (version E87.30) via crafted OpenSSL configuration file

Incorrect Permission Assignment for Critical Resource

The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX)

CVE-2022-23746 7.5 - High - November 30, 2022

The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX). If the portal is configured for username/password authentication, it is vulnerable to a brute-force attack on usernames and passwords.

Improper Restriction of Excessive Authentication Attempts

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges

CVE-2022-41604 8.8 - High - September 27, 2022

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. This occurs because of weak permissions for the %PROGRAMDATA%\CheckPoint\ZoneAlarm\Data\Updates directory, and a self-protection driver bypass that allows creation of a junction directory. This can be leveraged to perform an arbitrary file move as NT AUTHORITY\SYSTEM.

Improper Privilege Management

A potential memory corruption issue was found in Capsule Workspace Android app (running on GrapheneOS)

CVE-2022-23745 7.5 - High - July 18, 2022

A potential memory corruption issue was found in Capsule Workspace Android app (running on GrapheneOS). This could result in application crashing but could not be used to gather any sensitive information.

Memory Corruption

Check Point Endpoint before version E86.50 failed to protect against specific registry change which

CVE-2022-23744 2.3 - Low - July 07, 2022

Check Point Endpoint before version E86.50 failed to protect against specific registry change which allowed to disable endpoint protection by a local administrator.

The Check Point Gaia Portal's GUI Clients allowed authenticated administrators with permission for the GUI Clients settings to inject a command

CVE-2021-30361 6.7 - Medium - May 11, 2022

The Check Point Gaia Portal's GUI Clients allowed authenticated administrators with permission for the GUI Clients settings to inject a command that would run on the Gaia OS.

Shell injection

Check Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade process

CVE-2022-23743 7.8 - High - May 11, 2022

Check Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade process. In addition, weak permissions in the ProgramData\CheckPoint\ZoneAlarm\Data\Updates directory allow a local attacker the ability to execute an arbitrary file write, leading to execution of code as local system, in ZoneAlarm versions before v15.8.211.192119

Improper Privilege Management

Users have access to the directory where the installation repair occurs

CVE-2021-30360 7.8 - High - January 10, 2022

Users have access to the directory where the installation repair occurs. Since the MS Installer allows regular users to run the repair, an attacker can initiate the installation repair and place a specially crafted EXE in the repair folder which runs with the Check Point Remote Access Client privileges.

DLL preloading

Mobile Access Portal Native Applications who's path is defined by the administrator with environment variables may run applications

CVE-2021-30358 7.2 - High - October 19, 2021

Mobile Access Portal Native Applications who's path is defined by the administrator with environment variables may run applications from other locations by the Mobile Access Portal Agent.

Shell injection

SSL Network Extender Client for Linux before build 800008302 reveals part of the contents of the configuration file supplied, which

CVE-2021-30357 5.3 - Medium - June 08, 2021

SSL Network Extender Client for Linux before build 800008302 reveals part of the contents of the configuration file supplied, which allows partially disclosing files to which the user did not have access.

Generation of Error Message Containing Sensitive Information

A denial of service vulnerability was reported in Check Point Identity Agent before R81.018.0000, which could

CVE-2021-30356 8.1 - High - April 22, 2021

A denial of service vulnerability was reported in Check Point Identity Agent before R81.018.0000, which could allow low privileged users to overwrite protected system files.

Check Point Endpoint Security Client for Windows before version E84.20

CVE-2020-6021 7.8 - High - December 03, 2020

Check Point Endpoint Security Client for Windows before version E84.20 allows write access to the directory from which the installation repair takes place. Since the MS Installer allows regular users to run the repair, an attacker can initiate the installation repair and place a specially crafted DLL in the repair folder which will run with the Endpoint clients privileges.

DLL preloading

Check Point Endpoint Security for Windows before E84.10 can reach denial of service during clean install of the client

CVE-2020-6015 5.5 - Medium - November 05, 2020

Check Point Endpoint Security for Windows before E84.10 can reach denial of service during clean install of the client which will prevent the storage of service log files in non-standard locations.

Check Point Endpoint Security Client for Windows

CVE-2020-6014 6.5 - Medium - November 02, 2020

Check Point Endpoint Security Client for Windows, with Anti-Bot or Threat Emulation blades installed, before version E83.20, tries to load a non-existent DLL during a query for the Domain Name. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate.

Untrusted Path

Check Point ZoneAlarm before version 15.8.139.18543

CVE-2020-6022 5.5 - Medium - October 27, 2020

Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to delete arbitrary files while restoring files in Anti-Ransomware.

Check Point ZoneAlarm before version 15.8.139.18543

CVE-2020-6023 7.8 - High - October 27, 2020

Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to escalate privileges while restoring files in Anti-Ransomware.

Check Point Security Management's Internal CA web management before Jumbo HFAs R80.10 Take 278, R80.20 Take 160, R80.30 Take 210, and R80.40 Take 38

CVE-2020-6020 6.4 - Medium - September 24, 2020

Check Point Security Management's Internal CA web management before Jumbo HFAs R80.10 Take 278, R80.20 Take 160, R80.30 Take 210, and R80.40 Take 38, can be manipulated to run commands as a high privileged user or crash, due to weak input validation on inputs by a trusted management administrator.

Improper Input Validation

ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges

CVE-2020-6012 7.4 - High - August 04, 2020

ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems or using symbolic links. This allows an unprivileged user to enable escalation of privilege via local access.

insecure temporary file

A denial of service vulnerability was reported in Check Point Endpoint Security Client for Windows before E82.10

CVE-2019-8463 7.5 - High - December 23, 2019

A denial of service vulnerability was reported in Check Point Endpoint Security Client for Windows before E82.10, that could allow service log file to be written to non-standard locations.

insecure temporary file

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed

CVE-2019-8461 7.8 - High - August 29, 2019

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. An attacker can leverage this to gain LPE using a specially crafted DLL placed in any PATH location accessible with write permissions to the user.

Untrusted Path

Check Point Endpoint Security Client for Windows

CVE-2019-8458 4.4 - Medium - June 20, 2019

Check Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate.

Improper Input Validation

Check Point Endpoint Security Client for Windows

CVE-2019-8459 9.8 - Critical - June 20, 2019

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. This can cause loading of a previously placed executable with a name similar to the parts of the path, instead of the intended one.

Unquoted Search Path or Element

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so

CVE-2019-8452 7.8 - High - April 22, 2019

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains the local attacker higher privileges to the file.

Permission Issues

A hard-link created from the log file of Check Point ZoneAlarm up to 15.4.062 to any file on the system will get its permission changed so

CVE-2019-8455 7.1 - High - April 17, 2019

A hard-link created from the log file of Check Point ZoneAlarm up to 15.4.062 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains the local attacker higher privileges to the file.

Permission Issues

Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are taken from directories where all users have write permissions

CVE-2019-8453 5.5 - Medium - April 17, 2019

Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are taken from directories where all users have write permissions. This can allow a local attacker to replace a DLL file with a malicious one and cause Denial of Service to the client.

Untrusted Path

Check Point IKEv2 IPsec VPN up to R80.30, in some less common conditions, may

CVE-2019-8456 5.9 - Medium - April 09, 2019

Check Point IKEv2 IPsec VPN up to R80.30, in some less common conditions, may allow an attacker with knowledge of the internal configuration and setup to successfully connect to a site-to-site VPN server.

Permissions, Privileges, and Access Controls

Check Point ZoneAlarm version 15.3.064.17729 and below expose a WCF service

CVE-2018-8790 7.8 - High - March 01, 2019

Check Point ZoneAlarm version 15.3.064.17729 and below expose a WCF service that can allow a local low privileged user to execute arbitrary code as SYSTEM.

NOTE: this issue has been disputed by the vendor

CVE-2009-1227 - April 02, 2009

NOTE: this issue has been disputed by the vendor. Buffer overflow in the PKI Web Service in Check Point Firewall-1 PKI Web Service allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) Authorization or (2) Referer HTTP header to TCP port 18624. NOTE: the vendor has disputed this issue, stating "Check Point Security Alert Team has analyzed this report. We've tried to reproduce the attack on all VPN-1 versions from NG FP2 and above with and without HFAs. The issue was not reproduced. We have conducted a thorough analysis of the relevant code and verified that we are secure against this attack. We consider this attack to pose no risk to Check Point customers." In addition, the original researcher, whose reliability is unknown as of 20090407, also states that the issue "was discovered during a pen-test where the client would not allow further analysis.

Buffer Overflow

The Auto Local Logon feature in Check Point VPN-1 SecuRemote/SecureClient NGX R60 and R56 for Windows caches credentials under the Checkpoint\SecuRemote registry key, which has Everyone/Full Control permissions, which

CVE-2008-0662 7.8 - High - February 08, 2008

The Auto Local Logon feature in Check Point VPN-1 SecuRemote/SecureClient NGX R60 and R56 for Windows caches credentials under the Checkpoint\SecuRemote registry key, which has Everyone/Full Control permissions, which allows local users to gain privileges by reading and reusing the credentials.

Incorrect Permission Assignment for Critical Resource

ZoneAlarm and ZoneAlarm Pro

CVE-2001-0682 5.5 - Medium - August 29, 2001

ZoneAlarm and ZoneAlarm Pro allows a local attacker to cause a denial of service by running a trojan to initialize a ZoneAlarm mutex object which prevents ZoneAlarm from starting.

Improper Locking