CVE-2020-6024 Overview
Check Point SmartConsole is vulnerable to a local privilege escalation vulnerability due to improper directory permissions. The application executes binaries from a directory where all authenticated users have write access, allowing a low-privileged attacker to place malicious executables that will be run with elevated privileges.
Critical Impact
Local attackers can escalate privileges to gain full system control by placing malicious executables in a writable directory used by SmartConsole.
Affected Products
- Check Point SmartConsole before R80.10 Build 185
- Check Point SmartConsole R80.20 before Build 119
- Check Point SmartConsole R80.30 before Build 94
- Check Point SmartConsole R80.40 before Build 415
- Check Point SmartConsole R81 before Build 548
Discovery Timeline
- 2021-01-20 - CVE CVE-2020-6024 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-6024
Vulnerability Analysis
This vulnerability stems from insecure directory permissions in Check Point SmartConsole installations. The application is configured to execute binaries from a directory that grants write access to all authenticated users on the system. This design flaw enables privilege escalation attacks where any authenticated user can place a malicious executable in the vulnerable directory path.
When SmartConsole or its components execute binaries from this directory, they may run with elevated privileges. An attacker with local access can exploit this by placing a crafted executable that matches the expected filename, which will then be executed with the application's privileges rather than the attacker's limited permissions.
The vulnerability is classified under CWE-114 (Process Control) and CWE-269 (Improper Privilege Management), reflecting both the execution control weakness and the broader privilege management failure.
Root Cause
The root cause is improper access control configuration on directories used by SmartConsole for executable binaries. The installation process or default configuration grants write permissions to all authenticated users on directories that contain or are searched for executable files. This violates the principle of least privilege, as directories containing executables should only be writable by administrators.
Attack Vector
This is a local attack vector requiring authenticated access to the target system. The attack scenario involves:
- An attacker with low-privileged local access identifies the writable directory used by SmartConsole
- The attacker crafts a malicious executable designed to perform privileged operations
- The malicious executable is placed in the vulnerable directory, named to match expected binaries
- When SmartConsole executes, it loads and runs the attacker's malicious code with elevated privileges
- The attacker gains escalated permissions on the system
The vulnerability does not require user interaction beyond having authenticated access to the system, making it straightforward to exploit once local access is obtained.
Detection Methods for CVE-2020-6024
Indicators of Compromise
- Unexpected or newly created executables in SmartConsole installation directories
- Executables with recent modification timestamps that differ from the original installation
- Process execution anomalies where SmartConsole spawns unexpected child processes
- File system audit logs showing write operations to protected directories by non-administrative users
Detection Strategies
- Monitor file integrity of SmartConsole installation directories using file integrity monitoring (FIM) tools
- Configure Windows audit policies to log file creation and modification events in the SmartConsole directory
- Deploy endpoint detection rules to alert on executable writes to SmartConsole paths by non-admin users
- Use SentinelOne's behavioral AI to detect anomalous process execution chains originating from SmartConsole
Monitoring Recommendations
- Enable detailed file system auditing on SmartConsole installation directories
- Implement real-time alerting for any executable file changes in application directories
- Monitor for privilege escalation patterns using endpoint detection and response (EDR) solutions
- Review authentication logs for unusual local access patterns to systems running SmartConsole
How to Mitigate CVE-2020-6024
Immediate Actions Required
- Update Check Point SmartConsole to the patched versions immediately: R80.10 Build 185+, R80.20 Build 119+, R80.30 Build 94+, R80.40 Build 415+, or R81 Build 548+
- Audit current directory permissions on SmartConsole installations and restrict write access to administrators only
- Review systems for signs of exploitation before applying patches
- Implement application whitelisting to prevent unauthorized executable execution
Patch Information
Check Point has released security updates addressing this vulnerability. Refer to the Check Point Support Solution sk142952 for official patch information and download links.
The following minimum build versions contain the fix:
- R80.10 Build 185
- R80.20 Build 119
- R80.30 Build 94
- R80.40 Build 415
- R81 Build 548
Workarounds
- Manually restrict write permissions on SmartConsole installation directories to administrators only
- Implement application control policies to prevent execution of unsigned or unknown binaries
- Use Windows Software Restriction Policies or AppLocker to limit executable runs in vulnerable directories
- Consider network segmentation to limit local access to systems running SmartConsole
# Configuration example - Restrict directory permissions (Windows PowerShell)
# Review and restrict ACLs on SmartConsole directories
$path = "C:\Program Files (x86)\CheckPoint\SmartConsole"
$acl = Get-Acl $path
# Remove write permissions for authenticated users, retain only admin access
# Consult Check Point documentation for specific directory paths
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
