CVE-2023-28133 Overview
CVE-2023-28133 is a local privilege escalation vulnerability in Check Point Endpoint Security Client version E87.30 for Windows. A local attacker can escalate privileges by planting a crafted OpenSSL configuration file where a privileged client component loads it. The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource): the location from which the configuration file is read is not protected against writes by low-privileged users.
Critical Impact
A local attacker with a standard user account can exploit this vulnerability to gain elevated privileges by placing a crafted OpenSSL configuration file where the client will load it, which can lead to complete compromise of the host.
Affected Products
- Check Point Endpoint Security Client version E87.30 for Windows
- checkpoint endpoint_security (cpe:2.3:a:checkpoint:endpoint_security:e87.30:*:*:*:*:windows:*:*)
Discovery Timeline
- 2023-07-23 - CVE-2023-28133 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-28133
Vulnerability Analysis
This local privilege escalation exists because a critical resource, the OpenSSL configuration file consumed by the Check Point Endpoint Security Client, sits in a location whose permissions do not prevent low-privileged users from creating or modifying it.
Exploitation requires local access and user interaction, but no elevated privileges: a standard user account suffices. A successful attack gives the attacker full control over confidentiality, integrity and availability of the affected host. The impact is confined to that host; the flaw itself provides no means of network propagation.
Root Cause
The root cause is CWE-732: Incorrect Permission Assignment for Critical Resource. The Check Point Endpoint Security Client does not restrict write access to the location from which its OpenSSL configuration file is loaded. An unprivileged user can therefore place a malicious configuration file there, and when a privileged Check Point process initialises OpenSSL it processes that file, giving the attacker code execution in the elevated security context of that process.
Attack Vector
The attack vector for CVE-2023-28133 is local: the attacker needs an account on the target system. The exploitation process involves:
- The attacker identifies the path from which the Check Point Endpoint Security Client's OpenSSL library reads its configuration file
- Because the permissions on that path (or on a missing parent directory the attacker is allowed to create) are too permissive, the attacker can create or modify the configuration file
- The attacker crafts an OpenSSL configuration file whose directives point OpenSSL at a library of the attacker's choosing
- When a privileged Check Point process initialises the OpenSSL library, OpenSSL reads that configuration
- OpenSSL loads the referenced library into the privileged process, so the attacker's code runs with that process's privileges
The vulnerability exploits a standard OpenSSL feature: a configuration file can instruct OpenSSL to load a dynamic engine module (in OpenSSL 3.x, a provider module) from an arbitrary path, and OpenSSL does so when the application initialises the library. Two details matter for the privilege boundary. OpenSSL looks for the file at the compile-time OPENSSLDIR unless the OPENSSL_CONF environment variable overrides it, and since the attacker does not control the environment of a service running as SYSTEM, the compiled-in path is the one that has to be writable. And the loaded library's DllMain runs as soon as the module is mapped, so it does not need to be a valid engine to be useful to the attacker.
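To make the mechanism concrete, here is an added example; it is not from this page, from Check Point, or from the advisory. It pairs a minimal OpenSSL configuration that abuses the documented engine-section dynamic_path directive with a PowerShell function that reports whether a candidate configuration path, or the nearest existing directory above it, grants write or create rights to standard-user principals. The candidate path is an assumed placeholder: the page does not give the location the client reads, and the way to find it on a given build is to watch the privileged process with Process Monitor for a CreateFile on openssl.cnf (typically ending in NAME NOT FOUND).

```powershell
# Added example (not from the page or from Check Point). The config path used
# below is an ASSUMED placeholder for illustration; find the real one per build.

# (1) What a config that abuses OpenSSL's engine loading looks like (shown
#     only; nothing here writes it). The keys are the engine-section
#     directives documented in OpenSSL's config(5): dynamic_path makes the
#     built-in "dynamic" engine LoadLibrary() that file, so its DllMain runs
#     inside whatever process initialised OpenSSL with this config.
#     OpenSSL 3.x offers the analogous provider "module = <path>" key.
$maliciousCnf = @'
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
evil = evil_engine

[evil_engine]
# attacker-controlled DLL in a user-writable directory (assumed path)
dynamic_path = C:\Users\Public\evil.dll
init = 0
'@

# (2) Does a standard user get write/create rights on the config path? If the
#     file (or its directory) does not exist, what matters is the ACL of the
#     nearest existing ancestor: a creatable parent lets the attacker plant
#     the whole chain, so that is where the check is done.
function Test-OpenSslConfigWritable {
    param([Parameter(Mandatory)][string]$Path)

    $probe = $Path
    while (-not (Test-Path -LiteralPath $probe)) {
        $parent = Split-Path -Path $probe -Parent
        if (-not $parent -or $parent -eq $probe) { break }
        $probe = $parent
    }

    # Principals every interactive user holds; add site-specific groups as needed.
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    # WriteData/CreateFiles, AppendData/CreateDirectories, Delete,
    # ChangePermissions, TakeOwnership, plus GENERIC_WRITE and GENERIC_ALL
    # as they can appear in raw ACEs.
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

    # Only Allow ACEs are considered; a matching Deny ACE would override them,
    # so confirm a hit with an actual write attempt as the user.
    $hits = foreach ($ace in (Get-Acl -LiteralPath $probe).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { $ace.IdentityReference.Value }
    }

    [pscustomobject]@{
        ConfigPath   = $Path
        Exists       = [bool](Test-Path -LiteralPath $Path)
        AclCheckedOn = $probe
        WritableBy   = @($hits | Sort-Object -Unique)
        AtRisk       = (@($hits).Count -gt 0)
    }
}

# Usage (the path is an assumption, not the location used by the client):
Test-OpenSslConfigWritable -Path 'C:\usr\local\ssl\openssl.cnf' | Format-List
```

The check deliberately climbs to the nearest existing ancestor: on many systems a path like C:\<something>\openssl.cnf does not exist at all, and the exposure is that the root of C:\ lets Authenticated Users create directories, so the attacker simply creates the missing chain. A result that shows AclCheckedOn as a drive root with a non-empty WritableBy is the pattern to look for.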
Detection Methods for CVE-2023-28133
Indicators of Compromise
- Unexpected modifications to OpenSSL configuration files in Check Point installation directories
- Creation of new .cnf or other OpenSSL configuration files in locations the client's OpenSSL searches, particularly where standard users can write
- DLLs appearing in user-writable locations and referenced from an OpenSSL configuration file
- Unusual process spawning from Check Point Endpoint Security services with elevated privileges
Detection Strategies
- Monitor file system activity for changes to OpenSSL configuration file paths used by Check Point software
- Implement file integrity monitoring on Check Point Endpoint Security installation directories
- Use endpoint detection and response (EDR) solutions to detect privilege escalation patterns from endpoint security processes
- Enable Windows Security Event logging for file permission changes and process creation events
Monitoring Recommendations
- Configure alerts for write operations to Check Point Endpoint Security configuration directories by non-administrative users
- Monitor for new DLL loading events from Check Point processes that reference unusual file paths
- Establish baseline behavior for Check Point services and alert on deviations
- Review Windows Security event logs (Event IDs 4663 and 4656) for access attempts on sensitive configuration locations; these events are only generated for paths that carry a System Access Control List (SACL) with object access auditing enabled, so the configuration path has to be enrolled explicitly
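Hunting for the indicators above, as an added example that is not part of this page: PowerShell that pulls Security 4663 records and, as an assumption beyond what the page cites, Sysmon Event 7 (image load) records, and applies two tests to each: a non-SYSTEM account writing a .cnf file, and a Check Point process loading a DLL from outside trusted directories or an unsigned DLL from anywhere. Sysmon being installed, the log names, the "\CheckPoint\" image-path pattern and the SACL needed for 4663 are all assumptions. Constructed sample records at the end exercise the tests offline.

```powershell
# Added example, not from the page or from Check Point. Assumptions: Sysmon is
# installed (the page cites only 4663/4656), Check Point images live under a
# folder containing "\CheckPoint\", and the SACL needed for 4663 is in place.

$CheckPointImage = '\\CheckPoint\\'
$TrustedDirs     = @('C:\Program Files\', 'C:\Program Files (x86)\', 'C:\Windows\')
# WriteData, AppendData, Delete, WRITE_DAC, WRITE_OWNER as they appear in 4663 AccessMask
$WriteMask       = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000

# Flatten an EventRecord's <EventData> into a Name -> value hashtable.
function Get-EventDataMap {
    param([Parameter(Mandatory)]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

# Security 4663: write-class access to a *.cnf by anything other than SYSTEM.
# Extend the allow-list with your deployment/update accounts to cut noise.
function Test-SuspiciousCnfWrite {
    param([Parameter(Mandatory)][hashtable]$Data)
    if ($Data.ObjectName -notmatch '\.cnf$') { return $false }
    $mask = [Convert]::ToInt32($Data.AccessMask, 16)
    if (($mask -band $WriteMask) -eq 0) { return $false }
    if ($Data.SubjectUserSid -eq 'S-1-5-18') { return $false }   # NT AUTHORITY\SYSTEM
    return $true
}

# Sysmon 7: a Check Point process loading a DLL from outside trusted
# directories, or an unsigned DLL from anywhere (Sysmon reports Signed as text).
function Test-SuspiciousImageLoad {
    param([Parameter(Mandatory)][hashtable]$Data)
    if ($Data.Image -notmatch $CheckPointImage) { return $false }
    $trusted = $false
    foreach ($dir in $TrustedDirs) {
        if ($Data.ImageLoaded.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
    }
    return (-not $trusted) -or ($Data.Signed -ne 'true')
}

# Live hunt: both sources over the last N hours, emitted as one record per hit.
function Invoke-OpenSslConfigHunt {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $q = @{ LogName = 'Security'; Id = 4663; StartTime = $since }
    foreach ($e in (Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue)) {
        $d = Get-EventDataMap $e
        if (Test-SuspiciousCnfWrite $d) {
            [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'cnf-write'
                               Who  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                               What = $d.ObjectName; By = $d.ProcessName }
        }
    }
    $q = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = $since }
    foreach ($e in (Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue)) {
        $d = Get-EventDataMap $e
        if (Test-SuspiciousImageLoad $d) {
            [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'dll-load'
                               Who  = $d.Image; What = $d.ImageLoaded; By = $d.Signature }
        }
    }
}

# Constructed sample records (not real telemetry) so the tests can run offline.
# Paths and names are assumptions.
$sample4663 = @{ ObjectName = 'C:\usr\local\ssl\openssl.cnf'; AccessMask = '0x2'
                 SubjectUserSid = 'S-1-5-21-1-2-3-1001'; SubjectDomainName = 'WS01'
                 SubjectUserName = 'alice'; ProcessName = 'C:\Windows\System32\notepad.exe' }
$sampleSysmon7 = @{ Image = 'C:\Program Files\CheckPoint\Endpoint Security\Endpoint Connect\service.exe'
                    ImageLoaded = 'C:\Users\Public\evil.dll'; Signed = 'false' }
Test-SuspiciousCnfWrite  $sample4663
Test-SuspiciousImageLoad $sampleSysmon7

# Live hunt over the last 24 hours:
Invoke-OpenSslConfigHunt | Format-Table -AutoSize
```

The two constructed records are the positive case for each test. The image-load test is the higher-signal one: a legitimate client should never map a DLL from a user-writable path, so a hit there needs no further allow-listing, whereas the 4663 test will also catch legitimate installers and update agents until those accounts are added to the allow-list.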
How to Mitigate CVE-2023-28133
Immediate Actions Required
- Update Check Point Endpoint Security Client to the latest patched version as specified in the vendor advisory
- Restrict file system permissions on OpenSSL configuration file locations to prevent unauthorized modifications
- Implement application whitelisting to prevent unauthorized code execution from Check Point process contexts
- Review and audit file permissions across all Check Point installation directories
Patch Information
Check Point has released a security advisory addressing this vulnerability. Administrators should consult the Check Point Security Advisory (sk181276) for specific patch information and remediation steps. It is recommended to update to the latest version of the Endpoint Security Client that addresses this vulnerability.
Workarounds
- Apply strict ACLs (Access Control Lists) to the directory from which OpenSSL configuration files are read, so that only SYSTEM and Administrators have write access; that directory is the one the client's OpenSSL build is compiled to use and is not necessarily under the installation directory, and if it does not exist it should be created with those ACLs so that a standard user cannot create it instead
- Use Windows Software Restriction Policies or AppLocker, with DLL rules enabled, to prevent Check Point processes from loading unsigned libraries from user-writable locations
- Implement least-privilege principles for user accounts that interact with systems running vulnerable Check Point software
- Deploy host-based intrusion detection to monitor for exploitation attempts until patching can be completed
# Example: Restrict permissions on Check Point configuration directories (PowerShell)
# Adjust the path to the directory the client's OpenSSL actually reads its
# configuration from; it is not necessarily the installation directory.
# Run from an elevated session. Standard users keep read/execute so the client
# still works for them; only SYSTEM and Administrators may write.
$path = "C:\Program Files\CheckPoint\Endpoint Security\Endpoint Connect"
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and start from an empty DACL
$inherit = "ContainerInherit,ObjectInherit"   # apply to the directory, its files and subfolders
foreach ($entry in @(
    @("BUILTIN\Administrators", "FullControl"),
    @("NT AUTHORITY\SYSTEM",    "FullControl"),
    @("BUILTIN\Users",          "ReadAndExecute"))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($entry[0], $entry[1], $inherit, "None", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl $path $acl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.