CVE-2019-8461 - OpenCVE

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. An attacker can leverage this to gain LPE using a specially crafted DLL placed in any PATH location accessible with write permissions to the user.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Checkpoint	Remote Access Clients Capsule Docs Standalone Client Endpoint Security

Configuration 1 [-]

OR	cpe:2.3:a:checkpoint:capsule_docs_standalone_client::::::::
	cpe:2.3:a:checkpoint:endpoint_security::::::windows::*
	cpe:2.3:a:checkpoint:remote_access_clients::::::windows::*

References

Link	Resource
https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM	Exploit Third Party Advisory
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk160812	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: checkpoint

Published: 2019-08-29T20:41:54

Updated: 2019-09-03T19:36:06

Reserved: 2019-02-18T00:00:00

Link: CVE-2019-8461

JSON object: View

NVD Information

Status : Modified

Published: 2019-08-29T21:15:11.400

Modified: 2019-10-09T23:52:27.670

Link: CVE-2019-8461

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Check Point Endpoint Security Initial Client for Windows", "vendor": "n/a", "versions": [{"status": "affected", "version": "before version E81.30"}]}], "descriptions": [{"lang": "en", "value": "Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. An attacker can leverage this to gain LPE using a specially crafted DLL placed in any PATH location accessible with write permissions to the user."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-114", "description": "CWE-114: Process Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-09-03T19:36:06", "orgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45", "shortName": "checkpoint"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk160812"}, {"tags": ["x_refsource_MISC"], "url": "https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@checkpoint.com", "ID": "CVE-2019-8461", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Check Point Endpoint Security Initial Client for Windows", "version": {"version_data": [{"version_value": "before version E81.30"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. An attacker can leverage this to gain LPE using a specially crafted DLL placed in any PATH location accessible with write permissions to the user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-114: Process Control"}]}]}, "references": {"reference_data": [{"name": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk160812", "refsource": "MISC", "url": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk160812"}, {"name": "https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM", "refsource": "MISC", "url": "https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM"}]}}}}, "cveMetadata": {"assignerOrgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45", "assignerShortName": "checkpoint", "cveId": "CVE-2019-8461", "datePublished": "2019-08-29T20:41:54", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2019-09-03T19:36:06", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:checkpoint:capsule_docs_standalone_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8D79F85-DC49-456B-BFB8-5E303F8A0E8D", "versionEndExcluding": "e80.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:checkpoint:endpoint_security:*:*:*:*:*:windows:*:*", "matchCriteriaId": "27BB2058-E39A-4830-A351-B1D544C17E5C", "versionEndExcluding": "e81.30", "vulnerable": true}, {"criteria": "cpe:2.3:a:checkpoint:remote_access_clients:*:*:*:*:*:windows:*:*", "matchCriteriaId": "EF0F072B-5EF9-406B-9647-A300C7CD79F0", "versionEndExcluding": "e81.30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. An attacker can leverage this to gain LPE using a specially crafted DLL placed in any PATH location accessible with write permissions to the user."}, {"lang": "es", "value": "Check Point Endpoint Security Initial Client para Windows versi\u00f3n anterior a E81.30, intenta cargar una biblioteca DLL localizada en cualquier ubicaci\u00f3n de RUTA (PATH) en una imagen limpia sin el Endpoint Client instalado. Un atacante puede aprovechar esto para conseguir LPE usando una DLL especialmente dise\u00f1ada localizada en cualquier ubicaci\u00f3n de RUTA (PATH) accesible con permisos de escritura para el usuario."}], "id": "CVE-2019-8461", "lastModified": "2019-10-09T23:52:27.670", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-29T21:15:11.400", "references": [{"source": "cve@checkpoint.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM"}, {"source": "cve@checkpoint.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk160812"}], "sourceIdentifier": "cve@checkpoint.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-114"}], "source": "cve@checkpoint.com", "type": "Secondary"}]}