ID
VAR-201206-0104
CVE
CVE-2012-2753
TITLE
Check Point Vulnerabilities that can be authorized in multiple products
Trust: 0.8
DESCRIPTION
Untrusted search path vulnerability in TrGUI.exe in the Endpoint Connect (aka EPC) GUI in Check Point Endpoint Security R73.x and E80.x on the VPN blade platform, Endpoint Security VPN R75, Endpoint Connect R73.x, and Remote Access Clients E75.x allows local users to gain privileges via a Trojan horse DLL in the current working directory. DLL It may be possible to get permission through the file. Check Point Endpoint Connect is prone to a vulnerability that lets attackers execute arbitrary code. An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. Check Point Endpoint Security is a set of endpoint security solutions from Check Point Company in the United States. This solution combines firewall, network access control, anti-virus, anti-spyware, data security and other functions to ensure that terminal PCs are free from Web-based threats. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Check Point Endpoint Connect Insecure Library Loading Vulnerability SECUNIA ADVISORY ID: SA49432 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/49432/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49432 RELEASE DATE: 2012-06-11 DISCUSS ADVISORY: http://secunia.com/advisories/49432/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/49432/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=49432 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Check Point EndPoint Connect, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the application loading certain libraries in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening unspecified file types located on a remote WebDAV or SMB share. Successful exploitation allows execution of arbitrary code. SOLUTION: Apply available hotfixes. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits Moshe Zioni, Comsec Consulting. ORIGINAL ADVISORY: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk76480&src=securityAlerts OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . A user with local disk access can carefuly construct a DLL that suits a pattern that is being traversed by the client and implement it somewhere along the search path and the client will load it seamlessly. Impact ========== After the DLL has been implemented, an unsuspected user that will run the program will cause it to load, resulting in arbitrary code execution with user's privilege level. Solution ========== Apply the appropriate Hotfix released by Checkpoint (one line URL): https://supportcenter.checkpoint.com/supportcenter/portal? eventSubmit_doGoviewsolutiondetails=&solutionid=sk76480 Credits ========== The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting. Timeline =========== 11 June 2012 Checkpoint officialy announce a Hotfix for the issue 6 June 2012 Checkpoint reported on finishing a fix to the reported issue 16 May 2012 Further correspondance (Comsec-Checkpoint) took place, discussing a remidiation 15 May 2012 First response from Checkpoint Security Team 15 May 2012 Bug reported by Moshe Zioni from Comsec Global Consulting References =========== Checkpoint http://www.checkpoint.com/ Comsec Global Consulting http://www.comsecglobal.com/
Trust: 2.16
AFFECTED PRODUCTS
| vendor: | checkpoint | model: | endpoint security vpn | scope: | eq | version: | r75 | Trust: 1.6 |
| vendor: | checkpoint | model: | endpoint security | scope: | eq | version: | e80 | Trust: 1.6 |
| vendor: | checkpoint | model: | endpoint security | scope: | eq | version: | e80.10 | Trust: 1.6 |
| vendor: | checkpoint | model: | remote access clients | scope: | eq | version: | e75.20 | Trust: 1.6 |
| vendor: | checkpoint | model: | endpoint connect | scope: | eq | version: | r73 | Trust: 1.6 |
| vendor: | checkpoint | model: | endpoint security | scope: | eq | version: | e80.30 | Trust: 1.6 |
| vendor: | checkpoint | model: | remote access clients | scope: | eq | version: | e75.10 | Trust: 1.6 |
| vendor: | checkpoint | model: | endpoint security | scope: | eq | version: | e80.20 | Trust: 1.6 |
| vendor: | checkpoint | model: | endpoint security | scope: | eq | version: | r73 | Trust: 1.6 |
| vendor: | checkpoint | model: | remote access clients | scope: | eq | version: | e75 | Trust: 1.6 |
| vendor: | check point | model: | endpoint connect | scope: | eq | version: | r73.x | Trust: 0.8 |
| vendor: | check point | model: | endpoint security | scope: | eq | version: | r73.x and e80.x (vpn blade) | Trust: 0.8 |
| vendor: | check point | model: | endpoint security vpn | scope: | eq | version: | r75 | Trust: 0.8 |
| vendor: | check point | model: | remote access clients | scope: | eq | version: | e75.x | Trust: 0.8 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | NVD-CWE-Other | Trust: 1.0 |
| problemtype: | CWE-Other | Trust: 0.8 |
THREAT TYPE
local
Trust: 0.7
TYPE
Design Error
Trust: 0.3
CONFIGURATIONS
EXPLOIT AVAILABILITY
PATCH
| title: | Endpoint Connect (EPC) DLL hijacking vulnerability | url: | https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk76480 | Trust: 0.8 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2012-2753 | Trust: 2.9 |
| db: | JVNDB | id: | JVNDB-2012-002785 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-201206-146 | Trust: 0.7 |
| db: | SECUNIA | id: | 49432 | Trust: 0.7 |
| db: | BUGTRAQ | id: | 20120613 SECURITY ADVISORY - CHECKPOINT ENDPOINT CONNECT VPN - DLL HIJACK | Trust: 0.6 |
| db: | BID | id: | 53925 | Trust: 0.4 |
| db: | PACKETSTORM | id: | 113630 | Trust: 0.2 |
| db: | VULHUB | id: | VHN-56034 | Trust: 0.1 |
| db: | PACKETSTORM | id: | 113537 | Trust: 0.1 |
REFERENCES
| url: | http://archives.neohapsis.com/archives/bugtraq/2012-06/0069.html | Trust: 1.7 |
| url: | https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk76480 | Trust: 1.6 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2753 | Trust: 0.8 |
| url: | http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-2753 | Trust: 0.8 |
| url: | http://secunia.com/advisories/49432 | Trust: 0.6 |
| url: | http://blog.rapid7.com/?p=5325 | Trust: 0.3 |
| url: | http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html | Trust: 0.3 |
| url: | http://blogs.technet.com/b/msrc/archive/2010/08/21/microsoft-security-advisory-2269637-released.aspx | Trust: 0.3 |
| url: | http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx | Trust: 0.3 |
| url: | http://www.microsoft.com/technet/security/advisory/2269637.mspx | Trust: 0.3 |
| url: | https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk76480 | Trust: 0.1 |
| url: | http://secunia.com/psi_30_beta_launch | Trust: 0.1 |
| url: | http://secunia.com/vulnerability_intelligence/ | Trust: 0.1 |
| url: | http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ | Trust: 0.1 |
| url: | https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk76480&src=securityalerts | Trust: 0.1 |
| url: | http://secunia.com/advisories/secunia_security_advisories/ | Trust: 0.1 |
| url: | https://ca.secunia.com/?page=viewadvisory&vuln_id=49432 | Trust: 0.1 |
| url: | http://secunia.com/vulnerability_scanning/personal/ | Trust: 0.1 |
| url: | http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org | Trust: 0.1 |
| url: | http://secunia.com/advisories/49432/ | Trust: 0.1 |
| url: | http://secunia.com/advisories/49432/#comments | Trust: 0.1 |
| url: | http://secunia.com/advisories/about_secunia_advisories/ | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2012-2753 | Trust: 0.1 |
| url: | http://www.checkpoint.com/ | Trust: 0.1 |
| url: | https://supportcenter.checkpoint.com/supportcenter/portal? | Trust: 0.1 |
| url: | http://www.comsecglobal.com/ | Trust: 0.1 |
CREDITS
Moshe Zioni, Comsec Consulting
Trust: 0.3
SOURCES
| db: | VULHUB | id: | VHN-56034 |
| db: | BID | id: | 53925 |
| db: | JVNDB | id: | JVNDB-2012-002785 |
| db: | PACKETSTORM | id: | 113537 |
| db: | PACKETSTORM | id: | 113630 |
| db: | CNNVD | id: | CNNVD-201206-146 |
| db: | NVD | id: | CVE-2012-2753 |
LAST UPDATE DATE
2025-04-11T23:07:25.238000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-56034 | date: | 2012-06-26T00:00:00 |
| db: | BID | id: | 53925 | date: | 2012-06-17T00:02:00 |
| db: | JVNDB | id: | JVNDB-2012-002785 | date: | 2012-06-21T00:00:00 |
| db: | CNNVD | id: | CNNVD-201206-146 | date: | 2012-06-14T00:00:00 |
| db: | NVD | id: | CVE-2012-2753 | date: | 2025-04-11T00:51:21.963 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-56034 | date: | 2012-06-19T00:00:00 |
| db: | BID | id: | 53925 | date: | 2012-06-11T00:00:00 |
| db: | JVNDB | id: | JVNDB-2012-002785 | date: | 2012-06-21T00:00:00 |
| db: | PACKETSTORM | id: | 113537 | date: | 2012-06-12T12:49:41 |
| db: | PACKETSTORM | id: | 113630 | date: | 2012-06-14T00:48:53 |
| db: | CNNVD | id: | CNNVD-201206-146 | date: | 2012-06-13T00:00:00 |
| db: | NVD | id: | CVE-2012-2753 | date: | 2012-06-19T20:55:07.037 |