Details of VAR-201311-0308

ID

VAR-201311-0308

CVE

CVE-2013-5636

TITLE

Check Point Endpoint Security of Media Encryption EPM Explorer of Unlock.exe Vulnerabilities that bypass device locking protection mechanisms

Trust: 0.8

sources: JVNDB: JVNDB-2013-005339

DESCRIPTION

Unlock.exe in Media Encryption EPM Explorer in Check Point Endpoint Security through E80.50 does not associate password failures with a device ID, which makes it easier for physically proximate attackers to bypass the device-locking protection mechanism by overwriting DVREM.EPM with a copy of itself after each few password guesses. Check Point Media Encryption EPM Explorer is prone to a security-bypass vulnerability. An attacker with physical access may be able to exploit this issue to bypass device locking protection and aid in brute-force attacks; other attacks may also be possible. Check Point Endpoint Security Media Encryption E80.41 and E80.50 are vulnerable. This solution combines firewall, network access control, anti-virus, anti-spyware, data security and other functions to ensure that terminal PCs are free from Web-based threats. Failed password limit bypass. Risk: Low to Medium Date: 13.Nov.2013 Author: Pedro Andujar .: [ INTRO ] :. .: [ TECHNICAL DESCRIPTION ] :. When accessing an encrypted removable device from a computer without Endpoint Security installed on it, it should contains the files described below: DVREM.EPM - Encrypted Portable Media (aka the encrypted volume which contains data) Unlock.exe - EPM Explorer (software which allows you to decrypt and access the content) Despite other scenarios offers better performance (like attacking the EPM directly), less skilled attackers can take advantage of Unlock.exe to attempt to bruteforce the password. .: [ ISSUE #1 }:. Name: Multiple Unlock.exe instances Severity: Low CVE: CVE-2013-5635 CWE-372: Incomplete Internal State Distinction If password policy sets a limit of 5 failed password attempts before device is locked, executing n instances of Unlock.exe at the same time will allow you to get nx5 password attempts (5 for each instance). Some controls should be applied to prevent multiple EPM explorers being concurrently executed, or at least synchronization regarding the state of failed password attempts. .: [ ISSUE #2 }:. Name: Device link not enforced Severity: Low CVE: CVE-2013-5636 CWE-285: Improper Authorization Unlock.exe contains some restrictions that forces you to store the EPM file in the top of the directory tree, just after a unit letter and coloms (Ex: X:\DVREM.EPM), so it cannot be inside a folder. But this is not enough and still can be extracted from the removable media and be stored in a different drive. Allowing Unlock.exe to be executed and access EPM stored on a different device/drive, increase the window of time for attackers which can try to access the information without having the originally encrypted device on their hands. Additionally everytime the EPM is overwrited by a freshcopy of itself, the failed password attempts is reseted, allowing you to try another 5 times, so you can perform infinite attempts. This charasteristic open some social engineering attack scenarios, like copying the EPM and Unlock.exe before returning a lent device to it's originall owner or just taking it for few seconds when owner is not paying atention. Ideally EPM file should be associated to the device ID at its creation time, and EPM explorer should check the device ID (or other unique device identifier) to prevent it opening the EPM in a different location. .: [ CHANGELOG ] :. * 16/Dec/2012: - Issue found * 25/Aug/2013: - Vendor contacted * 26/Aug/2013: - Vendor Ack * 11/Nov/2013: - Vendor finished the Fix for Issue #1 - Issue #2 considered not fixeable * 14/Nov/2013: - Public Disclosure .: [ SOLUTIONS ] :. Check Point offers an improved client for this issue. Solution ID: sk96589 https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk96589 .: [ REFERENCES ] :

Trust: 2.16

sources: NVD: CVE-2013-5636 // JVNDB: JVNDB-2013-005339 // BID: 64024 // VULHUB: VHN-65638 // VULMON: CVE-2013-5636 // PACKETSTORM: 124019

AFFECTED PRODUCTS

vendor:	checkpoint	model:	endpoint security	scope:	eq	version:	e80.40	Trust: 1.6
vendor:	checkpoint	model:	endpoint security	scope:	eq	version:	e80	Trust: 1.6
vendor:	checkpoint	model:	endpoint security	scope:	eq	version:	e80.41	Trust: 1.6
vendor:	checkpoint	model:	endpoint security	scope:	eq	version:	e80.30	Trust: 1.6
vendor:	checkpoint	model:	endpoint security	scope:	eq	version:	e80.20	Trust: 1.6
vendor:	checkpoint	model:	endpoint security	scope:	eq	version:	e80.10	Trust: 1.6
vendor:	checkpoint	model:	endpoint security	scope:	eq	version:	e80.50	Trust: 1.6
vendor:	check point	model:	endpoint security	scope:	lte	version:	e80.50	Trust: 0.8
vendor:	check	model:	point software endpoint security media encryption e80.50	scope:	-	version:	-	Trust: 0.3
vendor:	check	model:	point software endpoint security media encryption e80.41	scope:	-	version:	-	Trust: 0.3

sources: BID: 64024 // JVNDB: JVNDB-2013-005339 // CNNVD: CNNVD-201311-479 // NVD: CVE-2013-5636

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-5636
value:	LOW
Trust: 1.0
NVD:	CVE-2013-5636
value:	LOW
Trust: 0.8
CNNVD:	CNNVD-201311-479
value:	LOW
Trust: 0.6
VULHUB:	VHN-65638
value:	LOW
Trust: 0.1
VULMON:	CVE-2013-5636
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2013-5636
severity:	LOW
baseScore:	3.3
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-65638
severity:	LOW
baseScore:	3.3
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-65638 // VULMON: CVE-2013-5636 // JVNDB: JVNDB-2013-005339 // CNNVD: CNNVD-201311-479 // NVD: CVE-2013-5636

PROBLEMTYPE DATA

problemtype:

CWE-255

Trust: 1.9

sources: VULHUB: VHN-65638 // JVNDB: JVNDB-2013-005339 // NVD: CVE-2013-5636

THREAT TYPE

local

Trust: 0.9

sources: BID: 64024 // CNNVD: CNNVD-201311-479

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201311-479

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005339

PATCH

title:	Check Point response to Media Encryption EPM Explorer lockout bypass (sk96589)	url:	https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk96589	Trust: 0.8
title:	Check_Point_E80.50_Media_Encryption_Port_Protection_Hotfix_sk96589	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=46853	Trust: 0.6

sources: JVNDB: JVNDB-2013-005339 // CNNVD: CNNVD-201311-479

EXTERNAL IDS

db:	NVD	id:	CVE-2013-5636	Trust: 3.0
db:	JVNDB	id:	JVNDB-2013-005339	Trust: 0.8
db:	CNNVD	id:	CNNVD-201311-479	Trust: 0.7
db:	BID	id:	64024	Trust: 0.5
db:	VULHUB	id:	VHN-65638	Trust: 0.1
db:	VULMON	id:	CVE-2013-5636	Trust: 0.1
db:	PACKETSTORM	id:	124019	Trust: 0.1

sources: VULHUB: VHN-65638 // VULMON: CVE-2013-5636 // BID: 64024 // JVNDB: JVNDB-2013-005339 // PACKETSTORM: 124019 // CNNVD: CNNVD-201311-479 // NVD: CVE-2013-5636

REFERENCES

url:	http://www.digitalsec.net/stuff/explt+advs/checkpoint_endpoint_epm_explorer.txt	Trust: 2.9
url:	https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk96589	Trust: 2.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5636	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5636	Trust: 0.8
url:	http://www.checkpoint.com/index.html	Trust: 0.3
url:	https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk96589	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/255.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.securityfocus.com/bid/64024	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-5635	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-5636	Trust: 0.1
url:	https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsecurityalerts	Trust: 0.1
url:	http://downloads.checkpoint.com/dc/download.htm?id=10580	Trust: 0.1
url:	http://www.digitalsec.net/	Trust: 0.1

sources: VULHUB: VHN-65638 // VULMON: CVE-2013-5636 // BID: 64024 // JVNDB: JVNDB-2013-005339 // PACKETSTORM: 124019 // CNNVD: CNNVD-201311-479 // NVD: CVE-2013-5636

CREDITS

Pedro Andujar

Trust: 0.4

sources: BID: 64024 // PACKETSTORM: 124019

SOURCES

db:	VULHUB	id:	VHN-65638
db:	VULMON	id:	CVE-2013-5636
db:	BID	id:	64024
db:	JVNDB	id:	JVNDB-2013-005339
db:	PACKETSTORM	id:	124019
db:	CNNVD	id:	CNNVD-201311-479
db:	NVD	id:	CVE-2013-5636

LAST UPDATE DATE

2025-04-11T22:53:10.390000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-65638	date:	2013-12-02T00:00:00
db:	VULMON	id:	CVE-2013-5636	date:	2013-12-02T00:00:00
db:	BID	id:	64024	date:	2013-11-14T00:00:00
db:	JVNDB	id:	JVNDB-2013-005339	date:	2013-12-03T00:00:00
db:	CNNVD	id:	CNNVD-201311-479	date:	2013-12-06T00:00:00
db:	NVD	id:	CVE-2013-5636	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-65638	date:	2013-11-30T00:00:00
db:	VULMON	id:	CVE-2013-5636	date:	2013-11-30T00:00:00
db:	BID	id:	64024	date:	2013-11-14T00:00:00
db:	JVNDB	id:	JVNDB-2013-005339	date:	2013-12-03T00:00:00
db:	PACKETSTORM	id:	124019	date:	2013-11-14T15:55:55
db:	CNNVD	id:	CNNVD-201311-479	date:	2013-11-30T00:00:00
db:	NVD	id:	CVE-2013-5636	date:	2013-11-30T11:43:54.647