In Check Point SSL VPN builds before 800007042, when environment variables are used in the configuration, ‘Mobile Access Portal Agent’ may run an arbitrary application from a specially crafted location instead of the predefined Native Application. ‘Mobile Access Portal Agent’ runs predefined Native Applications; if an administrator configured such an application with environment variables in its path, Portal Agent may run an arbitrary application that was placed in a specially created location.
This issue was discovered by CodeGreen Systems Security Analyst and Principal Consulting Engineer Raeez Abdulla during an SSL VPN penetration testing engagement with one of our BFSI customers. It is being disclosed in accordance with industry best-practice vulnerability disclosure policy and in cooperation with the Check Point Security Incident Response Team.
Exploitation of CVE-2021-30358 (FIXED)
Full PoC document can be downloaded from here
Check Point's KB article can be found at this link
Check Point's acknowledgement to CodeGreen can be found at this link
Users should install a hotfix to upgrade Portal Agent to a non-vulnerable version. If automatic updates are enabled (see sk94508), the update will be installed automatically on all relevant Check Point machines.
- Hotfix Name:
Check_Point_ESOD_CSHELL_AUTOUPDATE_Bundle_T17_AutoUpdate.tar (here is the link)
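The two conditions the advisory names are a Portal Agent build below 800007042 and a Native Application configured with environment variables in its path. The following audit helper is an added example written for this page; it is not CodeGreen's PoC and not Check Point code, and it assumes nothing about Check Point's real configuration format: it takes a plain list of path strings (the sample list is constructed) and flags those whose location depends on an environment variable, ranking higher the variables an unprivileged user can normally set for their own session (that list is an assumption, not from the advisory).

```python
"""Configuration audit for the issue class behind CVE-2021-30358.

Two checks, independent of Check Point's real configuration format:
  1. is the reported Portal Agent build at or above the fixed build 800007042?
  2. do configured Native Application paths reference environment variables,
     which is the condition under which the advisory says an arbitrary
     application may be run instead of the predefined one?
"""
import re

FIXED_BUILD = 800007042  # first non-vulnerable build, from the advisory

# Windows %VAR% and POSIX $VAR / ${VAR} references.
ENV_REF = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%|\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")

# Variables a standard (non-admin) user can influence for their own session,
# so a path built from them can resolve to a user-writable location.
# Assumption: illustrative list, not taken from the advisory.
USER_INFLUENCED = {"APPDATA", "LOCALAPPDATA", "TEMP", "TMP", "USERPROFILE", "HOME", "PATH"}


def build_is_vulnerable(build):
    """True when the reported Portal Agent build predates the fix."""
    digits = re.sub(r"\D", "", build)
    if not digits:
        raise ValueError("no build number in %r" % build)
    return int(digits) < FIXED_BUILD


def env_refs(path):
    """Return the environment variable names referenced in a configured path."""
    return [m.group(0).strip("%${}") for m in ENV_REF.finditer(path)]


def audit_app_paths(paths):
    """Classify each configured Native Application path.

    Returns (path, severity, reason) tuples; severity is 'ok' (no variables),
    'warn' (variable present) or 'high' (variable a user can influence).
    """
    findings = []
    for path in paths:
        refs = env_refs(path)
        if not refs:
            findings.append((path, "ok", "absolute path, no environment variables"))
            continue
        risky = [r for r in refs if r.upper() in USER_INFLUENCED]
        if risky:
            reason = "path depends on user-influenced variable(s): " + ", ".join(risky)
            findings.append((path, "high", reason))
        else:
            reason = "path depends on environment variable(s): " + ", ".join(refs)
            findings.append((path, "warn", reason))
    return findings


# Constructed sample configuration (not from the page or the product).
SAMPLE_PATHS = [
    r"C:\Program Files\Vendor\client.exe",
    r"%ProgramFiles%\Vendor\client.exe",
    r"%APPDATA%\Vendor\client.exe",
    "$HOME/bin/client",
]

if __name__ == "__main__":
    print("build 800007041 vulnerable:", build_is_vulnerable("build 800007041"))
    for path, severity, reason in audit_app_paths(SAMPLE_PATHS):
        print("[%-4s] %s: %s" % (severity, path, reason))
```

The remediation the advisory gives is the hotfix; the path audit is only a way to find configurations that still rely on environment-variable expansion and to replace them with fixed absolute paths to administrator-controlled directories.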
- Wed, 05 May 2021: Issue discovered by Raeez Abdulla, Security Analyst and Principal Consulting Engineer, CodeGreen Systems.
- Wed, 05 May 2021: Initial disclosure to Check Point Security Incident Response Team via email.
- Wed, 12 May 2021: Check Point confirms the vulnerability and assigns PD.
- Tue, 05 Oct 2021: Client-side and server-side fixes are released by Check Point.
- Sun, 17 Oct 2021: Details on CVE-2021-30358 published.