
CodeGreen Discovers Check Point SSL VPN Zero Day Vulnerability (CVE-2021-30358)


Friday, October 22, 2021

In Check Point SSL VPN before build 800007042, when environment variables are used in the configuration, ‘Mobile Access Portal Agent’ may run arbitrary applications from a specially crafted location instead of the predefined Native Application. ‘Mobile Access Portal Agent’ runs predefined Native Applications. If an administrator configured such an application with environment variables in the path, Portal Agent may run an arbitrary application that was placed in a specially created location.
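To find which Native Application definitions meet the condition described above, this added example (not code from CodeGreen or Check Point) scans a list of configured paths for environment-variable references and shows that each flagged path resolves to a different location depending on the endpoint's environment. The `(name, path)` input format, the application names and the sample environments are constructed assumptions; the real paths have to be taken from your own Mobile Access configuration.

```python
import re

# Matches %VAR% (Windows) and ${VAR} / $VAR (POSIX shells).
ENV_REF = re.compile(
    r"%([A-Za-z_][A-Za-z0-9_()]*)%"
    r"|\$\{([A-Za-z_][A-Za-z0-9_]*)\}"
    r"|\$([A-Za-z_][A-Za-z0-9_]*)"
)

def env_refs(path):
    """Names of the environment variables referenced in path, in order, no repeats."""
    seen = []
    for m in ENV_REF.finditer(path):
        name = next(g for g in m.groups() if g)
        if name not in seen:
            seen.append(name)
    return seen

def resolve(path, env):
    """Expand references from the dict env; unknown variables stay as written."""
    return ENV_REF.sub(
        lambda m: env.get(next(g for g in m.groups() if g), m.group(0)), path)

def audit(apps, environments):
    """Flag every definition whose path depends on the endpoint's environment."""
    findings = []
    for name, path in apps:
        refs = env_refs(path)
        if refs:
            findings.append({
                "app": name, "path": path, "variables": refs,
                "resolves_to": sorted({resolve(path, e) for e in environments}),
            })
    return findings

# Constructed sample data: hypothetical application names, paths and environments.
APPS = [
    ("Terminal client", r"C:\Program Files\Vendor\term.exe"),
    ("Report viewer", r"%APPDATA%\Vendor\viewer.exe"),
    ("Sync tool", "$HOME/bin/sync"),
]
ENVIRONMENTS = [
    {"APPDATA": r"C:\Users\alice\AppData\Roaming", "HOME": "/home/alice"},
    {"APPDATA": r"D:\Profiles\bob\AppData\Roaming", "HOME": "/home/bob"},
]

if __name__ == "__main__":
    for f in audit(APPS, ENVIRONMENTS):
        print(f"{f['app']}: {f['path']} uses {', '.join(f['variables'])}")
        for p in f["resolves_to"]:
            print(f"    -> {p}")
```

Definitions that come back from `audit` are the ones whose launched binary is decided on the endpoint rather than pinned by the configured path.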

This issue was discovered by CodeGreen Systems Security Analyst and Principal Consulting Engineer Raeez Abdulla during an SSL VPN penetration testing engagement with one of our BFSI customers. It is being disclosed in accordance with industry best-practice vulnerability disclosure policy and in cooperation with the Check Point Security Incident Response Team.


Exploitation of CVE-2021-30358 (FIXED)

Full PoC document can be downloaded from here
https://www.codegreen.ae/checkpoint-zeroday

Check Point's KB article can be found at this link

Check Point's acknowledgement to CodeGreen can be found at this link

 

Remediating CVE-2021-30358

Users should install a hotfix to upgrade Portal Agent to a non-vulnerable version. If automatic updates are enabled (see sk94508), the update will be installed automatically on all relevant Check Point machines.

  • Hotfix Name: Check_Point_ESOD_CSHELL_AUTOUPDATE_Bundle_T17_AutoUpdate.tar (here is the link)

Disclosure Timeline:

  • Wed, 05 May 2021: Issue discovered by Raeez Abdulla, Security Analyst and Principal Consulting Engineer, CodeGreen Systems.
  • Wed, 05 May 2021: Initial disclosure to Check Point Security Incident Response Team via email.
  • Wed, 12 May 2021: Check Point confirms the vulnerability and assigns PD
  • Tue, 05 Oct 2021: Client-side and server-side fixes are released by Check Point.
  • Sun, 17 Oct 2021: Details on CVE-2021-30358 published.
