Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormRick Verdoes, Danny de Weille, pentests.nlPACKETSTORM:173918
HistoryAug 02, 2023 - 12:00 a.m.

Checkpoint Gaia Portal R81.10 Remote Command Execution

2023-08-0200:00:00
Rick Verdoes, Danny de Weille, pentests.nl
packetstormsecurity.com
173
check point gaia portal
remote code execution
command injection
web-based interface
vulnerability
authenticated user
dns settings
operating system
proof of concept
security advisory

0.001 Low

EPSS

Percentile

40.3%

JSON
` =========================  
Exploit Title: Hostname injection leads to Remote Code Execution RCE (Authenticated)  
Product: Gaia Portal  
Vendor: Checkpoint  
Vulnerable Versions: R81.20 < Take 14, R81.10 < Take 95, R81 < Take 82 and R80.40 < Take 198  
Tested Version: R81.10 (take 335)  
Advisory Publication: July 27, 2023  
Latest Update: July 72, 2023  
Vulnerability Type: Improper Control of Generation of Code (Code Injection) [CWE-94]  
CVE Reference: CVE-2023-28130  
CVSS Severity: High  
CVSS Score: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H  
Impact score: 8.4  
Credit: Rick Verdoes & Danny de Weille (Hackify | pentests.nl)  
=========================  
  
I. BACKGROUND  
-------------------------  
Check Point Gaia Portal is an advanced web-based interface designed for the configuration of the Gaia platform, a security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. The Gaia Portal allows for nearly all system configuration tasks to be performed through this interface.  
  
II. VULNERABILITY  
-------------------------  
Check Point Gaia Portal has a vulnerability which allows an authenticated user with write permissions on the DNS settings to inject commands in a cgi script, leading to remote code execution on the operating system. The vulnerability lies in the parameter hostname in the web request /cgi-bin/hosts_dns.tcl, which is susceptible to command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user 'Admin'.  
  
III. Proof of Concept  
-------------------------  
hostname=name|`COMMAND`&domainname=test.local&save=1  
  
IV. Impact  
-------------------------  
Successful exploitation allows a remote authenticated attacker to execute commands on the operating system.  
  
V. References  
-------------------------  
Security advisories:  
https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-point-gaia-portal/  
https://support.checkpoint.com/results/sk/sk181311  
  
  
`

Related

cve 1
cvelist 1
prion 1
nvd 1
zdt 1
cve
cve
CVE-2023-28130
2023-07-26 11:15:09
cvelist
cvelist
CVE-2023-28130
2023-07-26 10:57:02
prion
prion
Privilege escalation
2023-07-26 11:15:00
nvd
nvd
CVE-2023-28130
2023-07-26 11:15:09
zdt
zdt
Checkpoint Gaia Portal R81.10 Remote Command Execution Vulnerability
2023-08-02 00:00:00

0.001 Low

EPSS

Percentile

40.3%

JSON
Related for PACKETSTORM:173918
cve1cvelist1prion1nvd1zdt1