Vulners
Lucene search
Checkpoint Gaia Portal R81.10 Remote Command Execution
🗓️ 02 Aug 2023 00:00:00Reported by Rick Verdoes, Danny de Weille, pentests.nlType 
packetstorm🔗 packetstormsecurity.com👁 531 Views
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Checkpoint Gaia Portal R81.10 Remote Command Execution Vulnerability | 2 Aug 202300:00 | – | zdt |
 | CVE-2023-28130 | 26 Jul 202314:27 | – | circl |
 | Quantum Appliances 命令注入漏洞 | 26 Jul 202300:00 | – | cnnvd |
 | Check Point Response to CVE-2023-28130 - Hostname command injection in Gaia Portal | 25 Jul 202300:00 | – | checkpoint_security |
 | CVE-2023-28130 | 26 Jul 202310:57 | – | cve |
 | CVE-2023-28130 | 26 Jul 202310:57 | – | cvelist |
 | EUVD-2023-31841 | 3 Oct 202520:07 | – | euvd |
 | CVE-2023-28130 | 26 Jul 202311:15 | – | nvd |
 | CVE-2023-28130 | 26 Jul 202311:15 | – | osv |
 | Privilege escalation | 26 Jul 202311:15 | – | prion |
10
` =========================
Exploit Title: Hostname injection leads to Remote Code Execution RCE (Authenticated)
Product: Gaia Portal
Vendor: Checkpoint
Vulnerable Versions: R81.20 < Take 14, R81.10 < Take 95, R81 < Take 82 and R80.40 < Take 198
Tested Version: R81.10 (take 335)
Advisory Publication: July 27, 2023
Latest Update: July 72, 2023
Vulnerability Type: Improper Control of Generation of Code (Code Injection) [CWE-94]
CVE Reference: CVE-2023-28130
CVSS Severity: High
CVSS Score: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Impact score: 8.4
Credit: Rick Verdoes & Danny de Weille (Hackify | pentests.nl)
=========================
I. BACKGROUND
-------------------------
Check Point Gaia Portal is an advanced web-based interface designed for the configuration of the Gaia platform, a security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. The Gaia Portal allows for nearly all system configuration tasks to be performed through this interface.
II. VULNERABILITY
-------------------------
Check Point Gaia Portal has a vulnerability which allows an authenticated user with write permissions on the DNS settings to inject commands in a cgi script, leading to remote code execution on the operating system. The vulnerability lies in the parameter hostname in the web request /cgi-bin/hosts_dns.tcl, which is susceptible to command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user 'Admin'.
III. Proof of Concept
-------------------------
hostname=name|`COMMAND`&domainname=test.local&save=1
IV. Impact
-------------------------
Successful exploitation allows a remote authenticated attacker to execute commands on the operating system.
V. References
-------------------------
Security advisories:
https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-point-gaia-portal/
https://support.checkpoint.com/results/sk/sk181311
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Aug 2023 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.04173