Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtRick Verdoes1337DAY-ID-38928
HistoryAug 02, 2023 - 12:00 a.m.

Checkpoint Gaia Portal R81.10 Remote Command Execution Vulnerability

2023-08-0200:00:00
Rick Verdoes
0day.today
187
check point
gaia portal
vulnerability
remote code execution
authenticated user
dns settings
command injection
operating system
remote attack
advisory
cve-2023-28130

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

40.3%

JSON
=========================
Exploit Title: Hostname injection leads to Remote Code Execution RCE (Authenticated)
Product: Gaia Portal
Vendor: Checkpoint
Vulnerable Versions: R81.20 < Take 14, R81.10 < Take 95, R81 < Take 82 and R80.40 < Take 198
Tested Version: R81.10 (take 335)
Advisory Publication: July 27, 2023
Latest Update: July 72, 2023
Vulnerability Type: Improper Control of Generation of Code (Code Injection) [CWE-94]
CVE Reference: CVE-2023-28130
CVSS Severity: High
CVSS Score: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Impact score: 8.4
Credit: Rick Verdoes & Danny de Weille (Hackify | pentests.nl)
=========================

 I. BACKGROUND
-------------------------
Check Point Gaia Portal is an advanced web-based interface designed for the configuration of the Gaia platform, a security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. The Gaia Portal allows for nearly all system configuration tasks to be performed through this interface.

 II. VULNERABILITY
-------------------------
Check Point Gaia Portal has a vulnerability which allows an authenticated user with write permissions on the DNS settings to inject commands in a cgi script, leading to remote code execution on the operating system. The vulnerability lies in the parameter hostname in the web request /cgi-bin/hosts_dns.tcl, which is susceptible to command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user 'Admin'.

 III. Proof of Concept
-------------------------
hostname=name|`COMMAND`&domainname=test.local&save=1

 IV. Impact
-------------------------
Successful exploitation allows a remote authenticated attacker to execute commands on the operating system.

 V. References
-------------------------
Security advisories:
https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-point-gaia-portal/
https://support.checkpoint.com/results/sk/sk181311

Related

cve 1
cvelist 1
packetstorm 1
prion 1
nvd 1
cve
cve
CVE-2023-28130
2023-07-26 11:15:09
cvelist
cvelist
CVE-2023-28130
2023-07-26 10:57:02
packetstorm
packetstorm
Checkpoint Gaia Portal R81.10 Remote Command Execution
2023-08-02 00:00:00
prion
prion
Privilege escalation
2023-07-26 11:15:00
nvd
nvd
CVE-2023-28130
2023-07-26 11:15:09

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

40.3%

JSON
Related for 1337DAY-ID-38928
cve1cvelist1packetstorm1prion1nvd1