The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of CheckPoint Endpoint Security

computer vulnerability bulletin CVE-2013-7304

Check Point Endpoint Security MI: certificate not checked

Synthesis of the vulnerability

An attacker can access the Check Point Endpoint Security MI service without using a certificate.
Impacted products: CheckPoint Endpoint Security.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 20/12/2013.
Identifiers: BID-65135, CVE-2013-7304, sk97784, VIGILANCE-VUL-13968.

Description of the vulnerability

The Endpoint Security MI Server R73 product can be configured to validate certificates.

However, this configuration directive is ignored, so certificates are not checked.

An attacker can therefore access the Check Point Endpoint Security MI service without using a certificate.

computer vulnerability note CVE-2013-5635 CVE-2013-5636

Check Point Endpoint Security: brute force of Media Encryption EPM

Synthesis of the vulnerability

A local attacker can bypass the limit on the number of authentication failures in Media Encryption EPM of Check Point Endpoint Security, in order to use a brute force attack to access the encrypted device.
Impacted products: CheckPoint Endpoint Security.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 03/12/2013.
Identifiers: BID-64024, BID-64026, CVE-2013-5635, CVE-2013-5636, sk96589, VIGILANCE-VUL-13859.

Description of the vulnerability

The Media Encryption EPM Explorer product is used to access encrypted devices. It is impacted by two vulnerabilities.

An attacker can use several simultaneous instances of Unlock.exe, in order to exceed the maximum number of password attempts. [severity:2/4; BID-64026, CVE-2013-5635]

An attacker can move the DVREM.EPM file, in order to exceed the maximum number of password attempts. [severity:2/4; BID-64024, CVE-2013-5636]

A local attacker can therefore bypass the limit on the number of authentication failures in Media Encryption EPM of Check Point Endpoint Security, in order to use a brute force attack to access the encrypted device.

computer vulnerability bulletin CVE-2012-2753

Check Point Endpoint Connect: command execution via DLL Preload

Synthesis of the vulnerability

An attacker can create a malicious DLL and invite the victim to open Check Point Endpoint Connect in the same directory, in order to execute code.
Impacted products: CheckPoint Endpoint Security, CheckPoint SecureClient, CheckPoint SecuRemote.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 11/06/2012.
Identifiers: BID-53925, CERTA-2012-AVI-318, CVE-2012-2753, sk76480, VIGILANCE-VUL-11688.

Description of the vulnerability

The Check Point Endpoint Connect (TrGUI.exe) product loads a library insecurely.

An attacker can thus use the VIGILANCE-VUL-9879 vulnerability to execute code.

computer vulnerability note CVE-2011-4885

PHP: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data generating storage collisions, in order to overload a service.
Impacted products: CheckPoint Endpoint Security, CheckPoint Security Gateway, Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, Mandriva Linux, openSUSE, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 22/02/2012.
Identifiers: BID-51193, c03183543, CERTA-2011-AVI-728, CVE-2011-4885, DSA-2399-1, DSA-2399-2, FEDORA-2012-0420, FEDORA-2012-0504, HPSBUX02741, MDVSA-2011:197, MDVSA-2012:071, n.runs-SA-2011.004, oCERT-2011-003, openSUSE-SU-2012:0426-1, RHSA-2012:0019-01, RHSA-2012:0033-01, RHSA-2012:0071-01, sk66350, SOL13588, SSRT100728, SUSE-SU-2012:0411-1, SUSE-SU-2012:0496-1, VIGILANCE-VUL-11379.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11254 describes a vulnerability which can be used to create a denial of service on several applications.

This vulnerability impacts PHP.

In order to simplify VIGILANCE-VUL-11254, which was too big, solutions for PHP were moved here.

vulnerability note CVE-2011-3414 CVE-2011-4461 CVE-2011-4462

Multiple: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data generating storage collisions, in order to overload a service.
Impacted products: CheckPoint Endpoint Security, CheckPoint Security Gateway, Debian, Fedora, WebSphere AS Traditional, IIS, .NET Framework, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Snap Creator Framework, openSUSE, Oracle AS, Oracle Communications, Oracle DB, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Server, Tuxedo, WebLogic, Oracle Web Tier, RHEL.
Severity: 3/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 11.
Creation date: 28/12/2011.
Revision date: 22/02/2012.
Identifiers: 1506603, 2638420, 2659883, BID-51186, BID-51194, BID-51195, BID-51196, BID-51197, BID-51199, BID-51235, BID-51441, CERTA-2011-AVI-727, CERTA-2011-AVI-728, cpujul2018, CVE-2011-3414, CVE-2011-4461, CVE-2011-4462, CVE-2011-4885, CVE-2011-5034, CVE-2011-5035, CVE-2011-5036, CVE-2011-5037, CVE-2012-0039, CVE-2012-0193, CVE-2012-0839, DSA-2783-1, DSA-2783-2, FEDORA-2012-0730, FEDORA-2012-0752, MS11-100, n.runs-SA-2011.004, NTAP-20190307-0004, oCERT-2011-003, openSUSE-SU-2012:0262-1, PM53930, RHSA-2012:1604-01, RHSA-2012:1605-01, RHSA-2012:1606-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk66350, VIGILANCE-VUL-11254, VU#903934.

Description of the vulnerability

A hash table stores information as keys pointing to values. Each key is converted to an integer, which is the index of the slot where its data is stored. For example:
 - keyA is converted to 34
 - keyB is converted to 13
The data is then stored at indexes 34 and 13.

In most cases, keys generate integers which are uniformly distributed over the storage area (which runs for example between 0 and 99). However, if an attacker computes his keys in such a way that they are all converted to the same integer (for example 34), all data is stored at the same location (at index 34). Every access then has to walk through all entries stored there, so the access time becomes very large.

A posted HTTP form is used to send a lot of variables. For example: var1=a, var2=b, etc. Web servers store these variables in a hash table. However, if the attacker computes his keys (variable names) in such a way that they are all stored at the same place, he can overload the server.

Other features, such as a JSON parser or additional services, can also be used as an attack vector.
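The effect described above can be measured on a small chained table. This is an added example, not code from the bulletin or from any affected product: weak_hash, keyed_hash, insert_all, parse_form and the max_vars limit are hypothetical names, and the colliding keys are constructed for the toy hash only. It compares an unkeyed hash with a keyed one and shows a cap on the number of posted variables.

```python
import hashlib
import itertools

BUCKETS = 100  # the storage area runs from 0 to 99, as in the text


def weak_hash(key):
    """Toy unkeyed hash (byte sum), constructed for this example."""
    return sum(key.encode()) % BUCKETS


def keyed_hash(key, secret):
    """Hash mixed with a secret, so indexes cannot be computed in advance."""
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def insert_all(keys, hash_fn):
    """Fill a chained table; return (comparisons, longest chain)."""
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = table[hash_fn(key)]
        comparisons += len(chain)  # the duplicate check walks the chain
        if key not in chain:
            chain.append(key)
    return comparisons, max(len(chain) for chain in table)


def parse_form(pairs, max_vars=1000):
    """Refuse a posted form with more variables than max_vars (assumed limit)."""
    if len(pairs) > max_vars:
        raise ValueError("too many form variables")
    return dict(pairs)


# Constructed sample: 720 variable names that are permutations of the same
# six letters, so the byte sum (and the toy hash) is identical for all.
COLLIDING = ["".join(p) for p in itertools.permutations("abcdef")]

if __name__ == "__main__":
    import os
    secret = os.urandom(16)  # chosen once per process
    print("unkeyed:", insert_all(COLLIDING, weak_hash))
    print("keyed  :", insert_all(COLLIDING, lambda k: keyed_hash(k, secret)))
```

With the unkeyed hash the work grows with the square of the number of variables; with the keyed hash the same names spread over the table.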

The following products are also impacted:
 - Apache APR (VIGILANCE-VUL-11380)
 - Apache Xerces-C++ (VIGILANCE-VUL-15082)
 - Apache Xerces Java (VIGILANCE-VUL-15083)
 - expat (VIGILANCE-VUL-11420)
 - Java Lightweight HTTP Server (VIGILANCE-VUL-11381)
 - Java Language (VIGILANCE-VUL-11715)
 - libxml2 (VIGILANCE-VUL-11384)
 - PHP (VIGILANCE-VUL-11379)
 - Python (VIGILANCE-VUL-11416)
 - Ruby (VIGILANCE-VUL-11382)
 - Tomcat (VIGILANCE-VUL-11383)

An attacker can therefore send data generating storage collisions, in order to overload a service.

vulnerability note CVE-2011-3192

Apache httpd: denial of service via Range or Request-Range

Synthesis of the vulnerability

An attacker can send several parallel requests using Range or Request-Range, in order to progressively consume the available memory.
Impacted products: Apache httpd, CheckPoint Endpoint Security, IPSO, CheckPoint Security Gateway, CiscoWorks, Nexus by Cisco, NX-OS, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, Mandriva Linux, ePO, OpenSolaris, openSUSE, Oracle AS, Oracle Fusion Middleware, Solaris, RHEL, Slackware, SLES.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 24/08/2011.
Revision dates: 24/08/2011, 26/08/2011, 14/09/2011.
Identifiers: BID-49303, c02997184, c03011498, c03025215, CERTA-2011-AVI-493, cisco-sa-20110830-apache, CVE-2011-3192, DSA-2298-1, DSA-2298-2, FEDORA-2011-12715, HPSBMU02704, HPSBUX02702, HPSBUX02707, KB73310, MDVSA-2011:130, MDVSA-2011:130-1, openSUSE-SU-2011, openSUSE-SU-2011:0993-1, PSN-2013-02-846, RHSA-2011:1245-01, RHSA-2011:1294-01, RHSA-2011:1300-01, RHSA-2011:1329-01, RHSA-2011:1330-01, RHSA-2011:1369-01, sk65222, SSA:2011-252-01, SSRT100606, SSRT100619, SSRT100626, SUSE-SU-2011:1000-1, SUSE-SU-2011:1007-1, SUSE-SU-2011:1010-1, SUSE-SU-2011:1215-1, SUSE-SU-2011:1216-1, VIGILANCE-VUL-10944, VU#405811.

Description of the vulnerability

The Range header defined in the HTTP protocol indicates a byte range that the server should return. For example, to obtain bytes 10 to 30 and 50 to 60:
  Range: bytes=10-30,50-60
The Request-Range header is the obsolete name of Range.

Apache processes the following objects:
 - bucket: an abstract storage area (memory, file, etc.).
 - brigade: a linked list of buckets.

When Apache httpd receives a request containing the Range header, it stores each range in a brigade. However, if the range list is large, this brigade consumes a lot of memory.

An attacker can therefore send several parallel requests using Range or Request-Range, in order to progressively consume the available memory.
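One way to bound the work a Range (or Request-Range) header can cause before any storage is allocated, as an added example that is not Apache's code: parse_ranges, merge_ranges, plan_response and the MAX_RANGES value are hypothetical. The check ignores headers with too many ranges and merges overlapping ones so that each byte is stored once.

```python
MAX_RANGES = 20  # hypothetical policy limit chosen for this example


def parse_ranges(header, size):
    """Parse 'bytes=10-30,50-60' into (start, end) pairs; None if malformed."""
    unit, _, spec = header.partition("=")
    if unit.strip().lower() != "bytes":
        return None
    ranges = []
    for part in spec.split(","):
        first, dash, last = part.strip().partition("-")
        if not dash or not (first + last).isdecimal():
            return None
        if first == "":                      # suffix form "-N": last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = min(int(last), size - 1) if last else size - 1
        if start <= end:                     # drop unsatisfiable ranges
            ranges.append((start, end))
    return ranges


def merge_ranges(ranges):
    """Collapse overlapping or adjacent ranges so each byte is sent once."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def plan_response(header, size):
    """Decide how to answer: ('full', []) or ('partial', merged ranges)."""
    ranges = parse_ranges(header, size)
    if not ranges or len(ranges) > MAX_RANGES:
        return "full", []                    # ignore the header entirely
    return "partial", merge_ranges(ranges)


if __name__ == "__main__":
    print(plan_response("bytes=10-30,50-60", 100))
    print(plan_response("bytes=" + ",".join(["0-"] * 1000), 100))
```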

computer vulnerability bulletin CVE-2011-1827

Check Point Endpoint Security On-Demand: code execution via Deployment Agent

Synthesis of the vulnerability

A malicious web site can use the Deployment Agent, in order to execute code on the victim's computer.
Impacted products: CheckPoint Endpoint Security, IPSO, SecurePlatform, CheckPoint VSX-1.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 04/05/2011.
Identifiers: BID-47695, CVE-2011-1827, SEC Consult SA-20110810-0, sk62410, VIGILANCE-VUL-10618.

Description of the vulnerability

The following applications can be downloaded from a Security Gateway, in order to provide an SSL VPN On-Demand:
 - SSL Network Extender (SNX)
 - SecureWorkSpace
 - Endpoint Security On-Demand
They are deployed via the Check Point Deployment Agent ActiveX or Java applet.

However, this ActiveX/applet does not correctly check the origin of the deployment. A web site can thus convince the victim to install a malicious application.

A malicious web site can therefore use the Deployment Agent, in order to execute code on the victim's computer.