The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of CheckPoint ZoneAlarm Pro

vulnerability alert 18671

Windows: code execution during application installation

Synthesis of the vulnerability

An attacker can invite the victim to download malicious libraries on Windows, in order to run code during the installation of an application that requires these DLLs.
Impacted products: 7-Zip, ZoneAlarm, FileZilla Server, GIMP, Chrome, Kaspersky AV, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, Opera, Panda AV, Panda Internet Security, PuTTY, OfficeScan, TrueCrypt, VLC.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 11/01/2016.
Identifiers: sk110055, VIGILANCE-VUL-18671.

Description of the vulnerability

When a user installs a new application on Windows, they download the installation program (for example install.exe) and then run it.

However, several installation programs load DLLs (for example graph.dll) from the current directory. So, if an attacker has invited the victim to download a malicious graph.dll file before the victim runs install.exe from the Downloads directory, the code located in the DLL is run.

See also the bulletin VIGILANCE-VUL-19558 for other impacted products.

An attacker can therefore invite the victim to download malicious libraries on Windows, in order to run code during the installation of an application that requires these DLLs.
Full Vigil@nce bulletin... (Free trial)

vulnerability note 11064

Check Point UTM-1: vulnerabilities of WebUI

Synthesis of the vulnerability

An attacker can use several vulnerabilities of the WebUI interface of UTM-1 Edge and Safe@Office.
Impacted products: CheckPoint UTM-1 Appliance, ZoneAlarm.
Severity: 2/4.
Consequences: client access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 17/10/2011.
Revision date: 02/11/2012.
Identifiers: BID-50189, PR11-07, sk65460, VIGILANCE-VUL-11064.

Description of the vulnerability

The WebUI interface of Check Point UTM-1 Edge and Safe@Office is used to administer the appliance. Several vulnerabilities were announced in WebUI.

An attacker can generate several Cross Site Scripting attacks. [severity:2/4]

An attacker can generate several Cross Site Request Forgery attacks. [severity:2/4]

An attacker can generate a web redirect. [severity:1/4]

An unauthenticated attacker can obtain information. [severity:2/4]

computer vulnerability announce CVE-2007-5042 CVE-2007-5044 CVE-2007-5047

Norton Internet Security, Outpost, ZoneAlarm: corruption via SSDT hooking

Synthesis of the vulnerability

A local attacker can create a denial of service or corrupt memory of some software incorrectly implementing SSDT hooking.
Impacted products: Outpost Firewall, ZoneAlarm, Norton Internet Security.
Severity: 1/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 3.
Creation date: 19/09/2007.
Identifiers: CVE-2007-5042, CVE-2007-5044, CVE-2007-5047, VIGILANCE-VUL-7177.

Description of the vulnerability

The SSDT table (System Service Descriptor Table) contains references to system calls:
 - NtCreateKey : create a key in registry
 - NtCreateThread : create a thread
 - NtDeleteFile : delete a file
 - etc.

Security software hooks entries in this table to point to its own functions. However, these functions do not correctly check their parameters. A local attacker can thus pass malicious attributes in order to generate an error.

This vulnerability leads to a denial of service, and eventually to code execution.

The following software has been identified as vulnerable:
 - BlackICE PC Protection 3.6.cqn
 - G DATA InternetSecurity 2007
 - Ghost Security Suite beta 1.110 and alpha 1.200
 - Kaspersky Internet Security 7.0.0.125
 - Norton Internet Security 2008 15.0.0.60
 - Online Armor Personal Firewall 2.0.1.215
 - Outpost Firewall Pro 4.0.1025.7828
 - Privatefirewall 5.0.14.2
 - Process Monitor 1.22
 - ProcessGuard 3.410
 - ProSecurity 1.40 Beta 2
 - RegMon 7.04
 - ZoneAlarm Pro 7.0.362.000

These vulnerabilities are different from VIGILANCE-VUL-6271, VIGILANCE-VUL-6704 and VIGILANCE-VUL-6742.

vulnerability alert CVE-2005-2932 CVE-2007-4216

ZoneAlarm: two vulnerabilities

Synthesis of the vulnerability

A local attacker can use two vulnerabilities in order to generate a denial of service or to execute code.
Impacted products: ZoneAlarm.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 21/08/2007.
Identifiers: BID-25365, BID-25377, CERTA-2007-AVI-370, CVE-2005-2932, CVE-2007-4216, VIGILANCE-VUL-7111.

Description of the vulnerability

Two ZoneAlarm vulnerabilities can be used by a local attacker.

ACLs on installed files are too permissive. A local attacker can replace programs in order to execute code with SYSTEM privileges. [severity:2/4; CERTA-2007-AVI-370, CVE-2005-2932]

The vsdatant.sys driver does not check the addresses passed in IOCTLs 0x8400000F and 0x84000013. A local attacker can therefore force it to corrupt memory. [severity:2/4; CVE-2007-4216]

These vulnerabilities therefore permit a local attacker to generate a denial of service or to execute code.

computer vulnerability note CVE-2007-2467

ZoneAlarm: memory corruption of vsdatant

Synthesis of the vulnerability

A local attacker can corrupt system memory via the vsdatant driver.
Impacted products: ZoneAlarm.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 02/05/2007.
Identifiers: BID-23733, CVE-2007-2467, VIGILANCE-VUL-6779.

Description of the vulnerability

The \Device\vsdatant driver is used by the Zone Alarm Non Plug and Play Device.

This driver does not check the parameters it receives at address 0x8400002B, which corrupts its memory.

This error permits a local attacker to generate a denial of service and eventually to execute code.

computer vulnerability announce CVE-2007-2174

ZoneAlarm: memory corruption of srescan.sys

Synthesis of the vulnerability

A local attacker can use two IOCTLs in order to corrupt memory via the srescan.sys driver.
Impacted products: ZoneAlarm.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 23/04/2007.
Revision date: 24/04/2007.
Identifiers: BID-23579, CVE-2007-2174, VIGILANCE-VUL-6757.

Description of the vulnerability

The srescan.sys driver is used by ZoneAlarm Spyware Removal Engine (SRE).

This driver does not check the parameters of two of its IOCTLs:
 - 0x22208F : the attacker can write the value 0x00030000 to memory
 - 0x22208F : the attacker can write to memory the content of a buffer returned by ZwQuerySystemInformation()

These errors permit a local attacker to generate a denial of service and eventually to execute code.

vulnerability announce CVE-2007-2083

ZoneAlarm: memory corruption via NtCreateKey and NtDeleteFile

Synthesis of the vulnerability

A local attacker can use NtCreateKey() and NtDeleteFile() functions in order to generate a denial of service, and eventually to execute code.
Impacted products: ZoneAlarm.
Severity: 1/4.
Consequences: privileged access/rights, denial of service on server.
Provenance: user shell.
Creation date: 16/04/2007.
Identifiers: BID-23494, CVE-2007-2083, VIGILANCE-VUL-6742.

Description of the vulnerability

The SSDT table (System Service Descriptor Table) contains references to system calls:
 - NtCreateKey : create a key in registry
 - NtCreateThread : create a thread
 - NtDeleteFile : delete a file
 - etc.

ZoneAlarm hooks entries in this table to point to its own functions. However, these functions do not correctly check object attributes (the OBJECT_ATTRIBUTES parameter). A local attacker can thus pass malicious attributes in order to generate an error.

This vulnerability leads to a denial of service, and eventually to code execution.

computer vulnerability bulletin CVE-2006-3540

ZoneAlarm: denial of service via VETFDDNT\Enum

Synthesis of the vulnerability

A local attacker can generate a denial of service during access to the registry.
Impacted products: CA Antivirus, ZoneAlarm, e-Trust Antivirus.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: user shell.
Creation date: 04/07/2006.
Identifiers: Advisory 2006-07-01.01, BID-18789, CVE-2006-3540, VIGILANCE-VUL-5978.

Description of the vulnerability

The ZoneAlarm Internet Security Suite product is affected by a local vulnerability. This vulnerability may also affect the Computer Associates eTrust antivirus integrated into this product. The ZoneAlarm Free/Pro product seems to be unaffected.

The RegSaveKey, RegRestoreKey and RegDeleteKey methods save, restore and delete a key of the Windows registry.

The HKLM\SYSTEM\CurrentControlSet\Services\VETFDDNT\Enum registry key is used by the antivirus. A local attacker can use RegSaveKey, RegRestoreKey and RegDeleteKey to interact with its driver in order to stop it.

This vulnerability therefore permits a local attacker to generate a denial of service.

computer vulnerability bulletin CVE-2006-1221

ZoneAlarm: privilege elevation with TrueVector

Synthesis of the vulnerability

A local attacker can elevate their privileges by forcing TrueVector to load a malicious DLL.
Impacted products: ZoneAlarm.
Severity: 1/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 09/03/2006.
Revision date: 10/03/2006.
Identifiers: BID-17037, CVE-2006-1221, VIGILANCE-VUL-5678.

Description of the vulnerability

The TrueVector service is used by most Zone Labs products. This service runs under the Local System account.

When it starts, it tries to load the following libraries:
 - VSUTIL_Loc0409_Oem8701.dll, VSUTIL_Oem8701.dll, VSUTIL_Loc0409.dll,
 - vsmon_Loc0409_Oem8701.dll, vsmon_Oem8701.dll, vsmon_Loc0409.dll
 - VSRULEDB_Loc0409_Oem8701.dll, VSRULEDB_Oem8701.dll, VSRULEDB_Loc0409.dll
 - av_Loc0409_Oem8701.dll, av_Oem8701.dll, av_Loc0409.dll
 - zlquarantine_Loc0409_Oem8701.dll, zlquarantine_Oem8701.dll, zlquarantine_Loc0409.dll
 - zlsre_Loc0409_Oem8701.dll, zlsre_Oem8701.dll, zlsre_Loc0409.dll
However, the full paths of these DLLs are not specified.

Thus, if an attacker can store a DLL in one of the directories of the search path, the code it contains will be executed with Local System rights.

This vulnerability therefore permits a local attacker to elevate their privileges.

vulnerability announce CVE-2005-3560

ZoneAlarm: bypassing "OS Firewall"

Synthesis of the vulnerability

A local attacker can use the ShowHTMLDialog() method to send data to a remote server, without detection by the "OS Firewall" technology.
Impacted products: ZoneAlarm.
Severity: 1/4.
Consequences: data flow.
Provenance: user console.
Creation date: 08/11/2005.
Identifiers: BID-15347, CVE-2005-3560, VIGILANCE-VUL-5342.

Description of the vulnerability

The "OS Firewall" technology analyzes the behavior of programs, and can forbid a program from sending data to a remote computer. It blocks malicious programs such as viruses, backdoors or worms.

The mshtml.dll DLL provides the ShowHTMLDialog() method. This method opens an HTML page. This HTML page can for example contain a JavaScript program that sends data to a remote web site.

However, "OS Firewall" does not detect this type of connection, so it allows a program to send sensitive data to a remote server.