CVE-2024-24912 ‒ Local Privilege escalation in Check Point Harmony
Description
Check Point Harmony is a security product that protects endpoints from malware and detects attacks.
The fixed vulnerability enabled attackers with existing access to a system to elevate their privileges to SYSTEM.
Vulnerability
The vulnerability abused a trust relationship between frontend processes running in the context of an unprivileged user and privileged backend processes running as SYSTEM.
It was possible to abuse COM hijacking to inject a DLL into the frontend process of Check Point Harmony.
More specifically, this was possible by hijacking the interface with the GUID {9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}, which originally loads the dataexchange.dll file.
The frontend process has a trust relationship with the backend processes of Check Point Harmony, which run as a SYSTEM.
One command that could be issued by the front end allowed attackers to download a file from an arbitrary URL to an arbitrary location on the local system.
Using the DLL attackers could potentially inject via COM hijacking, they could issue this command to download a custom file.
Attackers could use the download to place a DLL file on the system and gain SYSTEM privileges.
Mitigations
Install a current version of Check Point Harmony. The vulnerability was fixed in version E88.20.
Timeline
| Date | Action |
|---|---|
| 04.01.2024 | Vendor was contacted and informed about the vulnerability |
| 04.01.2024 | Initial response from vendor |
| 26.02.2024 | Vendor informs us that a fix is available for testing |
| 01.03.2024 | Confirmed to the vendor that the exploit was no longer possible |
| 01.05.2024 | Vendor released advisory |