Element Security, a leader in Continuous Threat Exposure Management (CTEM), has uncovered a critical Remote Code Execution (RCE) vulnerability in Check Point Security Gateways, reachable through CVE-2021-40438, a known Server-Side Request Forgery (SSRF) flaw in Apache HTTP Server. The discovery exposes significant risk for organizations running outdated or unpatched gateway software.


About the Vulnerability


CVE-2021-40438 is a Server-Side Request Forgery (SSRF) vulnerability in the mod_proxy module of Apache HTTP Server (versions 2.4.48 and earlier). A crafted request URI can make mod_proxy forward the request to an origin chosen by the remote client, including a local UNIX domain socket via mod_proxy’s unix: syntax, potentially exposing sensitive data or granting unauthorized access to services that were never meant to be reachable from the network. Although Check Point addressed the issue in 2022, many systems remain vulnerable because the fix was never applied or because they run end-of-life software.

Element Security researchers identified the RCE vulnerability during internal testing of a related flaw, CVE-2024-24919. While analyzing Check Point’s software, they found that the gateways shipped an outdated Apache HTTP Server build that was still susceptible to CVE-2021-40438.

Escalating SSRF to RCE

The potential impact of this vulnerability extends far beyond a typical SSRF attack. Leveraging CVE-2021-40438, Element Security researchers found a path to Remote Code Execution (RCE) by modifying the original SSRF payload so that Apache forwarded the request to local UNIX sockets on the gateway instead of to a network host.

  • Gateway Configuration Exposure: By reaching the /tmp/xdumps UNIX socket through the SSRF, an attacker could use a single HTTP request to dump the gateway configuration, which includes sensitive information such as user accounts and password hashes.
  • Remote Code Execution: Further research revealed the /tmp/xsets UNIX socket, which speaks a proprietary binary protocol. By analyzing its communication patterns, the researchers reverse-engineered the protocol and found that it could modify gateway configuration parameters. Using this, they crafted a payload to reset the admin password, leading to full system compromise.
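The SSRF primitive described above has a recognizable shape on the wire: mod_proxy’s UNIX-socket syntax is `unix:<socket path>|<scheme>://<host>/...`, and CVE-2021-40438 is what lets a client smuggle that token into a request URI. The following is an added example written for this page (not code from Element Security or Check Point) that scans Apache access-log lines for that pattern and flags the socket and forward target, plus a banner-based version check against the 2.4.49 release that fixed the CVE. The log lines are constructed for the demo; the socket names are the ones this article reports, and `scan_log` / `apache_version_affected` are hypothetical helper names.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache "combined" access-log lines for this demo; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jan/2025:10:00:02 +0000] "GET /?unix:AAAAAAAA|http://127.0.0.1/ HTTP/1.1" 200 128 "-" "curl/8.0"
203.0.113.12 - - [12/Jan/2025:10:00:03 +0000] "GET /?unix:/tmp/xdumps|http://localhost/ HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.13 - - [12/Jan/2025:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Jan/2025:10:00:05 +0000] "GET /?unix%3A%2Ftmp%2Fxsets%7Chttp%3A%2F%2Flocalhost%2F HTTP/1.1" 200 64 "-" "python-requests/2.31"
"""

# client, timestamp, method, URI, status from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# mod_proxy's UNIX-socket form is "unix:<socket path>|<scheme>://<host>/...".
# A client-supplied URI carrying that token is the CVE-2021-40438 SSRF signature.
UDS_PROXY_RE = re.compile(r'unix:([^|]*)\|([a-z][a-z0-9+.-]*://\S*)', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, ts, method, uri, status = m.groups()
    return {"client": client, "time": ts, "method": method, "uri": uri, "status": int(status)}


def find_uds_ssrf(uri):
    """Return (socket_path, forwarded_url) if the URI carries a unix:...|... proxy target.

    The URI is percent-decoded first so that URL-encoded variants are not missed.
    """
    m = UDS_PROXY_RE.search(unquote(uri))
    if not m:
        return None
    return m.group(1), m.group(2)


def scan_log(text):
    """Return one hit record per request whose URI tries to steer mod_proxy at a UNIX socket."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = find_uds_ssrf(rec["uri"])
        if found:
            sock, url = found
            hits.append({"client": rec["client"], "time": rec["time"],
                         "socket": sock, "target": url, "status": rec["status"]})
    return hits


def apache_version_affected(banner):
    """True if the httpd version in a Server banner predates 2.4.49, the fix release for CVE-2021-40438.

    Returns None when no Apache version is present. Banner checks cannot see vendor
    backports (an appliance may patch without bumping the string), so treat True as
    "verify", not "confirmed vulnerable".
    """
    m = re.search(r'Apache/(\d+)\.(\d+)\.(\d+)', banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) < (2, 4, 49)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} -> socket={hit["socket"]!r} target={hit["target"]} status={hit["status"]}')
    print("Apache/2.4.46 affected:", apache_version_affected("Apache/2.4.46 (Unix)"))
```

A 200 response to a request of this shape is the interesting case: it means mod_proxy accepted the smuggled target rather than rejecting the URI. The version helper is only a triage aid; confirm patch state from the vendor’s advisory or by testing, since the Server banner on an appliance often does not reflect backported fixes.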

Critical Lessons and Implications

This research highlights the critical risks associated with unpatched software and insecure inter-process communication (IPC) mechanisms: a local socket that accepts configuration changes without authentication turns any SSRF into a full gateway takeover. Organizations that have not applied Check Point’s fix, or that still run end-of-life releases, remain exposed to exploitation, data breaches, and severe operational disruption, and should verify the patch state of their gateways rather than assume it.

Element Security’s Commitment to Proactive Security

Element Security ensured its customers were the first to benefit from this discovery. Immediate testing and actionable mitigation advice were delivered through the Element Security platform, empowering clients to address the vulnerability proactively.

“At Element Security, we redefine how organizations defend against threats through active testing and validation,” said Daniel Lublin, CEO of Element Security. “This discovery reflects our commitment to original research, delivering actionable insights to protect our customers.”



Source – Prweb