Check Point ZoneAlarm Flaw Allows Privilege Escalation

A vulnerability in Check Point’s popular ZoneAlarm antivirus and firewall allows attackers to escalate their privileges on a system running the security software. The vendor has released an update that should address the flaw.

The issue was discovered last year by Illumant, a company that provides security assessment and compliance solutions. The firm said the vulnerability exists due to the way the application’s developers used Microsoft’s Windows Communication Foundation (WCF) framework. Since WCF was initially codenamed “Indigo,” Illumant has dubbed the vulnerability “OwnDigo.”

Illumant’s findings are based on previous research by Fabius Artrel on privilege escalation and code execution vulnerabilities in applications that use .NET-based WCF services, and research by Matt Graeber on code-signing attacks.

According to Illumant, the vulnerability allows an attacker with limited access to the targeted device to execute arbitrary commands with SYSTEM privileges by abusing a vulnerable ZoneAlarm service. This can be leveraged to add a low-privileged user account to the administrators group.

However, an attack can only be conducted if the attacker’s exploit and payload files are or appear to be signed by Check Point. In order to achieve this, Illumant researchers created a fake code-signing certificate that impersonates Check Point – a user with limited privileges can do this – and installed it on the targeted system. The certificate was then used to sign the exploit and payload code, which could then be executed to elevate privileges.

Illumant recently published a blog post containing technical details and a video showing an overview of the attack.

The company praised Check Point for the way it handled the vulnerability report. The vendor patched the security bug in October with the release of ZoneAlarm Free Antivirus + Firewall version 15.4.062.17802.

Check Point’s security acknowledgements page shows that only a handful of issues were discovered in ZoneAlarm in the past couple of years.

While Illumant demonstrated the attack against ZoneAlarm, the company warns that this is a new class of vulnerabilities that could impact any .NET application using WCF. It has advised software developers to assess their own apps and WCF implementations to ensure that they are not impacted.

Related: Antivirus Quarantine Flaws Allow Privilege Escalation

Related: Google Researcher Finds Certificate Flaws in Kaspersky Products

Related: Sophos Patches Privilege Escalation Flaws in SafeGuard Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.