Vulnerabilities

DLL Hijacking Flaw Patched in Check Point Endpoint Security

Researchers at SafeBreach discovered that Check Point’s Endpoint Security product is affected by a DLL hijacking vulnerability that can be exploited for privilege escalation and other purposes.

Eduard Kovacs

August 28, 2019

Researchers at SafeBreach discovered that Check Point’s Endpoint Security product is affected by a DLL hijacking vulnerability that can be exploited for privilege escalation and other purposes.

In an advisory published this week, Check Point has confirmed that the flaw, tracked as CVE-2019-8461, impacts versions of the Endpoint Security Initial Client for Windows prior to E81.30, which patches the vulnerability.

In a blog post published on Tuesday, SafeBreach explained that the vulnerability impacts the Check Point Device Auxiliary Framework Service (IDAFServerHostService.exe). This service, which is executed automatically with SYSTEM privileges when the computer starts, attempts to load a library file named atl110.dll (ATL Module for Windows) from various folders listed in the PATH environment variable.

An attacker who has access to a system running Check Point Endpoint Security could place a malicious file named atl110.dll in one of these folders and it would get executed when the application starts. An attacker with administrative privileges can add their own folder to the PATH environment variable, while an attacker with more limited privileges could try to find an existing folder to which they have permission to add the malicious DLL.

By getting the Check Point software to load the malicious file with SYSTEM privileges, an attacker could escalate permissions to SYSTEM, they could use this as a persistence mechanism for their malware, or they could use it to bypass application whitelisting considering that the payload is executed by a signed service.

The vulnerability was reported to Check Point on August 1 and it was patched on August 26.

DLL hijacking vulnerabilities are not uncommon, even in software made by cybersecurity firms. SafeBreach recently found very similar flaws in products from Trend Micro and Bitdefender.

Between 2016 and 2018, researcher Stefan Kanthak identified DLL hijacking vulnerabilities in installers for many popular pieces of software, including cybersecurity products.

Advertisement. Scroll to continue reading.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Latest News

Click to comment

CIEM Chat: How to Reduce Cloud Identity Risk

March 26, 2024

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Virtual Event: Ransomware Resilience & Recovery Summit

April 17, 2024

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Navigating Vendor Speak: A Security Practitioner’s Guide to Seeing Through the Jargon

As a security industry, we need to focus our energies on those professionals among us who know how to walk the walk. (Joshua Goldfarb)

SD-WAN: Don’t Build a Dead End, Prepare for Future-Proof Secure Networking

SD-WAN must be scalable, stable, secure, and fully operational to serve as a strong base for seamless modernization and progression to SASE. (Etay Maor)

You Against the World: The Offenders Dilemma

Foreign attackers have many more toolsets at their disposal, so we need to make sure we’re selective about our modeling, preparation and how we assess and fortify ourselves. (Tom Eston)

Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

With automated, detailed, contextualized threat intelligence, organizations can better anticipate malicious activity and utilize intelligence to speed detection around proven attacks. (Marc Solomon)

Know Your Audience When Speaking to Security Practitioners

How can security practitioners make sense of the vendor landscape and separate those who talk a good game from those who can execute, perform, and solve real problems for enterprises? (Joshua Goldfarb)

Vulnerabilities

Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

SecurityWeek NewsMarch 26, 2014

Data Breaches

ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Eduard KovacsMarch 28, 2023

IoT Security

16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Ionut ArghireJanuary 5, 2023

Vulnerabilities

Burglars Can Easily Disable SimpliSafe Alarms: Researcher

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Eduard KovacsFebruary 18, 2016

Risk Management

Cyber Insights 2023 | Supply Chain Security

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Kevin TownsendFebruary 2, 2023

Cybercrime

Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Ryan NaraineJuly 11, 2023

Vulnerabilities

Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Ryan NaraineMarch 14, 2023

IoT Security

Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

Eduard KovacsFebruary 9, 2023

SECURITYWEEK NETWORK:

ICS:

SecurityWeek

Vulnerabilities

DLL Hijacking Flaw Patched in Check Point Endpoint Security

More from Eduard Kovacs

Latest News

Trending

CIEM Chat: How to Reduce Cloud Identity Risk

Virtual Event: Ransomware Resilience & Recovery Summit

People on the Move

Expert Insights

Navigating Vendor Speak: A Security Practitioner’s Guide to Seeing Through the Jargon

SD-WAN: Don’t Build a Dead End, Prepare for Future-Proof Secure Networking

You Against the World: The Offenders Dilemma

Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

Know Your Audience When Speaking to Security Practitioners

Related Content

Vulnerabilities

Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Data Breaches

ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation

IoT Security

16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure

Vulnerabilities

Burglars Can Easily Disable SimpliSafe Alarms: Researcher

Risk Management

Cyber Insights 2023 | Supply Chain Security

Cybercrime

Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Vulnerabilities

Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns

IoT Security

Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras

SECURITYWEEK NETWORK:

ICS:

More from Eduard Kovacs

Latest News

Trending

Daily Briefing Newsletter

CIEM Chat: How to Reduce Cloud Identity Risk

Virtual Event: Ransomware Resilience & Recovery Summit

People on the Move

Expert Insights

Navigating Vendor Speak: A Security Practitioner’s Guide to Seeing Through the Jargon

SD-WAN: Don’t Build a Dead End, Prepare for Future-Proof Secure Networking

You Against the World: The Offenders Dilemma

Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

Know Your Audience When Speaking to Security Practitioners

Related Content

Vulnerabilities

Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Data Breaches

ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation

IoT Security

16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure

Vulnerabilities

Burglars Can Easily Disable SimpliSafe Alarms: Researcher

Risk Management

Cyber Insights 2023 | Supply Chain Security

Cybercrime

Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Vulnerabilities

Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns

IoT Security

Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras