Check Point Software Technologies has recently fixed a critical security vulnerability in its antivirus software ZoneAlarm. As pointed out by the researcher, a potential attacker could exploit the vulnerability to gain elevated privileges on the target device and perform remote code execution.
ZoneAlarm Local Privilege Escalation Vulnerability
Reportedly, a researcher from cybersecurity firm Illumant has revealed a security flaw in ZoneAlarm antivirus software. The vulnerability could let an attacker gain escalated user privileges on the target machine. Exploiting the bug could allow an attacker to inject and execute arbitrary code.
According to the details revealed in their report, the flaw existed because of “insecure implementation of inter-process communications” in the app.
“The vulnerability is due to insecure implementation of inter-process communications within the ZoneAlarm application itself, which allows a low-privilege user to inject and execute code by hijacking the insecure communications with a vulnerable .NET service.”
Since the exposed WCF service ran at SYSTEM level, exploiting it could let a local attacker execute code at SYSTEM level and gain access to the target machine.
Besides detailing the technical aspects and the exploit, Illumant has also demonstrated the exploit in a video.
Check Point Released Patched Version
As explained, the researchers duly reported the vulnerability to Check Point, who described it as follows:
“SBACipollaSrvHost exposes WCF service to low privilege users which can be leveraged to execute arbitrary code as SYSTEM.”
Illumant confirmed that the vendors responded promptly to their report, making the disclosure easy. After the patch, the vendors approached Illumant again to validate the fix. Explaining the patch, they state:
“Their approach was simple and effectively made it impossible to reach the ExecuteInstaller method over WCF. Rather than try to make it difficult for unauthorized clients to interact with the service, it’s safer to simply not expose sensitive functionality over WCF.”
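The principle in the quote above, keeping ExecuteInstaller off the WCF contract, shown as an added C# example; it is not Check Point's or Illumant's code. Every type name other than ExecuteInstaller is hypothetical, and a .NET Framework project referencing System.ServiceModel is assumed. The audit helper lists any sensitive operation name that is reachable through a contract.

```csharp
// Added illustration. Every name except ExecuteInstaller is hypothetical.
using System;
using System.Diagnostics;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Description;

// BEFORE: the privileged operation is part of the WCF contract, so any client
// that can open the endpoint can ask the SYSTEM service to run it.
[ServiceContract]
public interface IUpdaterExposed
{
    [OperationContract] string GetStatus();
    [OperationContract] void ExecuteInstaller(string installerPath);
}

// AFTER: the contract carries only non-sensitive operations.
[ServiceContract]
public interface IUpdaterHardened
{
    [OperationContract] string GetStatus();
}

public sealed class UpdaterService : IUpdaterHardened
{
    public string GetStatus() => "idle";

    // Not on the contract interface and not an [OperationContract], so WCF has
    // no operation to dispatch a client message to. Only the service's own code
    // calls it, with a path the service chooses itself.
    internal void ExecuteInstaller(string installerPath) => Process.Start(installerPath);
}

public static class ContractAudit
{
    static readonly string[] Sensitive = { "ExecuteInstaller" };

    // Returns the sensitive operation names a contract exposes to WCF clients.
    public static string[] ExposedSensitive(Type contract) =>
        ContractDescription.GetContract(contract).Operations
            .Select(op => op.Name).Where(n => Sensitive.Contains(n)).ToArray();

    public static void Main()
    {
        foreach (var t in new[] { typeof(IUpdaterExposed), typeof(IUpdaterHardened) })
            Console.WriteLine($"{t.Name}: {string.Join(",", ExposedSensitive(t))}");
    }
}
```

Running `ExposedSensitive` over every service contract in a unit test turns the quoted design rule into a regression check.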
Check Point has also acknowledged the researcher for finding the vulnerability. They have rolled out the ZoneAlarm® Free Firewall version 15.4.062.17802 with the fix.