Vulnerabilities > CVE-2011-1827 - Remote Code Execution vulnerability in Multiple Check Point SSL VPN On-Demand Applications

CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
checkpoint
critical
nessus

Summary

Multiple unspecified vulnerabilities in Check Point SSL Network Extender (SNX), SecureWorkSpace, and Endpoint Security On-Demand, as distributed by SecurePlatform, IPSO6, Connectra, and VSX, allow remote attackers to execute arbitrary code via vectors involving a (1) ActiveX control or (2) Java applet.

Nessus

  • NASL familyWindows
    NASL idSMB_KB_2562937.NASL
    descriptionThe remote Windows host is missing a list of kill bits for ActiveX controls that are known to contain vulnerabilities. If these ActiveX controls are ever installed on the remote host, either now or in the future, they would expose it to various security issues. Note that the affected controls are from third-party vendors that have asked Microsoft to prevent their controls from being run in Internet Explorer.
    last seen2020-06-01
    modified2020-06-02
    plugin id55802
    published2011-08-10
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55802
    titleMS 2562937: Update Rollup for ActiveX Kill Bits (2562937)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    # Registration pass: when `description` is set, the script only declares
    # its metadata below and leaves through the exit(0) that closes this block,
    # so no check is run against a host from here.
    if (description)
    {
      script_id(55802);
      script_version("1.16");
      script_cvs_date("Date: 2018/11/15 20:50:28");
    
      # One roll-up plugin is tagged with three CVEs and three Bugtraq IDs, so a
      # single finding from it does not say which of the controls is at issue;
      # the report text built by the check lists the CLSIDs concerned.
      script_cve_id("CVE-2011-0331", "CVE-2011-1207", "CVE-2011-1827");
      script_bugtraq_id(46930, 47643, 47695);
      script_xref(name:"ICS-ALERT", value:"11-103-01A");
      script_xref(name:"MSKB", value:"2562937");
    
      script_name(english:"MS 2562937: Update Rollup for ActiveX Kill Bits (2562937)");
      script_summary(english:"Checks if kill bits have been set");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Windows host is missing an update that disables selected
    ActiveX controls."
      );
      script_set_attribute(
        attribute:"description",
        value: 
    "The remote Windows host is missing a list of kill bits for ActiveX
    controls that are known to contain vulnerabilities. 
    
    If these ActiveX controls are ever installed on the remote host,
    either now or in the future, they would expose it to various security
    issues.
    
    Note that the affected controls are from third-party vendors that have
    asked Microsoft to prevent their controls from being run in Internet
    Explorer."
      );
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/2562937/microsoft-security-advisory-update-rollup-for-activex-kill-bits");
      script_set_attribute(
        attribute:"solution",
        value:
    "Microsoft has released a set of patches for Windows XP, 2003, Vista,
    2008, 7, and 2008 R2."
      );
      # NOTE(review): this base vector (network, high complexity, partial C/I/A)
      # rates the missing roll-up as a whole. It is lower than the network /
      # medium-complexity / complete-impact rating published for CVE-2011-1827
      # on its own, so prioritise by the per-CVE score on hosts where the
      # Check Point control is actually installed.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      # Temporal vector: exploitability unproven, remediation level not defined,
      # report confidence confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:ND/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/10");
    
      # Declared as a "local" check; it relies on the KB keys and SMB ports
      # required further down rather than on probing a network service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe",value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      # Information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      # Prerequisites: smb_hotfixes.nasl must have run, and the registry
      # enumeration and Windows version keys must be present in the KB.
      # Presumably these are only populated when the scan could read the
      # registry with credentials (TODO confirm); without them the plugin gives
      # no result, which must not be read as "kill bits are set".
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_activex_func.inc");
    include("misc_func.inc");
    
    # Preconditions. Each guard below ends the script with an explanatory
    # message, so the kill-bit test is only reached on hosts where it applies.

    # Both KB items must exist; the second lookup exits with code 1 if missing.
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

    # Only the listed Windows releases / service-pack levels are in scope.
    sp_check = hotfix_check_sp(xp:4, win2003:3, vista:3, win7:2);
    if (sp_check <= 0)
    {
      exit(0, "The host is not affected based on its version / service pack.");
    }

    # Server Core installs are reported as not affected.
    if (hotfix_check_server_core() == 1)
    {
      exit(0, "Windows Server Core installs are not affected.");
    }

    # The ActiveX helper API must initialise before any kill bit can be read.
    if (activex_init() != ACX_OK)
    {
      exit(1, "Unable to initialize the ActiveX API.");
    }
    
    
    # Query the kill bit of every control covered by the roll-up and collect
    # the CLSIDs for which it is not set.
    #
    # Only a return value of 0 from activex_get_killbit() counts as "kill bit
    # not set". Any other value leaves the control out of the report --
    # presumably that includes a failed lookup (TODO confirm against
    # smb_activex_func.inc), so an empty result is not proof that every bit
    # was read successfully.
    info = "";
    killbit_clsids = make_list(
      '{B4CB50E4-0309-4906-86EA-10B6641C8392}',  # CheckPoint SSL VPN On-Demand
      '{E4F874A0-56ED-11D0-9C43-00A0C90F29FC}',  # ActBar
      '{FB7FE605-A832-11D1-88A8-0000E8D220A6}'   # EBI R Web Toolkit
    );

    foreach control_clsid (killbit_clsids)
    {
      # Skip controls that are not reported as missing their kill bit.
      if (activex_get_killbit(clsid:control_clsid) != 0) continue;

      info += '  ' + control_clsid + '\n';

      # Without "thorough tests" the first hit is enough to flag the host,
      # so the remaining controls are not examined.
      if (!thorough_tests) break;
    }

    # Release the ActiveX helper API opened by activex_init().
    activex_end();
    
    
    # Nothing collected: no listed control was found with its kill bit unset.
    if (!info) exit(0, "The host is not affected.");

    if (report_verbosity > 0)
    {
      # Use the plural form only when more than one CLSID line was collected.
      s = "";
      if (max_index(split(info)) > 1) s = "s";

      report = '\nThe kill bit has not been set for the following control'+s+' :\n\n'+info;

      # In a non-thorough scan the loop stopped at the first hit, so the list
      # may be incomplete; say so in the report to avoid a false sense that
      # only one control needs attention.
      if (!thorough_tests)
        report +=
          '\nNote that Nessus did not check whether there were other kill bits\n'+
          'that have not been set because the "Perform thorough tests" setting\n'+
          'was not enabled when this scan was run.\n';

      hotfix_add_report(report);
    }
    else
    {
      # Minimal verbosity: record the finding without any detail text.
      hotfix_add_report();
    }

    # Raise the finding at "warning" severity.
    hotfix_security_warning();
    
  • NASL familyWindows
    NASL idCHECKPOINT_SNX_ACTIVEX_CODE_EXEC.NASL
    descriptionThe version of the Check Point SSL Network Extender ActiveX control installed on the remote Windows host reportedly contains a remote code execution vulnerability. If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, he can leverage this issue to execute arbitrary code on the affected system subject to the user's privileges.
    last seen2020-06-01
    modified2020-06-02
    plugin id55994
    published2011-08-25
    reporterThis script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55994
    titleCheck Point SSL Network Extender ActiveX Control Remote Code Execution

Seebug

bulletinFamilyexploit
descriptionBugtraq ID: 47695 CVE ID:CVE-2011-1827 SNX、SecureWorkSpace和Endpoint Security On-Demand是可从Connectra或security gateways下载的客户端,可实现按需远程连接。它们可使用Check Point Deployment Agent Java applet或ActiveX控件配置在浏览器中。 应用程序SSL网络扩展器(SNX)、SecureWorkSpace和Endpoint Security On-Demand通过浏览器配置时,容易受到恶意网站的攻击,导致在末端用户机器上执行任意恶意代码。 此漏洞不影响Check Point安全网关。 受影响版本: Check Point Software VSX R67 Check Point Software VSX R65.20 Check Point Software SecurePlatform R75 Check Point Software SecurePlatform R75 Check Point Software SecurePlatform R71.30 Check Point Software SecurePlatform R70.40 Check Point Software SecurePlatform R70.40 Check Point Software SecurePlatform R65.70 Check Point Software IPSO6 R75 Check Point Software IPSO6 R71.30 Check Point Software IPSO6 R70.40 Check Point Software IPSO6 R65.70 Check Point Software Connectra R66.1n Check Point Software Connectra R66.1 用户可参考如下供应商提供的安全公告获得补丁信息: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62410
idSSV:20508
last seen2017-11-19
modified2011-05-04
published2011-05-04
reporterRoot
titleCheck Point SSL VPN On-Demand应用程序远程代码执行漏洞