CVE-2019-8459
📋 TL;DR
This vulnerability allows a local attacker to execute arbitrary code as SYSTEM by abusing an unquoted service path in Check Point Endpoint Security Client for Windows (the VPN client) before version E80.83. When a service's ImagePath contains spaces and is not wrapped in quotes, the Service Control Manager tries the truncated names before the real binary: for a path under C:\Program Files\CheckPoint\... that means C:\Program.exe first, then C:\Program Files\CheckPoint\Endpoint.exe, and so on. An attacker who can create a file in one of those intermediate directories gets their executable started as SYSTEM the next time the service starts.
💻 Affected Systems
- Check Point Endpoint Security Client for Windows
📦 What is this software?
- Capsule Docs Standalone Client by Check Point
- Endpoint Security Server Package by Check Point
- Jumbo Hotfix for Endpoint Security Server by Check Point
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing complete control over the endpoint, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation leading to persistence, credential theft, and installation of additional malware on the compromised system.
If Mitigated
Limited impact if the service path is quoted or if the intermediate directories (C:\, C:\Program Files\CheckPoint and the components below it) keep their default ACLs, since the attacker then has nowhere to plant a binary. Endpoint controls that flag file creation in those directories and block unsigned executables add a second layer.
🎯 Exploit Status
Exploitation requires local access and the ability to create a file in one of the directories along the service path (for example C:\ or C:\Program Files\CheckPoint), plus a service restart or reboot so the Service Control Manager resolves the path again. By default standard users cannot create files in C:\ or under C:\Program Files, so real-world exploitability usually hinges on a loosened ACL on one of those directories. The technique itself is well known and documented for unquoted service path vulnerabilities; no public exploit specific to this CVE is referenced here.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: E80.83 and later
Vendor Advisory: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk124972
Restart Required: Yes
Instructions:
1. Download Check Point Endpoint Security Client version E80.83 or later from official sources.
2. Install the update following vendor instructions.
3. Restart the system to ensure the updated service is running.
🔧 Temporary Workarounds
Add quotes to service path
Manually add quotes around the service executable path in the Windows registry. Confirm the service name and the current ImagePath with sc qc first, keep any command-line arguments that follow the executable outside the quotes, and expect the vendor upgrade to rewrite the value. The service name and path below are the ones used throughout this page; check that they match the host.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Check Point Endpoint Security VPN" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\CheckPoint\Endpoint Security\Endpoint Common\bin\vpn.exe\"" /f
Restrict directory permissions
The directories that matter are the ones in which a truncated name would be resolved, not the bin directory that holds the real binary: for the path above that is C:\, C:\Program Files\CheckPoint, C:\Program Files\CheckPoint\Endpoint Security and C:\Program Files\CheckPoint\Endpoint Security\Endpoint Common. Inspect each with icacls and, where standard users can create files there, reset it so that only SYSTEM and Administrators can write while Users keep read and execute:
icacls "C:\Program Files\CheckPoint" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
Repeat for each intermediate directory whose ACL allows file creation by non-administrators. Do not apply /inheritance:r to C:\ itself; fix the root's ACL by removing the offending grant instead.
🧯 If You Can't Patch
- Implement file integrity monitoring on the intermediate directories of the service path (C:\ and the Check Point directories above the bin folder) to detect creation of executables such as C:\Program.exe
- Use application control (AppLocker or WDAC) so that only signed, expected binaries can run from those locations, which stops a planted executable even if it is written
🔍 How to Verify
Check if Vulnerable:
Query the service configuration and look at BINARY_PATH_NAME: if the path contains spaces and is not wrapped in double quotes, the service is exploitable wherever one of its intermediate directories is writable by a non-administrator. Note that sc query only reports service state; sc qc shows the configured path:
sc qc "Check Point Endpoint Security VPN" | findstr BINARY_PATH_NAME
Check Version:
Compare the installed client version (shown by the client itself and in Programs and Features) with E80.83; anything lower is affected.
Verify Fix Applied:
Verify the ImagePath registry value has quotes around the full executable path and the service version is E80.83 or higher
📡 Detection & Monitoring
Log Indicators:
- A process started by services.exe from an intermediate path, for example C:\Program.exe or C:\Program Files\CheckPoint\Endpoint.exe, instead of the real service binary
- File creation events in those intermediate directories by non-admin users (Event ID 4663 with object access auditing enabled, or Sysmon Event ID 11)
- Windows Event ID 4688 with unusual parent-child process relationships, such as the hijacked binary spawning cmd.exe or powershell.exe as SYSTEM
Network Indicators:
- Unusual outbound connections from Check Point processes
- DNS queries for command and control domains from system processes
SIEM Query:
A service-path hijack is launched by the Service Control Manager, so the parent is services.exe; a query that excludes that parent misses the event. Match instead on services.exe starting a process from one of the truncated paths (the paths below follow from the ImagePath used on this page; escape backslashes as your SIEM requires):
source="windows_security" EventID=4688 ParentProcessName="*\services.exe" (NewProcessName="C:\Program.exe" OR NewProcessName="C:\Program Files\CheckPoint\Endpoint.exe" OR NewProcessName="C:\Program Files\CheckPoint\Endpoint Security\Endpoint.exe")
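The host-side check from the How to Verify section and the 4688 indicator above, as one added PowerShell example. This is not Check Point's tooling and not code from the original advisory; the function names Get-HijackCandidate and Test-CanCreateFile are ours. It generalises the page's single service: it walks every service in the registry, derives the truncated paths the Service Control Manager would try before the real binary, reports which of the directories they resolve in the current user can create files in, and then looks in the Security log for a process that services.exe actually started from one of those paths.

```powershell
# Added example (not Check Point's tooling and not code from the original advisory).
# Part 1: find every service whose ImagePath is unquoted and contains a space, derive the
#         truncated names the Service Control Manager would try first, and report whether
#         the current user can create files in the directory each one resolves in.
# Part 2: look in the Security log for a process that services.exe started from one of
#         those truncated paths, which is what a successful hijack looks like in Event 4688.
# Run Part 1 as an ordinary user to get the attacker's view of the ACLs.
# Part 2 needs 'Audit Process Creation' enabled and read access to the Security log.

function Get-HijackCandidate {
    # Returns the truncated paths probed before the real binary, e.g. for
    # C:\Program Files\CheckPoint\Endpoint Security\Endpoint Common\bin\vpn.exe:
    #   C:\Program.exe
    #   C:\Program Files\CheckPoint\Endpoint.exe
    #   C:\Program Files\CheckPoint\Endpoint Security\Endpoint.exe
    param([string]$ImagePath)
    $image = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($image.StartsWith('"')) { return }                       # quoted: not affected
    if ($image -match '^(.*?\.exe)') { $exe = $Matches[1] } else { return }   # drop arguments; skip drivers
    if ($exe -notmatch '^[A-Za-z]:\\' -or $exe -notmatch ' ') { return }      # need an absolute path with a space
    $parts = $exe.Split(' ')
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

function Test-CanCreateFile {
    # True if an Allow ACE for the current user or one of its groups grants CreateFiles.
    # Deny ACEs and generic-rights ACEs are not decoded, so a hit means "go try it".
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Dir } catch { return $false }
    $want = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($mySids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $want) -eq $want) { return $true }
    }
    return $false
}

# Part 1: every unquoted service, one row per truncated path it exposes.
$findings = foreach ($svc in Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue) {
    if (-not $svc.ImagePath) { continue }
    foreach ($cand in @(Get-HijackCandidate -ImagePath $svc.ImagePath)) {
        [pscustomobject]@{
            Service   = $svc.PSChildName
            ImagePath = $svc.ImagePath
            Candidate = $cand
            Writable  = Test-CanCreateFile -Dir (Split-Path -Path $cand -Parent)
        }
    }
}
$findings | Sort-Object Writable -Descending | Format-Table Service, Candidate, Writable -AutoSize

# Part 2: has services.exe ever launched one of those truncated paths? (Event 4688)
$watch = @(foreach ($f in $findings) { $f.Candidate.ToLowerInvariant() })
if ($watch.Count -gt 0) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['NewProcessName'] -and
                $data['ParentProcessName'] -match '\\services\.exe$' -and
                $watch -contains $data['NewProcessName'].ToLowerInvariant()) {
                [pscustomobject]@{ Time = $_.TimeCreated; Process = $data['NewProcessName']; Parent = $data['ParentProcessName'] }
            }
        }
}
```

A Writable = True row is the finding that matters: that service can be hijacked by whoever holds the listed rights, and a row for the Check Point service with version below E80.83 is this CVE. Part 2 only covers the Security log; if Sysmon is deployed, the same match against Sysmon Event ID 1 (Image and ParentImage) gives better coverage, since ParentProcessName in 4688 is only populated on Windows 10 / Server 2016 and later.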