CVE-2021-30359
📋 TL;DR
This vulnerability allows attackers to escalate privileges by exploiting the MSI installer repair function in Checkpoint Harmony Browse and SandBlast Agent for Browsers. An attacker can place a malicious binary in the repair folder that executes with admin privileges. This affects users running vulnerable versions of these products on Windows systems.
💻 Affected Systems
- Checkpoint Harmony Browse
- Checkpoint SandBlast Agent for Browsers
📦 What is this software?
Harmony Browse by Checkpoint
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, allowing installation of persistent malware, data theft, or lateral movement across the network.
Likely Case
Local privilege escalation leading to administrative control over the affected system, enabling further malicious activities.
If Mitigated
Limited impact with proper user privilege restrictions and updated software, preventing successful exploitation.
🎯 Exploit Status
Exploitation requires local user access and knowledge of the repair folder location. Public disclosure includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 90.08.7405 and later
Vendor Advisory: https://supportcontent.checkpoint.com/solutions?id=sk175968
Restart Required: Yes
Instructions:
1. Download latest version from Checkpoint support portal.
2. Uninstall current vulnerable version.
3. Install updated version 90.08.7405 or later.
4. Restart system.
🔧 Temporary Workarounds
Restrict MSI Repair Permissions
Modify Windows permissions to prevent standard users from initiating MSI repair operations
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "DisableUserInstalls" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f
Remove Vulnerable Software
Uninstall affected software if not required
msiexec /x {ProductCode} /qn
wmic product where "name like '%Harmony Browse%' or name like '%SandBlast Agent%'" call uninstall /nointeractive
🧯 If You Can't Patch
- Implement least privilege principle - ensure users operate with standard user accounts, not administrative accounts
- Monitor for suspicious MSI repair activities and file creation in installer directories using endpoint detection tools
🔍 How to Verify
Check if Vulnerable:
Check installed version of Harmony Browse or SandBlast Agent via Control Panel > Programs and Features, or run: wmic product where "name like '%Harmony Browse%' or name like '%SandBlast Agent%'" get name,version
Check Version:
wmic product where "name like '%Harmony Browse%' or name like '%SandBlast Agent%'" get name,version
Verify Fix Applied:
Confirm version is 90.08.7405 or higher using same version check command
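The same version check as an added PowerShell example (not code from the vendor or the original page): it reads the per-machine uninstall registry keys instead of `wmic product`, because querying Win32_Product makes Windows Installer run a consistency check on every installed package. The display-name patterns come from the wmic filter above and are assumed to match how the products register themselves; the function name is hypothetical.

```powershell
# Added example: patch-level check for CVE-2021-30359 without Win32_Product.
# Assumption: the products register a DisplayName containing "Harmony Browse"
# or "SandBlast Agent" (same patterns as the wmic filter on this page).
function Get-HarmonyBrowsePatchState {
    [CmdletBinding()]
    param(
        [string[]]$NamePattern = @('*Harmony Browse*', '*SandBlast Agent*'),
        [version]$FixedVersion = '90.08.7405'   # first fixed build per the page
    )

    # Per-machine uninstall keys, 64-bit and 32-bit registry views.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($NamePattern | Where-Object { $name -like $_ })
        } |
        ForEach-Object {
            # [version] parses each field as an integer, so "08" compares as 8;
            # a plain string comparison would mis-order builds.
            $parsed = $null
            $state  = 'UnknownVersion'
            if ([version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)) {
                $state = if ($parsed -ge $FixedVersion) { 'Patched' } else { 'Vulnerable' }
            }
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Name         = $_.DisplayName
                Version      = $_.DisplayVersion
                ProductCode  = $_.PSChildName   # MSI products use the product GUID as key name
                State        = $state
            }
        }
}

Get-HarmonyBrowsePatchState | Format-Table -AutoSize
```

No output means no matching product is registered per-machine on that host; the ProductCode column is the value that `msiexec /x {ProductCode} /qn` expects.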
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: MSI installer repair events (Event ID 11724, 11728)
- Security logs: Unexpected privilege escalation attempts
- Application logs: Unusual file creation in MSI repair directories
Network Indicators:
- No specific network indicators - this is a local privilege escalation
SIEM Query:
EventID=11724 OR EventID=11728 | where ProcessName contains "msiexec" | where CommandLine contains "repair" | where User not in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
🔗 References
- https://github.com/mandiant/Vulnerability-Disclosures/blob/master/MNDT-2021-0007/MNDT-2021-0007.md
- https://supportcontent.checkpoint.com/solutions?id=sk175968