CVE-2022-23742
📋 TL;DR
This vulnerability in Check Point Endpoint Security Client for Windows allows attackers to replace files copied for forensics reports with malicious content. Attackers could exploit this to execute arbitrary code or escalate privileges, particularly on systems with other unpatched vulnerabilities like CVE-2020-0896. Organizations using affected versions of Check Point Endpoint Security Client for Windows are at risk.
💻 Affected Systems
- Check Point Endpoint Security Client for Windows
📦 What is this software?
Endpoint Security by Checkpoint
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution leading to data theft, ransomware deployment, or complete endpoint takeover.
Likely Case
Privilege escalation allowing attackers to gain higher permissions on the system, potentially leading to lateral movement within the network.
If Mitigated
Limited impact with proper file permissions and monitoring in place, potentially only allowing file manipulation without code execution.
🎯 Exploit Status
Exploitation requires local access to the system and knowledge of the forensics reporting process. Attackers need to replace files at the right moment when they're being copied.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: E86.40 and later
Vendor Advisory: https://supportcontent.checkpoint.com/solutions?id=sk178665
Restart Required: Yes
Instructions:
1. Download the latest version (E86.40 or newer) from the Check Point support portal.
2. Run the installer with administrative privileges.
3. Follow the installation wizard.
4. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict file permissions on forensics directories
Set strict access controls on directories used for forensics reporting to prevent unauthorized file modifications. (The trailing backslash has been dropped from the quoted path below: icacls reads `\"` as an escaped quote, which silently breaks the command line.)
icacls "C:\Program Files\CheckPoint\Endpoint Security\Forensics" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(DE,DC,WDAC,WO)"
🧯 If You Can't Patch
- Implement strict file integrity monitoring on forensics reporting directories
- Disable forensics reporting feature if not required for operations
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Check Point Endpoint Security Client. If the version is earlier than E86.40, the system is vulnerable.
Check Version:
Open Check Point Endpoint Security Client, go to Help > About, or check the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Version
Verify Fix Applied:
Verify the installed version is E86.40 or later and that file permissions on forensics directories are properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modifications in Check Point forensics directories
- Suspicious process creation from Check Point executables
- Failed attempts to access restricted forensics directories
Network Indicators:
- Unusual outbound connections from Check Point processes
- Lateral movement attempts following endpoint compromise
SIEM Query:
source="windows" AND (event_id=4663 OR event_id=4656) AND object_name="*CheckPoint*Forensics*" AND access_mask="0x2"
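Added example (not from the advisory or from Check Point) covering both the version check under "How to Verify" and the detection logic behind the SIEM query above: it parses an installed version string against the fixed version E86.40, and it filters constructed Windows Security audit records (event IDs 4663/4656) for write access to a CheckPoint forensics path. The event field names, the sample events and the handling of access masks that merely include the 0x2 write bit are assumptions; real writes by the agent itself under SYSTEM will also match and need to be baselined.

```python
import fnmatch
import re

FIXED_VERSION = "E86.40"  # first fixed release named in the advisory
FORENSICS_GLOB = "*CheckPoint*Forensics*"  # object_name pattern from the SIEM query
WRITE_BIT = 0x2  # ACCESS_MASK bit for WriteData / AddFile


def parse_version(version):
    """Turn 'E86.40' into the tuple (86, 40); reject anything else."""
    match = re.fullmatch(r"E(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Check Point client version: {version!r}")
    return int(match.group(1)), int(match.group(2))


def is_vulnerable(installed_version):
    """True when the installed client is older than E86.40."""
    return parse_version(installed_version) < parse_version(FIXED_VERSION)


def _mask_to_int(mask):
    # Event logs carry the mask as a hex string such as "0x2"; accept ints too.
    return mask if isinstance(mask, int) else int(str(mask), 16)


def find_forensics_writes(events):
    """Return the audit records that grant write access to a forensics path.

    Mirrors the SIEM query (4663/4656, *CheckPoint*Forensics*, access mask 0x2)
    but treats any mask containing the write bit as a hit.
    """
    hits = []
    for event in events:
        if event.get("event_id") not in (4663, 4656):
            continue
        if not fnmatch.fnmatch(event.get("object_name", "").lower(), FORENSICS_GLOB.lower()):
            continue
        if _mask_to_int(event.get("access_mask", 0)) & WRITE_BIT:
            hits.append(event)
    return hits


# Constructed sample records (assumed field names), not real log data.
FORENSICS_DIR = r"C:\Program Files\CheckPoint\Endpoint Security\Forensics"
SAMPLE_EVENTS = [
    {"event_id": 4663, "object_name": FORENSICS_DIR + r"\report.tmp",
     "access_mask": "0x2", "subject_user": r"CORP\jdoe"},
    {"event_id": 4663, "object_name": FORENSICS_DIR + r"\report.log",
     "access_mask": "0x80", "subject_user": r"CORP\jdoe"},  # read attributes only
    {"event_id": 4656, "object_name": r"C:\Users\jdoe\Documents\notes.txt",
     "access_mask": "0x2", "subject_user": r"CORP\jdoe"},  # wrong path
    {"event_id": 4624, "object_name": "", "access_mask": "0x0",
     "subject_user": r"CORP\jdoe"},  # logon event, ignored
]
```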