CVE-2022-23743

7.8 HIGH

📋 TL;DR

CVE-2022-23743 is a local privilege escalation vulnerability in Check Point ZoneAlarm security software. It allows a local attacker to execute arbitrary code with SYSTEM privileges by exploiting weak directory permissions during the upgrade process. This affects users running vulnerable versions of ZoneAlarm on Windows systems.

💻 Affected Systems

Products:
  • Check Point ZoneAlarm Extreme Security
Versions: before 15.8.200.19118, and before 15.8.211.192119 (two fixed builds are listed; see Fix & Mitigation)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires code execution on the host as a local, low-privileged user. The weakness is in the permissions of a directory used by the upgrade process, so exploitation is tied to an upgrade running while that directory is writable by standard users.

📦 What is this software?

ZoneAlarm Extreme Security is Check Point's consumer endpoint protection suite for Windows (personal firewall, antivirus and related protections). Its upgrade component runs with elevated privileges, which is why weak permissions on a directory it uses give a local user a path to SYSTEM.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where an attacker gains SYSTEM privileges, enabling installation of persistent malware, credential theft, and full control over the affected system.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional malware, or access protected system resources.

🟢 If Mitigated

Limited impact if proper access controls and monitoring are in place, though local attackers could still attempt exploitation.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Internal attackers or malware with local execution can exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is relatively straightforward once local execution is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.8.200.19118 and 15.8.211.192119

Vendor Advisory: https://www.zonealarm.com/software/extreme-security/release-history

Restart Required: Yes

Instructions:

1. Open ZoneAlarm Extreme Security.
2. Navigate to Settings > Update.
3. Click 'Check for Updates'.
4. Install available updates.
5. Restart the system when prompted.

🔧 Temporary Workarounds

Restrict ProgramData directory permissions

windows

Manually set restrictive permissions on the directory this record names so that standard users cannot write to it. Before running the command, confirm the directory exists on the host and inspect its current ACL (icacls with the path and no other arguments) to see whether Users, Authenticated Users or Everyone hold write rights. The command changes only the directory's own ACL; the (OI)(CI) flags make the new entries inherit to future children, but existing files keep their explicit entries unless you add /T. The updater must still be able to write under its own identity, so run an upgrade afterwards to confirm the workaround has not broken it.

icacls "C:\ProgramData\CheckPoint\ZoneAlarm\Data\Updates" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
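The same check and hardening as a PowerShell script, added here as an example; it is not code from the original advisory or from Check Point. It audits the directory named in this record for write rights held by principals a local non-admin can act as, and with -Harden applies the same ACL as the icacls command above. The directory path is the one this record names; that it is the directory the upgrader actually writes to is an assumption taken from the record, and the removal of all explicit entries is slightly stricter than /grant:r, which replaces only the named principals' entries.

```powershell
# Added example, not code from the original advisory or from Check Point.
# Audits the directory this record names for write rights held by low-privileged
# principals; with -Harden, applies the same ACL as the icacls workaround
# (SYSTEM and Administrators full control, Users read/execute, inheritance removed).
# Assumption: this is the directory the upgrade process writes to.
param(
    [string]$Path = 'C:\ProgramData\CheckPoint\ZoneAlarm\Data\Updates',
    [switch]$Harden
)

function Get-WeakWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { throw "Directory not found: $Path" }

    # Identities every local low-privileged user holds.
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    # Rights that let such a user plant or replace files, or rewrite the ACL itself.
    $weak    = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $generic = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, seen on some inherited ACEs

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band ($weak -bor $generic)) -eq 0) { continue }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Set-RestrictiveAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)            # icacls /inheritance:r
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)                  # stricter than /grant:r: drop every explicit entry
    }
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'   # (OI)(CI)
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $grants = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Users';          Rights = 'ReadAndExecute' }
    )
    foreach ($g in $grants) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($g.Id, $g.Rights, $flags, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$weakAces = @(Get-WeakWriteAce -Path $Path)
if ($weakAces.Count -eq 0) {
    Write-Output "$Path : no write rights for low-privileged principals."
} else {
    $weakAces | Format-Table -AutoSize | Out-String | Write-Output
    if ($Harden) {
        Set-RestrictiveAcl -Path $Path
        Write-Output "Restrictive ACL applied to $Path; run an upgrade afterwards to confirm the updater still works."
    }
}
```

Run it from an elevated PowerShell session; without -Harden it only reports. Like the icacls command, it changes the directory's own ACL and relies on the (OI)(CI) flags for future children, so existing files keep whatever explicit entries they already have.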

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges and prevent unauthorized local execution.
  • Monitor for suspicious file writes in the ProgramData\CheckPoint\ZoneAlarm\Data\Updates directory and alert on unexpected SYSTEM privilege escalations.

🔍 How to Verify

Check if Vulnerable:

Check the ZoneAlarm version in the application interface or via the registry value this record names: HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\ZoneAlarm\Version. Confirm on one host that the registry value matches the version shown in the UI before relying on it fleet-wide.

Check Version:

reg query "HKLM\SOFTWARE\CheckPoint\ZoneAlarm" /v Version

Verify Fix Applied:

Verify ZoneAlarm version is 15.8.200.19118 or higher, or v15.8.211.192119 or higher.
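A script that performs this comparison, added here as an example; it is not code from the original advisory or from Check Point. It reads the version from the registry value named in this record, falls back to the Add/Remove Programs entry (matching the product by a DisplayName starting with "ZoneAlarm", which is an assumption about how it registers itself), and compares the result against both fixed builds listed above.

```powershell
# Added example, not code from the original advisory or from Check Point.
# Reads the installed ZoneAlarm version and compares it with the two fixed
# builds this record lists. Assumptions: the registry value named in this
# record (HKLM\SOFTWARE\CheckPoint\ZoneAlarm, value "Version") is present;
# the Uninstall-key fallback matches a DisplayName starting with "ZoneAlarm".

function Get-ZoneAlarmVersion {
    # Preferred source: the registry value this record names.
    $key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\CheckPoint\ZoneAlarm' -Name Version -ErrorAction SilentlyContinue
    if ($key -and $key.Version) { return [version]$key.Version }

    # Fallback (assumption): the Add/Remove Programs entry for the product.
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'ZoneAlarm*' -and $_.DisplayVersion } |
        Select-Object -First 1
    if ($entry) { return [version]$entry.DisplayVersion }
    return $null
}

function Test-ZoneAlarmFixed {
    # Returns $true (fixed), $false (vulnerable) or $null (a build line this record does not cover).
    param([Parameter(Mandatory)][version]$Installed)
    $fix200 = [version]'15.8.200.19118'
    $fix211 = [version]'15.8.211.192119'
    $on158  = ($Installed.Major -eq 15 -and $Installed.Minor -eq 8)
    if ($on158 -and $Installed.Build -eq 200) { return ($Installed -ge $fix200) }
    if ($on158 -and $Installed.Build -eq 211) { return ($Installed -ge $fix211) }
    if ($Installed -gt $fix211) { return $true }    # newer than both listed fixes
    if ($Installed -lt $fix200) { return $false }   # older than the first listed fix
    return $null                                    # between the two lines, e.g. 15.8.205.x
}

$installed = Get-ZoneAlarmVersion
if ($null -eq $installed) {
    Write-Output 'ZoneAlarm version not found; the product may not be installed or may register elsewhere.'
} else {
    $state = Test-ZoneAlarmFixed -Installed $installed
    if ($null -eq $state) {
        Write-Output "ZoneAlarm $installed is on a build line this record does not cover; check the vendor release history."
    } elseif ($state) {
        Write-Output "ZoneAlarm $installed is at or above a fixed build."
    } else {
        Write-Output "ZoneAlarm $installed is below the fixed build; CVE-2022-23743 applies."
    }
}
```

The three-way result is deliberate: a build between the two listed lines is neither confirmed fixed nor confirmed vulnerable by this record, and the script says so rather than guessing.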

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes to ProgramData\CheckPoint\ZoneAlarm\Data\Updates
  • Processes spawning with SYSTEM privileges from non-standard locations
  • ZoneAlarm upgrade process anomalies

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

EventID=4688 AND NewProcessName="*\ProgramData\CheckPoint\ZoneAlarm\*" AND SubjectUserSid!="S-1-5-18"

In 4688 the Local System account appears in SubjectUserName as the machine account (<HOST>$, logon ID 0x3E7), not as "SYSTEM", so filter on the SID S-1-5-18 rather than the name. The query above catches a non-SYSTEM account executing out of the ZoneAlarm data tree (attacker staging); pair it with the inverse (SubjectUserSid="S-1-5-18" with the same path filter), baselined against a legitimate upgrade, to catch the escalation itself. Both require Audit Process Creation to be enabled, and the CommandLine field is only populated when command-line auditing is on.
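The same two-pattern detection run directly against the Security log, added here as an example; it is not code from the original advisory or from Check Point. It assumes Audit Process Creation is enabled and that -ExpectedSystemImages is filled in from a known-good upgrade run; with the list empty, every SYSTEM process started from the ZoneAlarm data tree is reported.

```powershell
# Added example, not code from the original advisory or from Check Point.
# Pulls Security 4688 events and flags two patterns around the ZoneAlarm data
# tree this record names: (a) a non-SYSTEM account starting a process from
# inside the tree (staging), and (b) SYSTEM starting a process from inside the
# tree whose image is not on an expected list (the escalation itself).
# Assumptions: "Audit Process Creation" is on; the expected-image list is
# populated from a known-good upgrade run.
param(
    [string]$PathPrefix = 'C:\ProgramData\CheckPoint\ZoneAlarm\',
    [int]$Hours = 24,
    [string[]]$ExpectedSystemImages = @()
)

$localSystemSid = 'S-1-5-18'   # 4688 shows SYSTEM as "<HOST>$" in SubjectUserName, so match the SID instead

function ConvertFrom-EventData {
    # Flattens the <EventData> section of a Security event into a name/value hashtable.
    param([Parameter(Mandatory)]$Record)
    $x = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData -Record $_
    if ($d['NewProcessName'] -notlike "$PathPrefix*") { return }   # only images under the ZoneAlarm tree

    $verdict = $null
    if ($d['SubjectUserSid'] -ne $localSystemSid) {
        $verdict = 'staging: non-SYSTEM account ran a process from the ZoneAlarm data tree'
    } elseif ($ExpectedSystemImages -notcontains $d['NewProcessName']) {
        $verdict = 'escalation candidate: SYSTEM ran an unexpected image from the ZoneAlarm data tree'
    }
    if ($verdict) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Sid         = $d['SubjectUserSid']
            Image       = $d['NewProcessName']
            Parent      = $d['ParentProcessName']   # present on Windows 10 / Server 2016 and later
            CommandLine = $d['CommandLine']         # empty unless command-line auditing is enabled
            Verdict     = $verdict
        }
    }
}
```

Reading the Security log requires an elevated session. Tune -ExpectedSystemImages by running the script during a legitimate upgrade and adding the images it reports; anything left after that is worth a look.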
