CVE-2023-28130

7.2 HIGH

📋 TL;DR

CVE-2023-28130 is a command injection vulnerability in Check Point Gaia Portal's hostnames page that allows authenticated local users to execute arbitrary commands with elevated privileges. This affects Check Point security gateways and management servers running vulnerable Gaia Portal versions. Successful exploitation leads to complete system compromise.

💻 Affected Systems

Products:
  • Check Point Gaia Portal
Versions: R81.10 and earlier versions
Operating Systems: Check Point Gaia OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both security gateways and management servers running vulnerable Gaia Portal versions. Requires authenticated access to the Gaia web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with root privileges, enabling an attacker to install persistent backdoors, exfiltrate sensitive data, pivot to internal networks, and disable security controls.

🟠 Likely Case

Privilege escalation to root leading to configuration manipulation, credential theft, and lateral movement within the security infrastructure.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and command execution restrictions are implemented.

🌐 Internet-Facing: MEDIUM - Requires authenticated access but Gaia Portal may be exposed externally in some deployments.
🏢 Internal Only: HIGH - Local authenticated users can exploit this to gain root privileges on critical security infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public exploit scripts and detailed technical analysis available. Requires authenticated access to Gaia Portal.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: R81.10 Jumbo Hotfix Accumulator Take 92 or later

Vendor Advisory: https://support.checkpoint.com/results/sk/sk181311

Restart Required: Yes

Instructions:

1. Download the latest Jumbo Hotfix Accumulator from the Check Point support site.
2. Install it via Gaia Portal or CLI.
3. Reboot the appliance as required.

🔧 Temporary Workarounds

Restrict Gaia Portal Access

  • Limit access to Gaia Portal to trusted management networks only
  • Configure firewall rules to restrict Gaia Portal access to specific IP addresses/networks

Disable Unused Gaia Portal Features

  • Disable the hostnames page if it is not required
  • Remove or restrict access to the vulnerable hostnames functionality

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Gaia Portal from untrusted networks
  • Enforce least privilege access controls and monitor for suspicious command execution

🔍 How to Verify

Check if Vulnerable:

Check the Gaia version via CLI with 'clish -c "show version all"' and confirm whether the system is running R81.10 without Jumbo Hotfix Accumulator Take 92 or later

Check Version:

clish -c "show version all" | grep "R81.10"

Verify Fix Applied:

Verify the installed hotfix with 'clish -c "show installer packages"' and confirm that Jumbo Hotfix Accumulator Take 92 or later is installed

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution via Gaia Portal
  • Multiple failed authentication attempts followed by successful login
  • Suspicious process execution from Gaia Portal context

Network Indicators:

  • Unexpected outbound connections from Gaia Portal appliance
  • Command and control traffic patterns

SIEM Query:

source="gaia_portal" AND (event_type="command_execution" OR (cmd="*" AND user!="admin"))

Note: AND binds tighter than OR in most SIEM query languages, so the inner parentheses make the intended grouping explicit; the field names above are illustrative and must be mapped to the Gaia log schema your SIEM actually ingests.
