TEL AVIV, Israel, Jan. 27, 2025 /PRNewswire-PRWeb/ -- Element Security, a leader in Continuous Threat Exposure Management (CTEM), has uncovered a critical Remote Code Execution (RCE) vulnerability in Check Point Security Gateways, enabled through the exploitation of CVE-2021-40438. This discovery exposes significant risks for organizations relying on outdated or unpatched software versions.
About the Vulnerability
CVE-2021-40438 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server's mod_proxy module. This vulnerability can be exploited to redirect server requests to unintended destinations, potentially exposing sensitive data or allowing unauthorized access. Although Check Point addressed the issue in 2022, many systems remain vulnerable because the update was never applied or because they run end-of-life software.
Element Security researchers identified the RCE vulnerability during internal testing of a related flaw, CVE-2024-24919. By analyzing Check Point's software, they discovered that an outdated version of Apache left gateways susceptible to CVE-2021-40438.
Escalating SSRF to RCE
The potential impact of this vulnerability extends far beyond a typical SSRF attack. Leveraging CVE-2021-40438, Element Security researchers identified a method to achieve Remote Code Execution (RCE) by modifying the original SSRF payload to interact directly with UNIX sockets.
- Gateway Configuration Exposure: By interacting with the /tmp/xdumps UNIX socket, attackers could use a simple HTTP request to dump the gateway configuration, which includes sensitive information such as user accounts and password hashes.
- Remote Code Execution: Further research revealed the /tmp/xsets UNIX socket, which utilized a proprietary binary protocol. By analyzing its communication patterns, they reverse-engineered the protocol and discovered its ability to modify gateway configuration parameters. Leveraging this insight, the researchers crafted a payload to reset the admin password, leading to a full system compromise.
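For defenders who want to check their own exposure to the SSRF described above and the socket-level escalation built on it, the following Python is an added example, not part of the press release or of Element Security's research. It scans Apache access-log lines for the publicly documented CVE-2021-40438 request shape (a request target containing "unix:" followed by a filler string and a "|scheme://" origin that pre-fix mod_proxy would forward to) and compares an httpd version string against the upstream release that fixed the bug. The log lines, client addresses, and version strings are constructed for the example; the 2.4.49 fix version refers to upstream Apache, not to Check Point's vendor build.

```python
"""Detect CVE-2021-40438-style mod_proxy SSRF attempts in Apache access logs.

Added example, not from the Element Security write-up. The indicator it uses
is the publicly documented request shape for CVE-2021-40438: a request target
carrying "unix:" followed by a filler string and "|<scheme>://<origin>", which
mod_proxy versions before 2.4.49 forwarded to the attacker-chosen origin.
All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Combined log format prefix: client, identd, user, [time], "METHOD target HTTP/x.y"
_REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Indicator: "unix:" then a run of non-"|" characters, then "|" and a forwarded URL.
_SSRF_INDICATOR = re.compile(
    r'unix:(?P<filler>[^|\s]*)\|(?P<origin>[a-zA-Z][a-zA-Z0-9+.\-]*://\S*)'
)

# Upstream httpd release that fixed CVE-2021-40438.
FIXED_APACHE_VERSION = (2, 4, 49)

# Constructed sample lines: one ordinary request, one benign request that merely
# contains the word "unix:", and one with the CVE-2021-40438 indicator.
SAMPLE_LOG_LINES = [
    '198.51.100.10 - - [27/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [27/Jan/2025:10:00:02 +0000] "GET /search?q=unix:tips HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.12 - - [27/Jan/2025:10:00:03 +0000] "GET /?unix:' + 'A' * 4100
    + '|http://127.0.0.1:8080/ HTTP/1.1" 200 88 "-" "curl/8.4.0"',
]


@dataclass
class Finding:
    client: str            # source address from the log line
    forwarded_origin: str  # origin the request tried to make mod_proxy contact
    filler_length: int     # length of the padding between "unix:" and "|"


def inspect_log_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line's request target carries the SSRF indicator."""
    m = _REQUEST_LINE.match(line)
    if not m:
        return None  # not a recognisable access-log line
    hit = _SSRF_INDICATOR.search(m.group("target"))
    if not hit:
        return None
    return Finding(
        client=m.group("client"),
        forwarded_origin=hit.group("origin"),
        filler_length=len(hit.group("filler")),
    )


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Run inspect_log_line over every line and keep the hits."""
    return [f for f in (inspect_log_line(line) for line in lines) if f is not None]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.48' (optionally with a vendor suffix) into (2, 4, 48)."""
    nums = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not nums:
        raise ValueError(f"unrecognised Apache version string: {version!r}")
    return tuple(int(x) for x in nums.groups())


def apache_has_upstream_fix(version: str) -> bool:
    """True when the upstream httpd version is at or past the fixed release.

    Vendor builds (Check Point's included) may backport the fix without bumping
    the version string, so False means "verify against the vendor advisory",
    not proof of exposure.
    """
    return parse_version(version) >= FIXED_APACHE_VERSION


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(f"{finding.client}: mod_proxy SSRF attempt toward {finding.forwarded_origin} "
              f"(filler {finding.filler_length} bytes)")
    for v in ("2.4.48", "2.4.49", "2.4.58-vendor1"):
        print(f"httpd {v}: upstream fix present = {apache_has_upstream_fix(v)}")
```

Two design notes: the indicator requires both "unix:" and a following "|scheme://" so that ordinary paths containing the word "unix:" are not flagged, and the version check is deliberately a weak signal, since appliance vendors frequently backport fixes without changing the reported httpd version. In practice, pair the log scan with the vendor's own fix status for the gateway.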
Critical Lessons and Implications
This research highlights the critical risks associated with unpatched software and insecure inter-process communication (IPC) mechanisms. Organizations that have not updated their systems remain highly vulnerable, exposing themselves to potential exploitation, data breaches, and severe operational disruptions.
Element Security's Commitment to Proactive Security
Element Security ensured its customers were the first to benefit from this discovery. Immediate testing and actionable mitigation advice were delivered through the Element Security platform, empowering clients to address the vulnerability proactively.
"At Element Security, we redefine how organizations defend against threats through active testing and validation," said Daniel Lublin, CEO of Element Security. "This discovery reflects our commitment to original research, delivering actionable insights to protect our customers."
Availability
Further details and an in-depth analysis of the research are available on Element Security's Research blog post.
About Element Security
Element Security is a pioneer in cybersecurity, delivering a cutting-edge CTEM platform designed to continuously monitor, validate, and enhance the security of external attack surfaces. By combining advanced automation, innovative research, and actionable threat insights, Element Security empowers organizations to proactively mitigate risks and safeguard their operations against evolving cyber threats.
Media Contact
Omer Cohen, Element Security, 972 525607773, [email protected], https://element.security
SOURCE Element Security