Mobile Access Portal Agent before Build 800007042 runs Arbitrary Applications
Symptoms
  • CVE-2021-30358: When environment variables are used in the configuration, Mobile Access Portal Agent before build 800007042 runs arbitrary applications from a specially crafted location instead of the predefined Native Application.

Cause

Mobile Access Portal Agent runs predefined Native Applications. If an administrator configured such an application with environment variables in the path, Portal Agent may run an arbitrary application that was placed in a specially created location.


Solution

Users should install a hotfix to upgrade Portal Agent to a non-vulnerable version.


Automatic Installation

If automatic updates are enabled (see sk94508), the update is installed automatically on all relevant Check Point Mobile Access Gateways.
Note: The automatic update is distributed gradually. If your Security Gateway has not received the update yet, install it manually by following the instructions below.


Manual Installation

  1. Make sure your Mobile Access Gateway meets these requirements:

    • The version of the Mobile Access Portal Agent is lower than 800007042.

      You can check the Mobile Access Portal Agent version in one of these ways:

      • Run this command in the Expert mode on the Mobile Access Gateway:

        cat $CVPNDIR/htdocs/SNX/CSHELL/cshell_ver.txt

      • Open the applicable file in the Mobile Access Portal:

        https://<IP Address of Mobile Access Gateway>/<Prefix of Mobile Access Portal>/SNX/CSHELL/cshell_ver.txt

      Example output: 80,0,0070,40

    • The latest Take of AutoUpdater (see sk165653) is installed on the Mobile Access Gateway.

      Note: This package cannot be installed on Scalable Platforms (Maestro and Chassis).

  2. Download the hotfix package to your computer:

    Hotfix Package: Check_Point_ESOD_CSHELL_AUTOUPDATE_Bundle_T17_AutoUpdate.tar (TAR)

  3. Transfer the hotfix package to a directory on the Mobile Access Gateway.

  4. Connect to the command line on the Mobile Access Gateway.

  5. Log in to the Expert mode.

  6. Install the package with this command:

    autoupdatercli install /<path>/<package>

Note - The installation does not require cpstop, cpstart, or reboot. Once installed, no further action is required, and the update is immediately applied.
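
The version check from step 1 can be scripted for use across several gateways. The following is an added example, not Check Point code; it assumes the build number is the comma-separated fields of cshell_ver.txt joined together (80,0,0070,40 becomes 800007040), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Check Point code.
FIXED_BUILD=800007042   # first non-vulnerable build named in the advisory

# cshell_build "80,0,0070,40" prints 800007040.
# Assumption: the build number is the comma-separated fields of
# cshell_ver.txt joined together.
cshell_build() {
    raw=$(printf '%s' "$1" | tr -d ' \t\r\n')
    case "$raw" in
        *[!0-9,]*) return 2 ;;   # unexpected characters
        *[0-9]*) ;;              # at least one digit present
        *) return 2 ;;           # empty or commas only
    esac
    # Join the fields and drop leading zeros so the value is plain decimal.
    build=$(printf '%s' "$raw" | tr -d ',' | sed 's/^0*//')
    [ "${#build}" -le 12 ] || return 2   # stay within shell integer range
    printf '%s\n' "${build:-0}"
}

# Exit status: 0 = below fixed build (hotfix needed), 1 = fixed, 2 = unparsable.
needs_hotfix() {
    b=$(cshell_build "$1") || return 2
    [ "$b" -lt "$FIXED_BUILD" ]
}

# Report on the version file (default: the path given in step 1).
report() {
    file=${1:-$CVPNDIR/htdocs/SNX/CSHELL/cshell_ver.txt}
    [ -r "$file" ] || { echo "UNKNOWN: cannot read $file"; return 2; }
    ver=$(cat "$file")
    rc=0
    needs_hotfix "$ver" || rc=$?
    case "$rc" in
        0) echo "VULNERABLE: $ver is below $FIXED_BUILD" ;;
        1) echo "OK: $ver is at or above $FIXED_BUILD" ;;
        *) echo "UNKNOWN: cannot parse '$ver'"; return 2 ;;
    esac
}

# When called with a file argument, report on that file.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

An unparsable or unreadable version file is reported as UNKNOWN rather than OK, so a gateway is never counted as patched by default.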
