Check Point UserCheck Web Portal DLP Incident Management Disruption Vulnerability

Vulnerability

A vulnerability has been identified in the UserCheck Web Portal of Check Point Security Gateways, specifically in the UserChoice flow, when Data Loss Prevention (DLP) is active. This issue allows an attacker with access to the UserCheck Ask page to manipulate the Security Gateway's DLP/UserCheck incident data. Potential consequences include the loss of incident records, improper management of pending approvals, and resource strain if the vulnerability is exploited repeatedly. The risk is lower if the UserCheck Portal is not reachable from untrusted networks.

Impact

Exploitation of this vulnerability can disrupt the management of DLP/UserCheck incidents, leading to lost incident entries, mismanaged approvals, and potential resource impacts from repeated abuse.

Remediation

To address this vulnerability, ensure that the UserCheck Portal is only accessible through internal interfaces. This can be configured in SmartConsole under the UserCheck Accessibility settings for each Security Gateway or cluster object. The vulnerability can also be fixed by applying the appropriate Jumbo Hotfix Accumulator for the gateway version.

Added: May 26, 2026, 5:08 PM
Updated: May 26, 2026, 5:08 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 1.3
exploitability: 7.0
remediation: 7.9
relevance: 9.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.