CWE-65
Windows Hard Link
Extended description
Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. AUTOEXEC.BAT). When the process opens the file, the attacker can assume the privileges of that process, or prevent the program from accurately processing data.
Common consequences1
- ConfidentialityIntegrityRead Files or DirectoriesModify Files or Directories
Potential mitigations1
- Architecture and Design
Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Relationships1
- ChildOfCWE-59
CVEs referencing this CWE6
| CVE | Description | Severity | EPSS | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2022-23742 | Check Point Endpoint Security Client for Windows versions earlier than E86.40 copy files for forensics reports from a directory with low privileges. An attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems or using symbolic links. | HIGH7.8 | 4.08%p89 | 2026-06-02 | |
| CVE-2020-6013 | ZoneAlarm Firewall and Antivirus products before version 15.8.109.18436 allow an attacker who already has access to the system to execute code at elevated privileges through a combination of file permission manipulation and exploitation of Windows CVE-2020-00896 on unpatched systems. | HIGH8.8 | 1.55%p72 | 2024-11-21 | |
| CVE-2019-8452 | A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains the local attacker higher privileges to the file. | HIGH7.8 | 1.04%p59 | PoC | 2024-11-21 |
| CVE-2019-19231 | An insecure file access vulnerability exists in CA Client Automation 14.0, 14.1, 14.2, and 14.3 Agent for Windows that can allow a local attacker to gain escalated privileges. | HIGH7.8 | 0.62%p45 | PoC | 2024-11-21 |
| CVE-2019-8455 | A hard-link created from the log file of Check Point ZoneAlarm up to 15.4.062 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains the local attacker higher privileges to the file. | HIGH7.1 | 0.39%p31 | 2024-11-21 | |
| CVE-2019-8454 | A local attacker can create a hard-link between a file to which the Check Point Endpoint Security client for Windows before E80.96 writes and another BAT file, then by impersonating the WPAD server, the attacker can write BAT commands into that file that will later be run by the user or the system. | HIGH7.0 | 0.33%p24 | 2024-11-21 |