Skip to main content

Active exploitation of Check Point security gateway devices

Threat ID:CC-4504
Threat Severity:High
Published:30 May 2024 3:15 PM

Summary

Active exploitation of Check Point security gateway devices

Affected platforms

 

The following platforms are known to be affected:

Versions: R80.20.x, R81, R81.10, R81.10.x, R81.20

Check Point Quantum

Summary

Active exploitation of Check Point security gateway devices

Affected platforms

The following platforms are known to be affected:

Versions: R80.20.x, R81, R81.10, R81.10.x, R81.20
Check Point Quantum
  • Quantum Maestro
  • Quantum Scalable Chassis
  • Quantum Security Gateways
  • Quantum Spark Appliances
Versions: R80.20.x, R81, R81.10, R81.10.x, R81.20
Check Point CloudGuard

Threat details

End-of-life versions also affected

The following versions are affected but are considered end-of-life (EOL) by Check Point:

  • R77.20 (EOL)
  • R77.30 (EOL)
  • R80.10 (EOL)
  • R80.20 (EOL)
  • R80.20SP (EOL)
  • R80.30 (EOL)
  • R80.30SP (EOL)
  • R80.40 (EOL)

Introduction

Check Point has released security advisories relating to ongoing exploitation attempts against devices in the Quantum and CloudGuard family of products. 

Quantum security gateways and firewalls perform advanced threat prevention, policy management, remote access VPN, IoT security, SD-WAN, and other services. CloudGuard is a SaaS platform that provides unified, cloud-native security across applications, workloads, and networks.

CVE-2024-24919 is an actively exploited zero-day vulnerability with a CVSSv3 score of 8.6 that can allow a remote, unauthenticated attacker to access arbitrary files on an affected device, leading to possible exfiltration of local user credentials resulting in persistent access and lateral movement into target networks.

This vulnerability affects any Check Point Security Gateway device that has either:

  • IPsec VPN blade enabled when included in the Remote Access VPN community
  • Mobile Access Software Blade enabled

Active exploitation of CVE-2024-24919

The exploitation attempts Check Point has seen focus on installations that have remote access on older local accounts with (unrecommended) password-only authentication. Password hashes of legacy local users can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further misuse and potential lateral movement within the network.

Check Point and other security organisations have warned of attacks leading to lateral movement into target networks, resulting in exfiltration of "NTDS.dit" files within hours of initial access.

Reports warn of exploitation attempts as early as 7 April 2024.

Threat updates

   
4 Jun 2024 Date of first observed exploitation amended to 7 April 2024

The cyber alert has been updated to reflect this change
4 Jun 2024 "FAQ for CVE-2024-24919" merged into "Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure"

The cyber alert now refers only to sk182336, where all information regarding these vulnerabilities can be found
3 Jun 2024 Vulnerability checker script published and Important Extra Measures updated:
  • Regenerate the SSH local user certificate on the Security Gateway
  • Renew the certificate for the SSH Inspection

Remediation advice

Affected organisations must review the following advisories, apply the relevant hotfixes, and apply additional measures outlined by Check Point.

  • Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure 
    • Install a mandatory Security Gateway Hotfix to prevent exploitation of CVE-2024-24919
      • Organisations running end-of-life versions are required to update to a supported version and apply the hotfix
    • Additionally, organisations must implement the following "Important Extra Measures" detailed by Check Point
      • Change the password of the LDAP Account Unit
      • Reset password of local accounts connecting to VPN with password authentication
      • Prevent Local Accounts from connecting to VPN with password authentication
      • Renew Security Gateway's Outbound SSL Inspection CA certificate 
      • Renew Security Gateway's Inbound SSL Inspection server certificates
      • Reset all Gaia OS admin, local users and Expert mode passwords
      • Regenerate the SSH local user certificate on the Security Gateway in the case that vulnerable users have SSH configured to allow all source IP addresses
      • Renew the certificate for the SSH Inspection
  • Script to check Security Gateways for CVE-2024-24919
    • Download and run the above script to scan for vulnerable Security Gateways and Cluster Members

  • Important Security Update – Stay Protected Against VPN Information Disclosure (CVE-2024-24919)

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-24919Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.

Last edited: 4 June 2024 1:28 pm

Back to top