
Just in Time Bulletin: CVE-2024-24919 Check Point Security Gateway Information Disclosure

Jun 03, 2024

On May 28, 2024, Check Point published an advisory for CVE-2024-24919, a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade.

What is CVE-2024-24919?

CVE-2024-24919 documents a vulnerability that potentially allows an attacker to read certain information on Check Point Security Gateways that are connected to the Internet and have the Remote Access VPN or Mobile Access software blade enabled. Check Point has released a hotfix that mitigates this vulnerability.

On May 29, 2024, security firm mnemonic published a blog post reporting that it had observed in-the-wild exploitation of CVE-2024-24919 since April 7, 2024. Threat actors have been leveraging the vulnerability to enumerate and extract password hashes for all local accounts, including accounts used to connect to Active Directory. mnemonic also observed adversaries moving laterally and extracting the “ntds.dit” file from compromised customers’ Active Directory servers within hours of an initial attack against a vulnerable Check Point Gateway.

On May 30, 2024, watchTowr published technical details of CVE-2024-24919 including a PoC.

On May 31, 2024, Check Point updated their advisory to state that further analysis has revealed that the first exploitation attempts actually began on April 7, 2024, and not April 30 as previously thought.

How bad is this?

The vulnerability allows an unauthenticated remote attacker to read the contents of an arbitrary file on the affected appliance. For example, an attacker can read the appliance’s /etc/shadow file, disclosing the password hashes for local accounts. The attacker is not limited to this file and may read other files that contain sensitive information. An attacker may be able to crack the password hashes for these local accounts, and if the Security Gateway allows password-only authentication, the attacker may use the cracked passwords to authenticate.

| CVE | CWE | CVSSv3 | CVSSv2 | EPSS |
|---|---|---|---|---|
| CVE-2024-24919 | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | 8.6 High | 5 Medium | 0.019 Low |

Because the vulnerability has been under active exploitation in the wild since April 7, 2024, and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) on 04/30/2024, NopSec recommends applying the vendor security patch to fix the vulnerability.

Severity: Critical

How is it exploited?

This is a ‘high’ priority bug, which (according to the CVE itself) falls under the category of Exposure of Sensitive Information to an Unauthorized Actor. Check Point advises that the bug is under active exploitation, and gives the following summary (among other advice):

“The vulnerability potentially allows an attacker to read certain information on Gateways once connected to the Internet and enabled with Remote Access VPN or Mobile Access.”

The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory. The full extent of the consequences is still unknown. However, it is known that password hashes of legacy local users with password-only authentication can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further misuse and potential lateral movement within the network. It is now proven that the vulnerability allows a threat actor to retrieve all files on the local filesystem. This includes password hashes for all local accounts, SSH keys, certificates and other critical files. Threat actors can gain full shell access on vulnerable systems with relative ease.

Check Point Software Technologies has observed attempts to exploit this vulnerability.

Check Point Software Technologies has several observations of this exploit being used in the wild and is currently investigating activity related to the use of this vulnerability. The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely.

We have observed threat actors extracting ntds.dit from compromised customers within 2-3 hours after logging in with a local user. CVE-2024-24919 was in that case used to extract user information which the threat actor then used to move laterally in the network.

Update 05/31/2024: A POC to exploit the vulnerability is now publicly available.

How do I protect myself?

Check Point has released hotfixes for Quantum Security Gateway, Quantum Maestro, Quantum Scalable Chassis, and Quantum Spark Appliances. We advise customers to refer to the Check Point advisory for the most current information on affected versions and hotfixes.

The vendor-supplied hotfixes should be applied immediately. NopSec strongly recommends that Check Point Security Gateway customers examine their environments for signs of compromise and reset local account credentials in addition to applying the vendor-provided fixes.

Check Point notes that the exploit attempts its team has observed “focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” The company recommends that customers check for local account usage, disable any unused local accounts, and add certificate-based authentication rather than relying on password-only authentication. More information and recommendations on user and client authentication for remote access are available from Check Point.
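To support the recommendation to examine environments for signs of compromise, the following is an added example written for this bulletin (it is not NopSec’s or Check Point’s code). It scans HTTP access logs for the generic pattern the bulletin describes: a path-traversal request reaching a sensitive file such as /etc/shadow, SSH keys or certificates. The “combined” log format and the sample log lines are assumptions constructed for the example; a real deployment would adapt the parser to the gateway’s actual log format and, because exploitation began before a fix was available, run it over retained logs back to at least April 7, 2024.

```python
"""Scan web access logs for traversal reads of sensitive files.

Added example written for this bulletin; it is not NopSec's or Check Point's
code. It assumes the gateway's HTTP access log is in the common "combined"
format (an assumption). The log lines below are constructed, and the request
shapes are generic traversal patterns, not any specific exploit.
"""
import re
from urllib.parse import unquote

# Combined log format: src ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files this bulletin names as disclosure targets: local password hashes
# (/etc/shadow), SSH keys and certificates.
SENSITIVE_PATHS = ("/etc/shadow", "/etc/passwd", "/.ssh/", ".pem", ".key")
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2024:10:14:02 +0000] "POST /vpn/index.html HTTP/1.1" 200 1234
203.0.113.7 - - [07/Apr/2024:10:14:05 +0000] "POST /app/../../../../etc/shadow HTTP/1.1" 200 2048
198.51.100.9 - - [07/Apr/2024:11:02:11 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
192.0.2.5 - - [07/Apr/2024:12:00:00 +0000] "GET /static/logo.png HTTP/1.1" 200 5120
"""


def normalize(path: str) -> str:
    """Percent-decode until stable (catches double encoding); treat backslash as '/'."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify(raw_path: str) -> list:
    """Return the reasons a request path is suspicious; empty list if none."""
    decoded = normalize(raw_path)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    hit = next((s for s in SENSITIVE_PATHS if s in decoded), None)
    if hit:
        reasons.append("sensitive:" + hit)
    return reasons


def scan(log_text: str) -> list:
    """Parse each line and emit an alert record for every suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        reasons = classify(m["path"])
        if not reasons:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        alerts.append({
            "src": m["src"],
            "time": m["time"],
            "path": m["path"],
            "reasons": reasons,
            # A 200 with a body means the file was most likely returned.
            "likely_success": m["status"] == "200" and size > 0,
        })
    return alerts


def sources(alerts: list) -> dict:
    """Count alerts per source address so repeat offenders stand out."""
    counts = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        flag = "LIKELY SUCCESS" if a["likely_success"] else ""
        print(a["time"], a["src"], a["path"], a["reasons"], flag)
    print(sources(found))
```

The decoder runs until the path stops changing so that double-encoded traversal (`%252e%252e`) is caught, and a matching request that returned a 200 with a body is flagged separately: that is the case in which the file was most likely disclosed, and the local account credentials on that appliance should be treated as exposed and reset, as the bulletin recommends.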

Who is affected by this?

According to the vendor advisory, the following products are vulnerable to CVE-2024-24919:

  • CloudGuard Network
  • Quantum Maestro
  • Quantum Scalable Chassis
  • Quantum Security Gateways
  • Quantum Spark Appliances

Check Point has advised that a Security Gateway is vulnerable if either of the following configurations is applied:

  • If the “IPSec VPN” blade has been enabled and the Security Gateway device is part of the “Remote Access” VPN community
  • If the “Mobile Access” blade has been enabled
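The two configuration conditions above, combined with the remediation advice in this bulletin (apply the hotfix, check for compromise, disable unused local accounts, replace password-only authentication), can be turned into a quick inventory triage. The following is an added example, not NopSec’s or Check Point’s code; the field names and the three inventory records are constructed assumptions, so a real export from the management server would need to be mapped onto them.

```python
"""Triage a gateway inventory for CVE-2024-24919 exposure.

Added example, not NopSec's or Check Point's code. It encodes the two
vulnerable configurations from the advisory and the remediation advice in
this bulletin. Field names are assumptions; the inventory is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    name: str
    password_only: bool  # True when no certificate is required to authenticate
    in_use: bool         # False when the account has no legitimate current use


@dataclass
class Gateway:
    name: str
    ipsec_vpn_blade: bool
    in_remote_access_community: bool
    mobile_access_blade: bool
    hotfix_applied: bool
    local_accounts: list = field(default_factory=list)


def is_exposed(gw: Gateway) -> bool:
    """Vulnerable configuration per the advisory: IPSec VPN blade enabled and the
    gateway in the Remote Access community, or the Mobile Access blade enabled."""
    return (gw.ipsec_vpn_blade and gw.in_remote_access_community) or gw.mobile_access_blade


def triage(gw: Gateway) -> dict:
    """Return a priority and the ordered remediation actions for one gateway."""
    if not is_exposed(gw):
        return {"gateway": gw.name, "priority": "none", "actions": []}
    actions = []
    if not gw.hotfix_applied:
        actions.append("apply vendor hotfix")
    # Exploitation predates the fix, so a patched gateway still needs a review.
    actions.append("check for signs of compromise")
    unused = sorted(a.name for a in gw.local_accounts if not a.in_use)
    if unused:
        actions.append("disable unused local accounts: " + ", ".join(unused))
    pw_only = sorted(a.name for a in gw.local_accounts if a.in_use and a.password_only)
    if pw_only:
        actions.append("reset credentials and require certificate-based authentication: "
                       + ", ".join(pw_only))
    priority = "critical" if not gw.hotfix_applied else "high"
    return {"gateway": gw.name, "priority": priority, "actions": actions}


PRIORITY_ORDER = {"critical": 0, "high": 1, "none": 2}


def triage_all(inventory: list) -> list:
    """Triage every gateway, most urgent first (stable sort keeps inventory order within a tier)."""
    return sorted((triage(g) for g in inventory), key=lambda r: PRIORITY_ORDER[r["priority"]])


# Constructed inventory for the example, not real hosts.
INVENTORY = [
    Gateway("gw-edge-1", ipsec_vpn_blade=True, in_remote_access_community=True,
            mobile_access_blade=False, hotfix_applied=False,
            local_accounts=[LocalAccount("admin", True, True),
                            LocalAccount("svc-ad", True, True),
                            LocalAccount("olduser", True, False)]),
    Gateway("gw-branch-2", ipsec_vpn_blade=True, in_remote_access_community=False,
            mobile_access_blade=False, hotfix_applied=False),
    Gateway("gw-mobile-3", ipsec_vpn_blade=False, in_remote_access_community=False,
            mobile_access_blade=True, hotfix_applied=True,
            local_accounts=[LocalAccount("admin", False, True)]),
]

if __name__ == "__main__":
    for r in triage_all(INVENTORY):
        print(r["priority"].upper(), r["gateway"])
        for a in r["actions"]:
            print("   -", a)
```

The ordering reflects this bulletin’s reasoning: an exposed, unpatched gateway is critical; an exposed gateway that has already been hotfixed is still high because the in-the-wild exploitation began on April 7, 2024, before the fix existed, so its local credentials may already have been disclosed; a gateway that runs the IPSec VPN blade but is not in the Remote Access community does not meet either advisory condition.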

NopSec Thoughts?

NopSec considers this a critical-priority vulnerability, since it is being exploited in the wild and a public exploit is actively distributed. Effective patches are available from the vendor. However, the vulnerability creates a direct attack path from the Internet into potentially sensitive domain servers inside the organization, via the cracking of passwords included in the domain controller’s “ntds.dit” file. This is a high-risk compromise scenario. The vulnerability itself is a simple forceful browsing or directory traversal vulnerability that allows an attacker to read root-privileged files containing sensitive information.

Additional Resources About CVE-2024-24919