Since April 30, exploits for CVE-2024-24919 have been reported, allowing adversaries to execute code remotely without authorization.
Background:
Check Point revealed an arbitrary file read vulnerability impacting Check Point Security Gateways on May 28th, 2024. With a CVSS score of 8.6 (High), CVE-2024-24919 gives attackers root capabilities over susceptible goods, enabling them to view sensitive files. A vulnerability known as CVE-2024-24919 allows adversaries to execute code remotely without authorization if the certificate authentication is not enabled.
Since April 30, exploits for CVE-2024-24919 have been reported. The main method used by attackers to enable lateral network movement is the stealing of Active Directory credentials.
These events mostly took advantage of situations in which outdated local accounts used password-only authentication, which is not advised because of its vulnerability to these kinds of attacks.
CVE-2024-24919:
An arbitrary file read vulnerability (CWE-200) CVE-2024-24919 gives attackers path traversal access to and reading capability over confidential files. An arbitrary file read vulnerability by itself would rate quite severe. But the severity is increased by CVE-2024-24919, which gives attackers access to files with root privileges. Adversaries are able to access important files like “passwd” and “shadow” and obtain user credentials. An attacker can execute code remotely by using the credentials they have obtained, provided that multi-factor authentication is enabled.
POST /clients/MyCRL
Host: <vulnerable_CheckPoint_Security_Gateway>
Content-Length: 39
aCSHELL/../../../../../../etc/passwd
This PoC exploit demonstrates how attackers could abuse a directory traversal flaw through an HTTP POST request and access sensitive files like /etc/passwd.
The ‘ntds.dit’ file from Active Directory servers may be accessed, and password hashes for local accounts can be extracted, according to the exploitation techniques for CVE-2024-24919. Logs of successful administrative panel or SSH logins are recorded in system logs such /var/log/messages, /var/log/audit/audit.log, and /var/log/auth, which may point to an exploit.
Affected products:
| Product | Affected Version |
| Quantum Security Gateway and CloudGuard Network Security Versions |
|
| Quantum Maestro and Quantum Scalable Chassis |
|
| Quantum Spark Gateways Version |
|
Active exploitation:
Several threat actors have been seen actively taking use of this vulnerability in the real world. May 30, 2024, saw the public release of a PoC.
According to Check Point, there have been efforts at exploitation dating back to April 7, 2024. The activity is mostly concentrated on “remote access scenarios with old local accounts with password-only authentication, which is not recommended.”
According to security company Mnemonic, from April 30, 2024, there have been attempts within client environments to obtain Active Directory credentials.
Recommendations:
It is highly advised that you apply the relevant hotfix for your Quantum Gateway. To prevent any operational impact, kindly adhere to your organization’s patching and testing policies.
| Product | Hotfix |
| Quantum Security Gateway and CloudGuard Network Security Versions |
|
| Quantum Maestro and Quantum Scalable Chassis |
|
| Quantum Spark Gateways Version |
|
Check Point advises hardening Gateways with extra security measures. This covers things like:
- Changing the password of the Security Gateway’s account in Active Directory
- Identifying local accounts with password only authentication
- Preventing local accounts from connecting to VPN with password authentication
Detection of Exploitation:
While no specific method for detecting arbitrary file read exploits was found, successful login attempts to the web administration panel and SSH will be logged in several locations. The table below details these Indicators of Compromise (IOCs).
| Log File | Message | Description |
| /var/log/messages (Web) | May 30 08:30:25 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin | This line indicates a successful HTTP login to the web administration panel from the IP address 192.168.181.1 with the username “admin” on May 30th, 2024 at 8:30:25. |
| /var/log/auth (Web) | May 30 08:30:31 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin | Similar to the previous entry, this line signifies another successful login attempt to the web admin panel with the same details. |
| /var/log/audit/audit.log (Web) | type=USER_AUTH msg=audit(1717085193.706:656): pid=65484 uid=99 auid=4294967295 ses=4294967295 subj=kernel msg=’op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct=”admin” exe=”/usr/sbin/httpauth” hostname=192.168.181.1 addr=192.168.181.1 terminal=? res=success’ | This is a more detailed log from the audit log related to the web admin panel login. It shows successful authentication via PAM for the user “admin” with local authentication. |
| /var/log/messages (SSH) | May 30 08:34:24 2024 gw-6f7361 xpand[176227]: admin localhost t +volatile:clish:admin:66699 t | This line indicates a successful SSH login by the user “admin” from the local machine (“localhost”). |
| /var/log/secure (SSH) | May 30 08:30:31 2024 gw-6f7361 sshd[66690]: Accepted password for admin from 192.168.181.1 port 62487 ssh2 | This log entry from SSH shows a successful password login for the user “admin” from the IP address 192.168.181.1. |
References:
https://support.checkpoint.com/results/sk/sk182336