CVE-2024-24919: Check Point Security Gateways Zero-Day Vulnerability

HawkEye XDR and MDR

Check Point revealed an arbitrary file read vulnerability impacting Check Point Security Gateways on May 28th, 2024. With a CVSS score of 8.6 (High), CVE-2024-24919 gives attackers root capabilities over susceptible goods, enabling them to view sensitive files. A vulnerability known as CVE-2024-24919 allows adversaries to execute code remotely without authorization if the certificate authentication is not enabled. 

Since April 30, exploits for CVE-2024-24919 have been reported. The main method used by attackers to enable lateral network movement is the stealing of Active Directory credentials.

These events mostly took advantage of situations in which outdated local accounts used password-only authentication, which is not advised because of its vulnerability to these kinds of attacks.

CVE-2024-24919

An arbitrary file read vulnerability (CWE-200) CVE-2024-24919 gives attackers path traversal access to and reading capability over confidential files. An arbitrary file read vulnerability by itself would rate quite severe. But the severity is increased by CVE-2024-24919, which gives attackers access to files with root privileges. Adversaries are able to access important files like “passwd” and “shadow” and obtain user credentials. An attacker can execute code remotely by using the credentials they have obtained, provided that multi-factor authentication is enabled.

 

POST /clients/MyCRL

Host: <vulnerable_CheckPoint_Security_Gateway>

Content-Length: 39 

aCSHELL/../../../../../../etc/passwd

 

This PoC exploit demonstrates how attackers could abuse a directory traversal flaw through an HTTP POST request and access sensitive files like /etc/passwd.

The ‘ntds.dit’ file from Active Directory servers may be accessed, and password hashes for local accounts can be extracted, according to the exploitation techniques for CVE-2024-24919. Logs of successful administrative panel or SSH logins are recorded in system logs such /var/log/messages, /var/log/audit/audit.log, and /var/log/auth, which may point to an exploit.

Affected Products

 

Product Affected Version
Quantum Security Gateway and CloudGuard Network Security Versions 
  • R81.20 
  • R81.10 
  • R81 
  • R80.40 
Quantum Maestro and Quantum Scalable Chassis 
  • R81.20 
  • R81.10 
  • R80.40 
  • R80.30SP 
  • R80.20SP 
Quantum Spark Gateways Version 
  • R81.10.x 
  • R80.20.x 
  • R77.20.x 

Active Exploitation

Several threat actors have been seen actively taking use of this vulnerability in the real world. May 30, 2024, saw the public release of a PoC.

According to Check Point, there have been efforts at exploitation dating back to April 7, 2024. The activity is mostly concentrated on “remote access scenarios with old local accounts with password-only authentication, which is not recommended.”

According to security company Mnemonic, from April 30, 2024, there have been attempts within client environments to obtain Active Directory credentials.

Recommendations

It is highly advised that you apply the relevant hotfix for your Quantum Gateway. To prevent any operational impact, kindly adhere to your organization’s patching and testing policies.
Product Hotfix
Quantum Security Gateway and CloudGuard Network Security Versions
  • R81.20 Jumbo Hotfix Accumulator Take 54
  • R81.20 Jumbo Hotfix Accumulator Take 41
  • R81.20 Jumbo Hotfix Accumulator Take 53
  • R81.20 Jumbo Hotfix Accumulator Take 26
  • R81.10 Jumbo Hotfix Accumulator Take 141
  • R81.10 Jumbo Hotfix Accumulator Take 139
  • R81.10 Jumbo Hotfix Accumulator Take 130
  • R81.10 Jumbo Hotfix Accumulator Take 110
  • R81 Jumbo Hotfix Accumulator Take 92
  • R80.40 Jumbo Hotfix Accumulator Take 211
  • R80.40 Jumbo Hotfix Accumulator Take 206
  • R80.40 Jumbo Hotfix Accumulator Take 198
  • R80.40 Jumbo Hotfix Accumulator Take 197
Quantum Maestro and Quantum Scalable Chassis
  • R80.30SP Jumbo Hotfix Accumulator Take 97
  • R80.20SP Jumbo Hotfix Accumulator Take 336
Quantum Spark Gateways Version
  • R81.10.10 Quantum Spark Appliances
  • R81.10.08 Quantum Spark Appliances
  • R80.20.60 Quantum Spark Appliances
  • R77.20.87 Quantum Spark Appliances
  • R77.20.81 Quantum Spark Appliances
Check Point advises hardening Gateways with extra security measures. This covers things like:
  • Changing the password of the Security Gateway’s account in Active Directory
  • Identifying local accounts with password only authentication
  • Preventing local accounts from connecting to VPN with password authentication

Detection of Exploitation

Several threat actors have been seen actively taking use of this vulnerability in the real world. May 30, 2024, saw the public release of a PoC. According to Check Point, there have been efforts at exploitation dating back to April 7, 2024. The activity is mostly concentrated on “remote access scenarios with old local accounts with password-only authentication, which is not recommended.” According to security company Mnemonic, from April 30, 2024, there have been attempts within client environments to obtain Active Directory credentials. While no specific method for detecting arbitrary file read exploits was found, successful login attempts to the web administration panel and SSH will be logged in several locations. The table below details these Indicators of Compromise (IOCs).
Log File Message Description
/var/log/messages (Web) May 30 08:30:25 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin This line indicates a successful HTTP login to the web administration panel from the IP address 192.168.181.1 with the username “admin” on May 30th, 2024 at 8:30:25.
/var/log/auth (Web) May 30 08:30:31 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin Similar to the previous entry, this line signifies another successful login attempt to the web admin panel with the same details.
/var/log/audit/audit.log (Web) type=USER_AUTH msg=audit(1717085193.706:656): pid=65484 uid=99 auid=4294967295 ses=4294967295 subj=kernel msg=’op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct=”admin” exe=”/usr/sbin/httpauth” hostname=192.168.181.1 addr=192.168.181.1 terminal=? res=success’ This is a more detailed log from the audit log related to the web admin panel login. It shows successful authentication via PAM for the user “admin” with local authentication.
/var/log/messages (SSH) May 30 08:34:24 2024 gw-6f7361 xpand[176227]: admin localhost t +volatile:clish:admin:66699 t This line indicates a successful SSH login by the user “admin” from the local machine (“localhost”).
/var/log/secure (SSH) May 30 08:30:31 2024 gw-6f7361 sshd[66690]: Accepted password for admin from 192.168.181.1 port 62487 ssh2 This log entry from SSH shows a successful password login for the user “admin” from the IP address 192.168.181.1.

References

https://support.checkpoint.com/results/sk/sk182336

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai

© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.
This is a staging environment