On May 28, 2024, Check Point published an advisory for CVE-2024-24919, a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade.

On May 29, 2024, security firm mnemonic published a blog reporting that they have observed in-the-wild exploitation of CVE-2024-24919 since April 30, 2024, with threat actors leveraging the vulnerability to enumerate and extract password hashes for all local accounts, including accounts used to connect to Active Directory. They’ve also observed adversaries moving laterally and extracting the “ntds.dit” file from compromised customers’ Active Directory servers, within hours of an initial attack against a vulnerable Check Point Gateway.

On May 30, 2024, watchTowr published technical details of CVE-2024-24919 including a PoC.

On May 31, 2024, Check Point updated their advisory to state that further analysis has revealed that the first exploitation attempts actually began on April 7, 2024, and not April 30 as previously thought.

The vulnerability allows an unauthenticated remote attacker to read the contents of an arbitrary file located on the affected appliance. For example, this allows an attacker to read the appliances /etc/shadow file, disclosing the password hashes for local accounts. The attacker is not limited to reading this file and may read other files that contain sensitive information. An attacker may be able to crack the password hashes for these local accounts, and if the Security Gateway allows password only authentication, the attacker may use the cracked passwords to authenticate.

Mitigation Guidance

According to the vendor advisory, the following products are vulnerable to CVE-2024-24919:

• CloudGuard Network
• Quantum Maestro
• Quantum Scalable Chassis
• Quantum Security Gateways
• Quantum Spark Appliances

Check Point has advised that a Security Gateway is vulnerable if one of the following configuration is applied:

• If the “IPSec VPN” blade has been enabled and the Security Gateway device is part of the “Remote Access” VPN community.
• If the “Mobile Access” blade has been enabled.

Check Point has released hotfixes for Quantum Security Gateway, Quantum Maestro, Quantum Scalable Chassis, and Quantum Spark Appliances. We advise customers to refer to the Check Point advisory for the most current information on affected versions and hotfixes.

Notably, the vendor advisory now calls out a non-default “CCCD” feature, stating “Customers who use CCCD must disable this functionality for the Hotfix to be effective.” All organizations should manually confirm that the CCCD feature is disabled on every patched Check Point device. Per the vendor advisory, the command vpn cccd status should be executed in “Expert Mode” on appliances to confirm that CCCD is disabled.

The vendor supplied hotfixes should be applied immediately. Rapid7 strongly recommends that Check Point Security Gateway customers examine their environments for signs of compromise and reset local account credentials in addition to applying vendor-provided fixes.

Check Point notes that exploit attempts their team has observed “focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” The company recommends that customers check for local account usage, disable any unused local accounts, and add certificate-based authentication rather than password-only authentication. More information and recommendations on user and client authentication for remote access is available here.

IOCs

No reliable method of identifying arbitrary file read exploitation was identified. However, successful web administration panel and SSH logins will be logged in /var/log/messages, /var/log/audit/audit.log, and /var/log/auth.

Contents of /var/log/audit/audit.log after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
type=USER_AUTH msg=audit(1717085193.706:656): pid=65484 uid=99 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="admin" exe="/usr/sbin/httpauth" hostname=192.168.181.1 addr=192.168.181.1 terminal=? res=success'

Contents of /var/log/messages after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:30:25 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin

Contents of /var/log/auth after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:30:31 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin

Contents of /var/log/messages after SSH login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: admin localhost t +volatile:clish:admin:66699 t
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: User admin logged in with ReadWrite permission

Contents of /var/log/secure after SSH login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:30:31 2024 gw-6f7361 sshd[66690]: Accepted password for admin from 192.168.181.1 port 62487 ssh2

Rapid7 Customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-24919 with an unauthenticated vulnerability check shipping in today’s (Thursday, May 30) content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this vulnerability:

• Suspicious Web Server Request - Successful Path Traversal Attack
• Suspicious Web Request - Possible Check Point VPN (CVE-2024-24919) Exploitation

Updates

May 30, 2024: Added IOC section. CVE-2024-24919 has been added to the U.S. Cybersecurity and Infrastructure Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list on May 30, 2024.

May 31, 2024: Added updated Check Point advisory that has revealed that the first exploitation attempts actually began on April 7, 2024, and not April 30 as previously thought.

June 3, 2024: Updated the Mitigation Section with new information from Check Point’s updated advisory on the CCCD feature that is disabled by default. It must be disabled for the Hotfix to be effective on some versions of the software.

Never Miss an Emerging Threat

Be the first to learn about the latest vulnerabilities and cybersecurity news.

Subscribe Now