On May 28th, 2024, Check Point published an advisory for CVE-2024-24919, a flaw in several of its products that, as later analysis showed, had already been actively exploited for nearly a month. The flaw allows unauthenticated information disclosure and therefore puts sensitive data at risk across a broad range of organizations, including federal agencies and large enterprises.
The vulnerability was added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog two days after its publication. NIST’s National Vulnerability Database (NVD) included it in its catalog the day of its publication.
The vulnerability: CVE-2024-24919
Although this zero-day received a CVSS v3 base score of only 8.6 (High), the score understates the practical risk: exploitation requires neither authentication nor user interaction, and the vulnerable component is the Internet-facing remote access interface. CVE-2024-24919 is an information disclosure vulnerability that lets a remote attacker read sensitive files on Check Point Security Gateways; in the attacks observed so far, the attackers have focused on extracting the password hashes of all local accounts.
The affected Check Point products are:
- CloudGuard Network
- Quantum Maestro
- Quantum Scalable Chassis
- Quantum Security Gateways
- Quantum Spark Appliances
Not all configurations of the affected products are vulnerable. A Security Gateway is exposed only if it has the IPSec VPN Software Blade with Remote Access enabled, or the Mobile Access Software Blade enabled.
The attacks
Check Point first observed exploitation attempts on May 24th, 2024, but later analysis showed that threat actors had been exploiting the flaw since April 30th, nearly a month before the advisory and the CVE assignment. At the time of writing, more than 51 attacking IP addresses had been identified, and the number continues to grow. The attacks targeted old VPN local accounts that rely solely on single-factor, password-only authentication. Although Check Point described the number of login attempts as "small", the population of potentially exposed users, which includes banks, federal agencies and large enterprises, is over a hundred thousand.
watchTowr, which reverse-engineered the hotfix, concluded that CVE-2024-24919 was easy to locate and, once found, trivial to exploit, and argued that Check Point was downplaying its severity. Check Point classified the bug as an information disclosure, but watchTowr's analysis shows a path traversal in the remote access web interface that yields an arbitrary file read as root: the traversal sequence is sent in the body of a POST request to /clients/MyCRL, and watchTowr's proof of concept used it to read /etc/shadow. Because an unauthenticated root-level file read exposes password hashes and other material from which a foothold can be built, many consider that it should be treated as no less serious than full unauthenticated remote code execution.
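The following is an added illustration of the bug class, not Check Point's code and not watchTowr's proof of concept: a generic file-serving handler that only checks an allowed prefix on a client-supplied path (so a traversal after an existing subdirectory escapes the served tree), beside a hardened version that canonicalises the path and requires it to stay under the served directory. The directory layout, file names and the `crl/` prefix are constructed for the demo.

```python
import os
import tempfile


def build_demo_tree():
    """Build a constructed directory layout (not a real gateway) and return the
    directory a file-serving handler is meant to stay inside:
      <root>/webroot/crl/ca.crl   - a legitimately served file
      <root>/secret/shadow        - a file outside the served tree
    """
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    webroot = os.path.join(root, "webroot")
    os.makedirs(os.path.join(webroot, "crl"))
    with open(os.path.join(webroot, "crl", "ca.crl"), "w") as f:
        f.write("BEGIN CRL (constructed sample)\n")
    os.makedirs(os.path.join(root, "secret"))
    with open(os.path.join(root, "secret", "shadow"), "w") as f:
        f.write("admin:$6$constructed$notarealhash:19700:0:99999:7:::\n")
    return webroot


def read_vulnerable(webroot, requested):
    """Vulnerable handler: checks only that the client-supplied path begins with
    an allowed prefix, then joins it onto webroot and opens the result.
    Because the kernel resolves '..' after an existing directory, a request like
    'crl/../../secret/shadow' passes the prefix check and escapes the tree."""
    if not requested.startswith("crl/"):
        raise PermissionError("path outside allowed prefix")
    with open(os.path.join(webroot, requested)) as f:
        return f.read()


def read_hardened(webroot, requested):
    """Hardened handler: canonicalise the joined path (realpath also follows
    symlinks) and require the result to remain under the canonical webroot.
    Absolute paths and embedded NULs are rejected before any filesystem access."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        raise PermissionError("malformed path")
    base = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes served directory")
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    webroot = build_demo_tree()
    payload = "crl/../../secret/shadow"   # same shape as the published traversal
    print("vulnerable:", read_vulnerable(webroot, payload).strip())
    try:
        read_hardened(webroot, payload)
    except PermissionError as e:
        print("hardened:", e)
```

The point of the hardened version is that the check runs on the resolved path, not on the string the client sent: prefix allowlists, blocklists of `../`, and single-pass decoding all operate on attacker-controlled text and are routinely bypassed. Running the handler as root, as the gateway does, is what turns a traversal into a read of every file on the appliance, so dropping privileges in the serving process is the second half of the fix.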
Current solutions
Together with the advisory, Check Point released hotfixes for the affected products and the following guidance for responding to the ongoing attacks:
- Update Security Gateways: Check Point strongly recommends installing the latest hotfix on all Check Point Network Security Gateways.
- Choose a safer authentication method: to reduce the exposure of local accounts, Check Point recommends moving from single-factor (password-only) authentication to multi-factor or certificate-based authentication.
- Retire vulnerable or unused accounts: disable or remove local accounts that are no longer needed, and allow only actively used accounts with hardened authentication to connect.
- Review logs: regularly review gateway logs for suspicious activity and failed authentication attempts, especially against local VPN accounts.
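As an added example of the log review step (not Skybox's or Check Point's tooling), the script below scans request records for the traversal pattern that characterises CVE-2024-24919 exploitation attempts: `../` sequences or references to sensitive files in requests to the remote access interface, including single- and double-percent-encoded variants. The record format (tab-separated source IP, method, path, body) and all the sample lines are constructed; the traversal bodies are shaped after the payload watchTowr published.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample records (not real gateway logs). Fields are tab-separated:
# source IP, HTTP method, request path, request body ('-' when empty or not logged).
SAMPLE_LOG = """\
203.0.113.10\tGET\t/clients/MyCRL\t-
203.0.113.10\tPOST\t/clients/MyCRL\taCSHELL/../../../../../../../etc/shadow
198.51.100.7\tPOST\t/clients/MyCRL\taCSHELL%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
198.51.100.7\tPOST\t/clients/MyCRL\taCSHELL%252F..%252F..%252Fetc%252Fshadow
192.0.2.44\tPOST\t/clients/MyCRL\t-
192.0.2.44\tGET\t/sslvpn/Login/Login\t-
"""

TRAVERSAL = re.compile(r"\.\./")   # after normalisation, '..\' has become '../'
SENSITIVE = ("/etc/shadow", "/etc/passwd", "/etc/fstab", "/.ssh/")


def normalize(value, rounds=3):
    """Percent-decode repeatedly (bounded, so a decoding bomb cannot loop forever)
    and map backslashes to slashes, so %2e%2e%2f and double-encoded forms match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify(method, path, body):
    """Return a reason string if the request looks like a traversal attempt, else None."""
    body = "" if body == "-" else body
    decoded_path, decoded_body = normalize(path), normalize(body)
    if TRAVERSAL.search(decoded_path) or TRAVERSAL.search(decoded_body):
        where = "path" if TRAVERSAL.search(decoded_path) else "body"
        return f"traversal sequence in {where} of {method} {path}"
    hit = next((s for s in SENSITIVE if s in decoded_path or s in decoded_body), None)
    if hit:
        return f"sensitive file reference {hit} in {method} {path}"
    return None


def scan(log_text):
    """Parse tab-separated records and return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        src, method, path, body = line.split("\t", 3)
        reason = classify(method, path, body)
        if reason:
            findings.append({"line": lineno, "src": src, "reason": reason})
    return findings


def per_source(findings):
    """Count findings per source IP; a source with several hits is worth blocking
    and pivoting on (VPN logins from it, local-account activity that followed)."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(per_source(hits))
```

Two caveats when applying this to real data. Many web-server access logs do not record POST bodies, and the published traversal travels in the body, so the useful sources are WAF or IPS logs, reverse-proxy logs with body capture, or packet captures; a plain access log only shows the POST to the CRL endpoint, which legitimate clients also issue. Second, a confirmed attempt means the local-account password hashes on the gateway must be assumed compromised, so the follow-up is to rotate those credentials and look for VPN logins with them from the same source addresses, not just to block the addresses.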
How can Skybox help?
Shortly after the advisory was published, the Skybox Research Lab added the vulnerability to our threat intelligence feed, and its status in the feed was updated once exploitation in the wild was confirmed.
With every new CVE, Skybox customers receive an updated, weighted risk score that reflects the vulnerability's current status and any subsequent changes. This scoring, combined with a range of other risk criteria, lets users quickly identify the assets and vulnerabilities that pose the greatest danger to their organization and decide on the most appropriate remediation.
In this instance, Skybox customers determine how important the affected Check Point Network Security Gateway products are within their own network. The security team then receives a risk score tailored to that importance and to additional criteria, such as the standard CVSS score for CVE-2024-24919, and uses it to decide how best to secure the organization.
Skybox also provides an analysis of possible exposure and practical mitigation options, including compensating controls that reduce exposure on the customer's network, such as altering firewall rules or deploying an IPS signature.