Amid warnings of threat actors targeting VPN devices, Check Point has identified a zero-day information disclosure vulnerability impacting Check Point Network Security gateways which has been exploited by malicious actors.
Update May 30: The Proof of concept section has been updated to reflect the availability of public proof-of-concept details.
Background
On May 27, Check Point released a blog post with recommendations on security best practices. According to the original post, Check Point has been monitoring exploitation attempts in the wake of several attacks involving compromised VPN solutions from multiple vendors. During this monitoring, Check Point noticed “a small number of login attempts” that were utilizing local accounts with password-only authentication enabled. Check Point began actively engaging with customers that may have been impacted and released their blog with recommendations on improving VPN security.
On May 28, Check Point updated their blog post with a CVE (CVE-2024-24919) and explanation that the recently observed exploitation attempts were attributed to a previously unknown vulnerability and that immediate action is required to protect from this vulnerability.
Analysis
CVE-2024-24919 is an information disclosure vulnerability that can allow an attacker to access certain information on internet-connected Gateways which have been configured with IPSec VPN, remote access VPN or mobile access software blade. According to the advisory, Check Point has observed in-the-wild exploitation of this vulnerability and so far this exploit activity has been focused on devices configured with local accounts using password-only authentication.
Password-only authentication is not recommended as brute-force attacks could allow attackers to compromise accounts with weak passwords. According to Check Point, these local accounts should not be used when possible and protected by additional layers of authentication if they are in use. A hotfix has been made available to address this vulnerability.
According to Check Point, CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark Appliances are impacted.
Proof of concept
On May 30, a public proof-of-concept (PoC) was published by security researchers.
Solution
As part of their May 28 update, Check Point released Solution ID sk182336 with information on how to apply the hotfix and what device versions are impacted. In addition, the article provides additional security recommendations and best practices including steps on verifying that the hotfix has been properly applied. The following tables reflect the hotfixes currently available:
Quantum Security Gateway R80.40, R81, R81.10 and R81.20
Quantum Maestro and Quantum Scalable Chassis R80.20SP and R80.30SP
Hotfix Version | Download Link |
---|---|
R80.30SP Jumbo Hotfix Accumulator Take 97 | https://support.checkpoint.com/results/download/132974 |
R80.20SP Jumbo Hotfix Accumulator Take 336 | https://support.checkpoint.com/results/download/132972 |
Quantum Spark Appliances R77.20.81, R77.20.87, R80.20.60, R81.10.08 and R81.10.10
Hotfix Version | Download Link |
---|---|
R81.10.10 Quantum Spark Appliances | Refer to Solution ID sk181080 |
R81.10.08 Quantum Spark Appliances | Refer to Solution ID sk181079 |
R80.20.60 Quantum Spark Appliances | Refer to Solution ID sk179922 |
R77.20.87 Quantum Spark Appliances | Refer to Solution ID sk151574 |
R77.20.81 Quantum Spark Appliances | Refer to Solution ID sk137212 |
We recommend reviewing the advisory for updates on the hotfixes and recommended actions as the guidance may be frequently updated by Check Point.
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-24919 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Get more information
- Check Point blog: Important Security Update – Stay Protected Against VPN Information Disclosure (CVE-2024-24919)
- Check Point Hotfix: Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure (Solution ID: sk182336)
- Check Point Support: How to install a Hotfix
Change Log
Update May 30: The Proof of concept section has been updated to reflect the availability of public proof-of-concept details.
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.