Executive summary:
Check Point keeps updating their advisory regarding CVE-2024-24919, recommending now that passwords (LDAP Account Unit, local users including Gaia OS, etc.) and SSL certificates used for HTTPS inspection or even SSH keys be reset if the instance was vulnerable. Furthermore, they did increase the CVSS base score to 8.6, with a change affecting the "Scope" of the vulnerability.
They also mentioned that specific configurations where CCCD is running (a plugin introduced after version R81.10) are still vulnerable even after applying the hotfix. Fortunately, this setting is disabled by default, so many instances probably aren't configured with it. For those that are though, the only solution is to urgently disable it, and investigate this instance for signs of compromise attempts.
On the opposite, another feature called AutoUpdate will help prevent exploitation (but doesn't apply the hotfix). Security Gateways that were configured to run this process are gradually receiving an update, but only after June 2, 2024, which is most probably already too late.
As we mentioned in your previous update from a private source, the 0-day was already leveraged almost 2 months before the public release of the advisory. You should thus hunt for suspicious behavior before April 30, but at least back to April 7, as now confirmed by Check Point.
What it means:
CISA added this 0-day to its Known Exploited Vulnerabilities catalog, giving up to June 20 to federal agencies to patch. We are surprised of this deadline, considering actual reconnaissance and exploitation attempts are happening by multiple different threat actors since a few days already.
Those exposing a vulnerable instance that have not taken any steps yet should assume to be compromised by now.
As already said, the exploitation is trivial, as a simple one-line curl request such as:
"curl -k -v --path-as-is -X POST -d 'aCSHELL/../../../../../../../etc/passwd' https: // $IP/clients/MyCRL"
can retrieve the sensitive files stored in /etc/passwd. But other private information such as SSH keys can be at risks as well, in etc/ssh/ folder, or /etc/shadow. Multiple variants of this exploit code are circulating online, including for Nuclei scanner here.
Qualys published an unauthenticated check numbered QID=731568, trying to the see if the above issue can be triggered:
"This QID checks for vulnerable Check Point targets by sending a crafted payload that tries to read the '/etc/passwd' and '/etc/shadow' file."
The initial statistics shared by LeakX, that estimated that 2,000+ instances to be vulnerable (out of the 40,000+ ones currently exposing Check Point products online) were wrong, and updated here. 8,500 vulnerable instances were found. Other passive scanners such as Censys came with a different figure over the weekend, with 14,000 instances identified (but possibly including the vulnerable and fixed ones).
The threat level remains nevertheless at 4 out of 5 for now.
What you should do:
If a confirmed compromised is suspected, Check Point recommends that the instance be rebuilt from scratch.
If you're not able to apply the IPS signature provided by Check Point, you may rely on one EmergingThreats' rule available for your IDS solutions:
2053031 - ET WEB_SPECIFIC_APPS Checkpoint Quantum Security Gateway Arbitrary File Read Attempt (CVE-2024-24919) (web_specific_apps.rules)
If you hunt for suspicious behaviors in your logs, Rapid7 has provided advices in patterns to look for in a blog post here.
Critical Check Point 0-day worse than initially thought, exploited since April
Following the release of Check Point's advisory on the CVE-2024-24919 0-day vulnerability, some security companies released further intelligence about this flaw. First, Mnemonic stated that they detected exploitation attempts against their customers' environments as early as April 30 (compared to May 24 initially mentioned by Check Point).
Vulnerability researchers confirm that the vulnerability is critical as it is easy to exploit remotely since it doesn't require user interaction or any privileges on attacked Check Point security gateways with Remote Access VPN and Mobile Access enabled.
Exploiting CVE-2024-24919 allegedly enables threat actors to enumerate and extract password hashes for all local accounts, and in particular the account used to connect to Active Directory. Mnemonic saw threat actors extracting "ntds.dit", a database that stores Active Directory data on users, groups, security descriptors, and password hashes, from compromised customers within 2-3 hours. It is also believed that the attackers exploited the flaw to collect information allowing them to move laterally within the victim's network and misuse Visual Studio Code to tunnel malicious traffic. WatchTowr published a technical analysis of the vulnerability indicating that the vendor was downplaying the severity of CVE-2024-24919. Indeed, they compared a vulnerable and patched system to identify the flaw and managed to do so in less than two days. They discovered that it was in fact a path traversal leading to an arbitrary file read, which could allow a threat actor to access specific information on compromised gateways, potentially enabling them to retrieve password hashes and other sensitive data.
As a consequence of these findings, we have decided to raise the threat level of this advisory to 4 out of 5. Indeed, the attack surface is huge, with dozens of thousands of instances of Check Point currently exposed on the Internet, with a yet unknown number still vulnerable.
However, the recommendation remains the same, and organizations running the affected instance should:
If you suspect your instance to be compromised, you may reach out to our CSIRT teams, on top of warning Check Point's support, that will guide you in what to look for in your investigations.
For Orange Cyberdefense customers, our teams are currently assessing if this vulnerability is impacting your IT infrastructure, and will advise if any further actions are required.
Executive summary
On May 27, Check Point announced a vulnerability tracked as CVE-2024 with a CVSS 3.1 score of 7.5, within its Check Point Security Gateways that have Remote Access VPN or Mobile Access features enabled and affecting versions R80 and R81. This vulnerability allows an attacker to read certain information on gateways.
Check Point announced that it detected an exploitation of this vulnerability in the wild, it is thus strongly recommended to apply the patch provided by the vendor.
What you will hear
Check Point VPN vulnerability is exploited in the wild.
What it means
Remote Access is integrated into all Check Point network firewalls. It can be configured as a client-to-site VPN for access to corporate networks via VPN clients or set up as an SSL VPN Portal for web-based access. Product affected by this flaw include: CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark Appliances on versions R80 and R81.
On May 24, Check Point discovered malicious login attempts on VPN clients with remote access on old local accounts with unrecommended password and where 2FA is not available. An incident response team has been created to determine the cause of this flaw.
Following the creation of this task force, Check Point released a security advisory for this vulnerability, now tracked as CVE-2024-24919, on May 27. This vulnerability resides in all internet-connected gateway clients with Remote Access VPN or mobile access enabled.
Attacks against VPNs are common and should be taken seriously, as we saw in 2024 with the Ivanti Secure VPN crisis and the FortiOS SSL-VPN vulnerability.
We classify this advisory’s threat level as 3 out of 5.
What you should do
It is strongly recommended that you apply this patch given by Check Point to avoid any compromise on your endpoints. You can also run a script provided by Check Point to know if your environment includes local accounts with password authentication.
To minimize the risk of exploitation, we also recommend that you enable 2FA.