On May 28, 2024, Check Point released an advisory for CVE-2024-24919, a high priority bug which according to NIST NVD is categorized as “Exposure of Sensitive Information to an Unauthorized Actor”. The NVD has yet to assess a CVSS score for CVE-2024-24919 as of this writing. This vulnerability affects Check Point Security Gateway devices connected to the internet and configured with either the IPSec VPN or Mobile Access software blade. When exploited, this vulnerability provides the attacker the ability to enumerate and extract password hashes for local accounts, including Active Directory service accounts, which can lead to lateral movement and complete compromise of targeted networks under the right conditions.
Check Point stated on May 31, 2024, that exploitation attempts have been ongoing since April 7, 2024. They have also observed attackers extracting the ntds.dit file from the Active Directory servers belonging to compromised organizations. The ntds.dit file is a database file that stores Active Directory data including users, groups, security descriptors and password hashes.
Vulnerable Systems and Circumstances:
According to the vendor advisory, the following products are vulnerable to CVE-2024-24919:
- CloudGuard Network
- Quantum Maestro
- Quantum Scalable Chassis
- Quantum Security Gateways
- Quantum Spark Appliances
Check Point has advised that a Security Gateway is vulnerable if one of the following configurations is applied:
- If the IPSec VPN blade has been enabled and the Security Gateway device is part of the Remote Access VPN community.
- If the Mobile Access blade has been enabled.
There are manufacturer-provided hotfixes available as outlined in the vendor advisory. Check Point advises that these hotfixes be applied immediately, and that environments be evaluated to ensure that other circumstances regarding network security practices do not add to the vulnerability of systems. For example, systems that rely on password-only authentication should switch to certificate-based authentication where possible.
Important extra measures to take:
- Change the password of the LDAP Account Unit
- Reset password of local accounts connecting to Remote Access VPN with password-only authentication
- Prevent Local Accounts from connecting to VPN with Password-Only Authentication
- Renew the server certificates for the Inbound HTTPS Inspection on the Security Gateway
- Renew the certificate for the Outbound HTTPS Inspection on the Security Gateway
- Reset Gaia OS passwords for all local users
- Regenerate the SSH local user certificate on the Security Gateway in the following case:
- Renew the certificate for the SSH Inspection
Centripetal’s CleanINTERNET® can assist in detecting unauthorized connection attempts and successful logins provided the Check Point products are seated behind a RuleGate device. This, along with actions recommended by the vendor, can avoid a full compromise of network infrastructure due to CVE-2024-24919.
If you are unsure if your devices are vulnerable, you can run the following command directed at your Check Point Firewall IP to find out:
curl -d "aCSHELL/../../../../../../../etc/passwd" -k -X POST https://<YOUR CHECKPOINT FIREWALL IP HERE>/clients/MyCRL
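The check above sends a directory-traversal payload in a POST body to the /clients/MyCRL handler. As an added example (not Centripetal's or Check Point's code), the following Python rule flags request records carrying that pattern, including percent-encoded and double-encoded variants, so a defender can hunt for exploitation attempts in their own telemetry. It assumes the log source records the request body (for instance a reverse proxy or WAF in front of the gateway); the sample records are constructed.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample request records (method, path, body); not real captures.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("POST", "/clients/MyCRL", "aCSHELL/../../../../../../../etc/passwd"),
    ("POST", "/clients/MyCRL", "aCSHELL%2f..%2f..%2f..%2f..%2fetc%2fshadow"),
    ("POST", "/clients/MyCRL", "aCSHELL/sub/../cert.crl"),
    ("GET", "/clients/MyCRL/crl.pem", ""),
    ("POST", "/login", "user=alice&pass=REDACTED"),
]

CRL_ENDPOINT = "/clients/MyCRL"  # endpoint named in the curl check above


def fully_decode(value: str) -> str:
    """Percent-decode until stable so double-encoded traversal is not missed."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value


def escapes_base(relative: str) -> bool:
    """True when a relative path, once normalised, climbs above its base directory."""
    norm = posixpath.normpath(fully_decode(relative).replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def classify(method: str, path: str, body: str) -> Optional[str]:
    """Return a finding label for one request, or None if it looks benign."""
    if posixpath.normpath(fully_decode(path)) != CRL_ENDPOINT:
        return None  # only the MyCRL handler is in scope for this rule
    if method.upper() == "POST" and escapes_base(body):
        return "CVE-2024-24919: path traversal in POST body to " + CRL_ENDPOINT
    return None


def scan(requests: List[Tuple[str, str, str]]) -> List[Tuple[int, str]]:
    """Index and label every request that the rule flags."""
    findings = []
    for index, (method, path, body) in enumerate(requests):
        label = classify(method, path, body)
        if label:
            findings.append((index, label))
    return findings


if __name__ == "__main__":
    for index, label in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {label}")
```

A body such as aCSHELL/sub/../cert.crl normalises to a path inside its base directory and is not flagged, which keeps the rule from firing on ordinary CRL lookups.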
If you are currently running one of the affected products, please contact support@centripetal.ai.
Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.
Resources:
- https://nvd.nist.gov/vuln/detail/CVE-2024-24919
- https://medium.com/@verylazytech/cve-2024-24919-poc-bfd6508829bc
- https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/
- https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/#/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24919
- https://www.helpnetsecurity.com/2024/05/31/cve-2024-24919/
- https://censys.com/cve-2024-24919/