Check Point Security Gateways Information Disclosure Vulnerability Exploited in the Wild (CVE-2024-24919)

Check Point warned its customers of a vulnerability impacting its Network Security gateway products. The vulnerability, tracked as CVE-2024-24919, is being exploited in the wild. Successful exploitation of the vulnerability may allow an attacker to read specific information on Internet-connected Gateways with remote access VPN or mobile access enabled.

CISA acknowledged the active exploitation of CVE-2024-24919 by adding it to its Known Exploited Vulnerabilities Catalog and requesting users patch the flaw before June 20, 2024.

Checkpoint security gateway is an integrated software solution that connects corporate networks, branch offices, and business partners via a secure channel.

The vulnerability came into the limelight after the vendor warned of attacks targeting its VPN devices to infiltrate enterprise networks. In an FAQ, the vendor informed that the exploitation attempts observed so far focused on remote access to old local accounts with unrecommended password-only authentication against a small number of customers.

A quick search revealed around 45,000 targets on Fofa and around 20,000 targets on Shodan at the time of writing.

 

Image Source: Shodan 

Image Source: Fofa

Vulnerability Details

The vulnerability is a path traversal flaw in the /clients/MyCRL endpoint designed to serve static files from the filesystem. A user could pass the path traversal payload as an HTTP POST request to the vulnerable target to read any file on the vulnerable target.

The vulnerability arises due to a flaw in implementing the strstr function. When a URL is passed, the code compares the URL with a specific list of file/directory names before processing. An attacker could pass a valid directory name from this list, followed by the path traversal payload to make the vulnerable server serve any file on the filesystem.

Successful exploitation of the vulnerability could allow a remote, unauthenticated attacker to read sensitive files if connected to the Internet and enabled with a Remote Access VPN or Mobile Access.

The Qualys Threat Research Unit was able to reproduce and verify the vulnerability.

Image Source: Qualys Threat Research Unit (TRU)

Affected Versions

Security Gateways of all versions with the IPsec VPN, Remote Access, or Mobile Access software blades are affected by this vulnerability.

Mitigation

The vendor has released a Hotfix for the following Gateway versions:

  • Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x

For more information, please refer to the Check Point Security Advisory (sk182336).

Qualys Detection

Qualys customers can scan their devices with QID 731568 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://support.checkpoint.com/results/sk/sk182336
https://blog.checkpoint.com/security/enhance-your-vpn-security-posture
https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/

Leave a Reply

Your email address will not be published. Required fields are marked *