Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2024-24919: Check Point Security Gateway Information Disclosure Zero-Day Exploited in the Wild

Tenable Research Blog Header Zero-Day Vulnerability Exploited

Amid warnings of threat actors targeting VPN devices, Check Point has identified a zero-day information disclosure vulnerability impacting Check Point Network Security gateways which has been exploited by malicious actors.

Update May 30: The Proof of concept section has been updated to reflect the availability of public proof-of-concept details.

View Change Log

Background

On May 27, Check Point released a blog post with recommendations on security best practices. According to the original post, Check Point has been monitoring exploitation attempts in the wake of several attacks involving compromised VPN solutions from multiple vendors. During this monitoring, Check Point noticed “a small number of login attempts” that were utilizing local accounts with password-only authentication enabled. Check Point began actively engaging with customers that may have been impacted and released their blog with recommendations on improving VPN security.

On May 28, Check Point updated their blog post with a CVE (CVE-2024-24919) and explanation that the recently observed exploitation attempts were attributed to a previously unknown vulnerability and that immediate action is required to protect from this vulnerability.

Analysis

CVE-2024-24919 is an information disclosure vulnerability that can allow an attacker to access certain information on internet-connected Gateways which have been configured with IPSec VPN, remote access VPN or mobile access software blade. According to the advisory, Check Point has observed in-the-wild exploitation of this vulnerability and so far this exploit activity has been focused on devices configured with local accounts using password-only authentication.

Password-only authentication is not recommended as brute-force attacks could allow attackers to compromise accounts with weak passwords. According to Check Point, these local accounts should not be used when possible and protected by additional layers of authentication if they are in use. A hotfix has been made available to address this vulnerability. 

According to Check Point, CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark Appliances are impacted.

Proof of concept

On May 30, a public proof-of-concept (PoC) was published by security researchers.

Solution

As part of their May 28 update, Check Point released Solution ID sk182336 with information on how to apply the hotfix and what device versions are impacted. In addition, the article provides additional security recommendations and best practices including steps on verifying that the hotfix has been properly applied. The following tables reflect the hotfixes currently available:

Quantum Security Gateway R80.40, R81, R81.10 and R81.20

Hotfix VersionDownload Link
R81.20 Jumbo Hotfix Accumulator Take 54https://support.checkpoint.com/results/download/133032
R81.20 Jumbo Hotfix Accumulator Take 41https://support.checkpoint.com/results/download/133035
R81.20 Jumbo Hotfix Accumulator Take 53https://support.checkpoint.com/results/download/132956
R81.20 Jumbo Hotfix Accumulator Take 26https://support.checkpoint.com/results/download/133038
R81.10 Jumbo Hotfix Accumulator Take 141https://support.checkpoint.com/results/download/133041
R81.10 Jumbo Hotfix Accumulator Take 139https://support.checkpoint.com/results/download/132959
R81.10 Jumbo Hotfix Accumulator Take 130https://support.checkpoint.com/results/download/133044
R81.10 Jumbo Hotfix Accumulator Take 110https://support.checkpoint.com/results/download/133047
R81 Jumbo Hotfix Accumulator Take 92https://support.checkpoint.com/results/download/132962
R80.40 Jumbo Hotfix Accumulator Take 211https://support.checkpoint.com/results/download/132964
R80.40 Jumbo Hotfix Accumulator Take 206https://support.checkpoint.com/results/download/133049
R80.40 Jumbo Hotfix Accumulator Take 198https://support.checkpoint.com/results/download/133051
R80.40 Jumbo Hotfix Accumulator Take 197https://support.checkpoint.com/results/download/133053

Quantum Maestro and Quantum Scalable Chassis R80.20SP and R80.30SP

Hotfix VersionDownload Link
R80.30SP Jumbo Hotfix Accumulator Take 97https://support.checkpoint.com/results/download/132974
R80.20SP Jumbo Hotfix Accumulator Take 336https://support.checkpoint.com/results/download/132972

Quantum Spark Appliances R77.20.81, R77.20.87, R80.20.60, R81.10.08 and R81.10.10

Hotfix VersionDownload Link
R81.10.10 Quantum Spark AppliancesRefer to Solution ID sk181080
R81.10.08 Quantum Spark AppliancesRefer to Solution ID sk181079
R80.20.60 Quantum Spark AppliancesRefer to Solution ID sk179922
R77.20.87 Quantum Spark AppliancesRefer to Solution ID sk151574
R77.20.81 Quantum Spark AppliancesRefer to Solution ID sk137212

We recommend reviewing the advisory for updates on the hotfixes and recommended actions as the guidance may be frequently updated by Check Point.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-24919 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

Change Log

Update May 30: The Proof of concept section has been updated to reflect the availability of public proof-of-concept details.

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.