Executive Summary:
- CVE-2024-24919 is a zero-day arbitrary file read in Check Point Security Gateways with the IPSec VPN or Mobile Access blades enabled, and it is currently being actively exploited in the wild.
- An unauthenticated remote attacker could leverage this bug to read sensitive data like password hashes, potentially enabling lateral movement and complete network compromise under the right circumstances.
- The vulnerability should be immediately remediated by applying Check Point’s released hotfixes and resetting local account credentials.
- As of May 31, 2024, Censys observed over 13,800 internet-facing devices globally exposing the affected software products. Not all of these are necessarily vulnerable.
- This exploit is concerning because it doesn’t require any user interaction or privileges, and Check Point is a widely used VPN and network appliance vendor. Perimeter network devices like VPNs are prime targets, as shown by the recent state-sponsored ArcaneDoor campaign, since they are internet-facing and can provide internal network access if compromised.
On May 28, 2024, Check Point disclosed an arbitrary file read vulnerability tracked as CVE-2024-24919 in several of their Security Gateway products. It’s currently awaiting analysis and a CVSS score from NVD.
While Check Point’s security advisory describes this as an “information disclosure vulnerability”, researchers at watchTowr discovered that it’s actually an arbitrary file read vulnerability, allowing a remote unauthorized attacker to read any file on the system. According to watchTowr, the bug “wasn’t too difficult to find, and was extremely easy to exploit once we’d located it.”
Affected assets
The vulnerability affects the following Check Point products that have the Remote Access VPN or Mobile Access Software Blades enabled:
- CloudGuard Network
- Quantum Maestro
- Quantum Scalable Chassis
- Quantum Security Gateways
- Quantum Spark Appliances
Impacted versions include R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.
Impact
This vulnerability could allow an unauthenticated remote attacker to read local files from the affected Security Gateway, including any exposed sensitive files such as password data, SSH keys, or other credentials. Under the right circumstances, this could lead to credential theft, lateral movement within the network, and potential complete system compromise. It has already been observed being exploited in the wild to extract Active Directory Credentials.
Exploitation Status
Active exploitation of this vulnerability has been observed in the wild by multiple threat actors. A PoC was publicly released on May 30, 2024.
Check Point reported exploitation attempts going back to April 7, 2024, with the behavior focusing on “remote access scenarios with old local accounts with unrecommended password-only authentication.”
Security firm Mnemonic reported that it observed attacks within customer environments to steal Active Directory credentials dating back to April 30, 2024:
“We have observed threat actors extracting ntds.dit from compromised customers within 2-3 hours after logging in with a local user…CVE-2024-24919 was in that case used to extract user information which the threat actor then used to move laterally in the network.”
See the FAQ in Check Point’s advisory (under “What are the suspect IP addresses used by threat actors to exploit the vulnerability?”) for a list of potential threat actor IPs.
Patch availability
Check Point has released the following security updates to address this vulnerability:
- Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
- Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
- Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x
It is strongly recommended to check for the affected products in your networks and apply the appropriate updates based on the steps outlined in the vendor advisory. Note that only gateways with the Remote Access VPN or Mobile Access Software Blades enabled are affected by this vulnerability, according to Check Point.
Detection with Censys
Of the affected products, Censys was able to confidently fingerprint the following: CloudGuard Network, Quantum Security Gateways, and Quantum Spark Appliances.
Censys ASM customers can use the following query to check for vulnerable Quantum Spark Gateways in their environment: risks.name=”Vulnerable Check Point Quantum Spark Gateway [CVE-2024-24919]”
Censys ASM customers can leverage the below queries to identify all Censys-visible public-facing instances of these three products:
- CloudGuard Network (exposures)
- Quantum Security Gateways (exposures)
- Quantum Spark Appliances (exposures and potentially vulnerable versions)
Censys’s Perspective:
As of May 31, 2024, Censys observed 13,802 internet hosts exposing either a CloudGuard instance, Quantum Security, or Quantum Spark gateway. This included:
- 141 (1.02%) CloudGuard Network Security instances
- 1,063 (7.70%) Quantum Security gateways
- 12,598 (91.28%) Quantum Spark gateways
Exposed Quantum Spark Gateway
The greatest concentration of these hosts is in Japan, with 6,202 hosts running one of these products, followed by 1,004 hosts in Italy. Given that the network with the highest concentration of hosts in Japan is OCN NTT Communications Corporation, these may belong to the OCN (Open Computer Network) services operated by NTT Communications Corporation in Japan.
Quantum Spark Gateway and Quantum Security Gateway are similar products aimed at different audiences. Spark is designed for small to medium businesses, focusing on ease of use, while Security is engineered for midsize to large enterprises and data centers, offering more advanced features. It’s interesting that there is a disproportionate exposure of Spark Gateways compared to the other products – this could indicate that most of the affected organizations may be smaller commercial organizations.
This is a rapidly evolving situation. We’ll provide further analyses in the upcoming week as we gather more information.
References: