
The Global Impact of CVE-2024-24919 in Check Point VPN Gateways

Last Friday, we published our observations regarding the recent zero-day arbitrary file read vulnerability (CVE-2024-24919) affecting various Check Point VPN gateway products. 

In this follow-up, we investigate the potential impact in more depth, providing statistics on globally exposed and potentially vulnerable devices.

Executive Summary

  • As of June 3, 2024, Censys observed 13,754 internet-exposed Check Point VPN gateways running one of the software products associated with CVE-2024-24919.
  • Of the exposed Quantum Spark gateways among these, just under 2% are running Check Point’s patched version, while approximately 4.6% show signs of running a potentially vulnerable version. This is likely an underestimate, since most Quantum Spark gateways do not disclose their version. Note also that only devices with the IPSec VPN or Mobile Access software blades enabled are vulnerable; our perspective cannot account for this, because we cannot observe the internal configuration of these devices.

The Impact of CVE-2024-24919 

When assessing the impact of this vulnerability, defenders should take several factors into account:

Reasons for Concern:

  • This is a critical vulnerability that is being actively exploited in the wild
  • Exploitation requires no user interaction or privileges, making the vulnerability easy to exploit remotely

Mitigating Factors:

  • This only affects gateways with specific configurations (IPSec VPN or Mobile Access software blades enabled)
  • Successful exploitation does not necessarily mean full device compromise; other circumstances need to be in place, like the presence of exposed password files on your device’s local filesystem

While the vulnerability is undoubtedly severe, its impact is somewhat limited by the specific configurations required for exploitation. 

Let’s take a look at Censys’s updated perspective as of Monday, June 3, to better understand the potential scope of this vulnerability.

Censys’s Perspective

Map of Exposures of All Affected Censys-visible Hosts as of June 3, 2024

As of Monday, June 3rd, Censys observed 13,754 internet-exposed hosts running one of the three affected Check Point software products we can reliably fingerprint in our data:

Comparison of Exposures of Each Affected Software Product

This is a marginal decrease from the 13,800 exposed hosts observed on May 3, 2024. A sustained, more significant drop could indicate users deactivating VPN gateways or restricting public access. Note that not all of these instances are necessarily vulnerable, but the scope of this exposure is relatively high. The graph above highlights the extent of Quantum Spark Gateway’s exposure compared to the other software products.

As we reported last Friday, Japan has the highest concentration of exposed hosts by far at just under 6,000.

Country          Distinct Hosts
---------------  --------------
Japan                      6059
Italy                      1012
United States               917
Israel                      845
India                       716
Mexico                      556
Brazil                      393
Belgium                     295
Canada                      211
Germany                     191

When we examined the distribution of these exposures across autonomous systems, we found that the highest concentration of hosts is in the network of OCN NTT Communications Corporation. These hosts are likely part of OCN (Open Computer Network), a large ISP operated by NTT Communications Corporation in Japan.

Autonomous System                                 Distinct Hosts
------------------------------------------------  --------------
OCN NTT Communications Corporation                          2433
INFOSPHERE NTT PC Communications, Inc.                       857
ASAHI-NET Asahi Net                                          616
VECTANT ARTERIA Networks Corporation                         589
ASN-IBSNAZ                                                   489
FBDC FreeBit Co.,Ltd.                                        234
PARTNER-AS                                                   229
BIGLOBE BIGLOBE Inc.                                         198
SO-NET Sony Network Communications Inc.                      196
RELIANCEJIO-IN Reliance Jio Infocomm Limited                 186

Potentially Vulnerable Quantum Spark Gateways

In some cases, Censys was able to obtain versions for Check Point Quantum Spark Gateway instances. 

Of the 12,123 Quantum Spark Gateways observed:

  • 554 (or ~4.6%) of them were identified to be running a potentially vulnerable version. Note that these instances are only affected if they’re also configured with IPSec VPN or Mobile Access enabled, which these statistics do not account for.
  • 227, or ~1.9%, were detected as running the patched version R81.10.10.

The overwhelming majority of instances had missing or insufficient data to accurately determine the version they appear to be running.

Vulnerability Status     Distinct Hosts
-----------------------  --------------
NULL VERSION                      10722
UNKNOWN PATCH NUM                   620
POTENTIALLY VULNERABLE              554
PATCHED                             227

Of the 554 potentially vulnerable instances, over a quarter are geolocated in Japan. The most common vulnerable version we detected running globally was R80.20.50, with 157 hosts.

Version      Distinct Hosts
-----------  --------------
R80.20.50               157
R80.20.40               141
R81.10.00               120
R80.20.35                66
R81.10.05                58
R80.20.30                11
R80.20.20                 1
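The four status buckets above (NULL VERSION, UNKNOWN PATCH NUM, POTENTIALLY VULNERABLE, PATCHED) are easy to reproduce over your own asset inventory. The script below is an added example written for this post; it is not Censys tooling. It classifies Quantum Spark version strings using only the builds named on this page: R81.10.10 as the patched build, and the seven builds in the version table as potentially vulnerable. Any other parseable build lands in UNKNOWN PATCH NUM rather than being guessed at. The inventory records, the IP addresses (from the RFC 5737 documentation range) and the record field names are constructed for the example.

```python
import re
from collections import Counter

# Status labels, matching the buckets in the vulnerability-status table above.
NULL_VERSION = "NULL VERSION"
UNKNOWN_PATCH = "UNKNOWN PATCH NUM"
POTENTIALLY_VULNERABLE = "POTENTIALLY VULNERABLE"
PATCHED = "PATCHED"

# Quantum Spark builds this post reports as potentially vulnerable.
KNOWN_VULNERABLE = {
    "R80.20.50", "R80.20.40", "R81.10.00", "R80.20.35",
    "R81.10.05", "R80.20.30", "R80.20.20",
}
# The only patched Quantum Spark build named in the post. Other fixed builds
# exist (R80.20.x and R77.20.x lines) but are not listed here, so they are
# deliberately reported as UNKNOWN PATCH NUM instead of being assumed safe.
KNOWN_PATCHED = {"R81.10.10"}

# Check Point version strings look like R<major>.<minor>.<build>.
VERSION_RE = re.compile(r"^R(\d+)\.(\d+)\.(\d+)$")


def normalize_version(raw):
    """Return a canonical 'Rmaj.min.bb' string, or None if no build number is present."""
    m = VERSION_RE.match(raw.strip())
    if not m:
        return None
    major, minor, build = (int(x) for x in m.groups())
    return f"R{major}.{minor}.{build:02d}"


def classify(raw_version):
    """Map one fingerprinted version string to a status bucket."""
    if raw_version is None or not raw_version.strip():
        return NULL_VERSION               # device disclosed no version at all
    version = normalize_version(raw_version)
    if version is None:
        return UNKNOWN_PATCH              # branch visible, build number missing
    if version in KNOWN_PATCHED:
        return PATCHED
    if version in KNOWN_VULNERABLE:
        return POTENTIALLY_VULNERABLE
    return UNKNOWN_PATCH                  # parseable, but not a build the post names


def summarize(inventory, product="Quantum Spark"):
    """Count status buckets for one product and list hosts needing a blade check.

    A POTENTIALLY VULNERABLE host is only affected if the IPSec VPN or Mobile
    Access blade is enabled, which an external scan cannot see, so those hosts
    are returned for manual review rather than declared compromised.
    """
    counts = Counter()
    review = []
    for host in inventory:
        if host["product"] != product:
            continue
        status = classify(host.get("version"))
        counts[status] += 1
        if status == POTENTIALLY_VULNERABLE:
            review.append(host["ip"])
    return dict(counts), review


# Constructed sample inventory (hypothetical field names, documentation IPs).
SAMPLE_INVENTORY = [
    {"ip": "192.0.2.10", "product": "Quantum Spark", "version": "R80.20.50", "country": "JP"},
    {"ip": "192.0.2.11", "product": "Quantum Spark", "version": "R81.10.10", "country": "IN"},
    {"ip": "192.0.2.12", "product": "Quantum Spark", "version": None, "country": "JP"},
    {"ip": "192.0.2.13", "product": "Quantum Spark", "version": "R81.10", "country": "IT"},
    {"ip": "192.0.2.14", "product": "Quantum Spark", "version": "R81.10.5", "country": "US"},
    {"ip": "192.0.2.15", "product": "Quantum Security Gateway", "version": "R81.20", "country": "US"},
]

if __name__ == "__main__":
    counts, review = summarize(SAMPLE_INVENTORY)
    for status, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{status:<24}{n:>6}")
    print("Hosts to check for IPSec VPN / Mobile Access blades:", ", ".join(review))
```

Feeding the script real export data only requires mapping your inventory columns onto the `ip`, `product` and `version` fields. Keep the two version sets table-driven and extend them from the vendor advisory, not from guesses about build numbering, so that a host is never silently promoted to PATCHED.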

Around 75% of the 227 patched instances are in India, primarily on the Reliance Jio telecom network, with the rest in various telecom operators, ISPs, and broadband providers.

What can be done?

Check Point has released the following security updates to address this vulnerability:

  • Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x

Censys ASM customers can use the following query to check for vulnerable Quantum Spark Gateways in their environment:

risks.name="Vulnerable Check Point Quantum Spark Gateway [CVE-2024-24919]"

Censys ASM customers can leverage the below queries to identify all Censys-visible public-facing instances of these three products:

  1. CloudGuard Network (exposures)
  2. Quantum Security Gateways (exposures)
  3. Quantum Spark Appliances (exposures and potentially vulnerable versions)


About the Author

The Censys Research Team