Check Point vulnerability far worse than thought – exploited in wild since April
106,000 customers publicly exposed, initial searches suggest.
Check Point security appliances have been exploited in the wild for at least 30 days. Attacks from over 51 IP addresses have already been listed and the count is rising, with a vulnerability allocated CVE-2024-24919 offering unauthenticated, remote attackers access to all resources in the gateway.
Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade are vulnerable.
Yes, it’s that bad – although you would be forgiven for not having realised that from Check Point’s 23-word bug description in a May 28 security advisory. The advisory said simply that “an information disclosure vulnerability exists in Check Point VPN. Successful exploitation of this vulnerability would allow a remote attacker to obtain sensitive information.”
On May 29, 2024, a blog by security firm mnemonic flagged observed exploitation of CVE-2024-24919 since April 30, 2024. The firm said attackers are using the vulnerability to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory, with attackers also seen extracting the “ntds.dit” file from victims’ AD servers within hours of an initial attack against a vulnerable Check Point Gateway.
A separate FAQ on CVE-2024-24919, which the advisory does not link to (unhelpful), but which Check Point updated today, paints a more detailed picture of how severe the vulnerability is – including the information that attacks have been taking place in the wild since at least April 30, that no authentication is required and no user interaction either for the exploit.
The security vendor has pushed hotfixes and is urging users among other steps to reset the LDAP password of the AD account on the Security Gateway: “Account data and hashes could be potentially exfiltrated.” (Yes, it appears an attacker can dump any file from the gateway's file system.)
Scans suggest that over 106,000 users could be publicly exposed including banks. A detailed and irreverent reverse-engineering of the hotfix by offensive security firm WatchTowr saw them conclude that the Check Point vulnerability, CVE-2024-24919, “wasn't too difficult to find, and was extremely easy to exploit once we’d located it.”
WatchTowr’s analysis suggests the bug is a path traversal leading to an arbitrary file read as superuser. The company added: "It seems dangerous for the bug to be treated as anything less than a full unauthenticated RCE."
A blog from Rapid7 meanwhile notes that "No reliable method of identifying arbitrary file read exploitation was identified. However, successful web administration panel and SSH logins will be logged in /var/log/messages, /var/log/audit/audit.log, and /var/log/auth."
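As an added illustration of the Rapid7 detection note above (example code written for this page, not Rapid7's, Check Point's or the original post's), the following Python scans exported log lines for successful logins and flags those on or after April 30, 2024 that come from outside a trusted admin network. It assumes the files contain standard OpenSSH syslog lines and Linux auditd USER_LOGIN records; the sample lines and the 198.51.100.23 / 10.0.0.5 addresses are constructed.

```python
import re
import ipaddress
from datetime import datetime, timezone

# Earliest in-the-wild exploitation date reported on the page.
EXPLOITATION_START = datetime(2024, 4, 30, tzinfo=timezone.utc)

# Assumed formats: OpenSSH "Accepted ..." syslog lines and auditd USER_LOGIN records.
SSH_OK = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
AUDIT_OK = re.compile(r"^type=USER_LOGIN msg=audit\((\d+)\.\d+:\d+\):.*auid=(\d+).*addr=(\S+).*res=success")

# Constructed sample lines (not real log data) mixing /var/log/messages-style
# sshd entries with /var/log/audit/audit.log-style records.
SAMPLE_LOGS = """\
Apr 20 11:00:00 gw sshd[3900]: Accepted password for admin from 198.51.100.23 port 50000 ssh2
May  3 02:14:07 gw sshd[4123]: Accepted password for admin from 198.51.100.23 port 51544 ssh2
May  3 08:10:31 gw sshd[4201]: Failed password for admin from 198.51.100.23 port 51602 ssh2
May  4 09:00:12 gw sshd[4300]: Accepted publickey for admin from 10.0.0.5 port 40110 ssh2
type=USER_LOGIN msg=audit(1714702447.101:88): pid=4123 uid=0 auid=0 ses=3 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.23 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1714702447.101:89): pid=4124 uid=0 auid=0 ses=4 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=/dev/pts/1 res=failed'
"""


def successful_logins(text, year=2024):
    """Return (timestamp, user, ip, source) for every successful login in the text.
    Syslog lines carry no year, so the caller supplies it (assumed 2024 here)."""
    hits = []
    for line in text.splitlines():
        m = SSH_OK.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits.append((ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), "sshd"))
            continue
        m = AUDIT_OK.match(line)
        if m:
            ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            hits.append((ts, f"auid={m.group(2)}", m.group(3), "auditd"))
    return hits


def suspicious_logins(text, trusted_nets, year=2024):
    """Successful logins inside the exploitation window from outside the trusted admin networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for ts, user, ip, source in successful_logins(text, year):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # hostnames or "?" cannot be checked against a network; skip, don't guess
        if ts >= EXPLOITATION_START and not any(addr in n for n in nets):
            flagged.append((ts.isoformat(), user, ip, source))
    return flagged


if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOGS, ["10.0.0.0/8"]):
        print("REVIEW:", hit)
```

A flagged login is a lead for the compromise assessment the article recommends, not proof of exploitation; an appliance whose exported logs show none is not thereby cleared, since Rapid7 found no reliable indicator for the file read itself.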
We refer users to Check Point’s FAQ for mitigations, detection and more guidance, as well as WatchTowr's analysis and hopefully by this point guidance from security partners. This looks a lot worse than first suggested; assessing for compromise as well as exposure seems sensible.
CISA today added CVE-2024-24919 to its "known exploited" catalogue.
Expect attacks to ramp up as the exploit gets "democratised."