Alert essentials:
An information disclosure weakness was discovered recently in Check Point Secure Gateways. This vulnerability results in unauthorized access to information on the gateway, possibly allowing hackers to gain administrative privileges and perform lateral movement within the environment. A hotfix is available for remediation.
Detailed threat description:
Exploited in the wild since April 7, 2024, a Check Point gateway exploit has gained momentum over the past few days, and proof-of-concept code was released over the weekend.
A previous zero-day, this exploit is currently being actively exploited in the wild and has been observed exporting data from Active Directories.
The flaws tactics allow a remote, unauthenticated attacker access to the software without requiring user interaction or elevated privileges. A skilled threat actor may read password data, SSH keys, or other credentials. Specific network configurations can even allow the hacker to use the obtained credentials to perform lateral movement and fully compromise the system.
Internet-facing or perimeter networking devices are prime targets for providing threat actors access to internal networks if they are compromised.
Globally, over 13,800 devices containing the software are reportedly exposed, with reports calling this vulnerability an arbitrary file read and information disclosure.
Regardless of how the flaw is defined, exposing sensitive information is incredibly dangerous. Due to the severity, CVE-2024-24919 has been added to CISA’s Known Exploited Vulnerabilities catalog, and federal agencies have until June 20, 2024, to remediate this risk.
Mitigate or patch affected VPNs immediately to prevent compromise.
This is an evolving situation, and updates will be released as they become available.
Impacts on healthcare organizations:
A network compromise would take many or all lifesaving technologies a healthcare facility uses offline, preventing accurate patient care.
Healthcare providers store vast amounts of sensitive patient data, which is often shared through interconnected and interoperable networking. These systems cross a broad spectrum of third-party vendors with co-mingled old and new technology.
In addition to halting the use of lifesaving technology, a successful cyber attack can lead to data theft, exposing patients to identity theft, financial fraud, and even blackmail.
Affected products / versions:
- Check Point Secure Gateways with IPsec VPN in Remote Access VPN Community and the Mobile Access software blade
- CloudGuard Network
- Quantum Maestro
- Quantum Scalable Chassis
- Quantum Security Gateways
- Quantum Spark Appliances
- Check Point has advised that a Security Gateway is vulnerable if one of the following configurations is applied:
- If the “IPSec VPN” blade has been enabled and the Security Gateway device is part of the “Remote Access” VPN community.
- If the “Mobile Access” blade has been enabled.
- Impacted versions include R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.
Gateways using only Site-to-Site IPSEC VPN are not affected.
CVEs
- CVE-2024-24919
Recommendations
Engineering recommendations:
- Engineering recommendations:
- Remove any local users on the gateway
- Immediately apply updates to impacted products
- Hotfixes are available for:
- Quantum Security Gateway
- Quantum Maestro
- Quantum Scalable Chassis
- Quantum Spark Appliances
- Reset local account credentials
- Customers who use CCCD must disable this functionality for the Hotfix to be effective. All organizations should manually confirm that the CCCD feature is disabled on every patched Check Point device. Per the vendor advisory, the command VPN CCCD status should be executed in “Expert Mode” on appliances to confirm that CCCD is disabled.
Leadership / program recommendations:
- VPNs introduce security weaknesses into networks. When deciding on a VPN for the organization, consider the following:
- Find a VPN provider that actively prevents IP address leaks
- Verify the tool does not log online activity and that it periodically purges data
- Verify the VPN has a kill switch that automatically exists specific programs if the VPN connection drops
- Ensure the tool allows for the use of multi-factor authentication (MFA)
- Conduct annual cyber exams to unearth areas of deficiency
- Develop and practice an emergency response plan
- Vet all third-party partners and verify their software updates fit within the organization’s policies
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Check Point Advisory and Updates: https://support.checkpoint.com/results/sk/sk182336
- Censys: https://censys.com/cve-2024-24919
- GreyNoise: https://www.greynoise.io/blog/whats-going-on-with-checkpoint-cve-2024-24919
- Mnemonic mitigations: https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-vpn-vulnerability-cve-2024-24919
- Rapid7 IoCs: https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure
- Watchtowr: https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919