CVE-2024-24919: Check Point Security Gateways Vulnerability Explained

TL;DR

• A serious vulnerability (CVE-2024-24919) affects Check Point Security Gateways.
• Active exploitation has been identified, and public proof of concepts have also been released.
• You should review all Check Point Security Gateways and apply the latest patches.

What is the vulnerability that affects Check Point devices (CVE-2024-24919)?

On the 28^th of May, Check Point put out an advisory for an information disclosure vulnerability (CVE-2024-24919) which affects several of their products.

The initial information from Check Point was vague, however, research from the community clearly shows that this vulnerability is worse than what Check Point had originally made out.

Within the advisory Check Point stated that:

“The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled”

Research released by Watchtowr shows that CVE-2024-24919 is an arbitrary file inclusion vulnerability with elevated privileges, meaning that any unauthenticated user can read any file on the device. This is as bad as it gets for a file inclusion vulnerability, as it would allow an attacker to view information such as device password hashes and other sensitive information such as API keys or credentials within configuration files.

This vulnerability comes off the back of other similar products having similar flaws, such as the range of problems that affected Ivanti earlier this year, the vulnerabilities in FortiOS, and the more recent PaloAlto GlobalProtect vulnerability.

Which systems are at risk?

The Check Point information disclosure vulnerability affects several products and versions, these are as follows:

What do I need to do about CVE-2024-24919 and how can Intruder help?

Identify all affected Check Point devices - Intruder's Attack Surface View can help with this. To do this, navigate to Attack Surface View and search for “Check Point” as shown below:

‍

Apply the latest patches that are available for the device you have and monitor the Check Point advisory page for any further changes or updates.

The current proof of concept that has been released makes a simple HTTP POST request to the “/clients/MyCRL” endpoint as shown below:

We recommend enhanced monitoring of your devices where possible and reviewing device logs for suspicious activity going to the affected endpoint. Especially HTTP Post requests with a body that contains common Linux paths and common forms of directory traversal payloads (e.g. ../).

In addition, as part of our Rapid Response service, all Premium and Vanguard customer targets have already been scanned for this vulnerability before active Tenable or Nuclei checks were published.

Additional reading and research about CVE-2024-24919

• Research by Watchtowr
• Check Point Blog and Advisory

Changelog

30^th May 2024 – Initial post