.svg)
.svg)
On May 28th, 2024, Check Point disclosed an arbitrary file read vulnerability affecting Check Point Security Gateways [1]. CVE-2024-24919 has a CVSS score of 8.6 (High) and allows adversaries to read sensitive files from vulnerable products with root privileges. If the certificate authentication is not enabled, adversaries may exploit CVE-2024-24919 for unauthenticated remote code execution.
In this blog, we explained how the Check Point CVE-2024-24919 vulnerability works and how organizations can defend against CVE-2024-24919 attacks.
Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform
Check Point CVE-2024-24919 Vulnerability Explained
Check Point Security Gateways are used by organizations worldwide as a security barrier against various types of threats and unauthorized access to networked systems. On May 27th, 2024, Check Point saw a significant volume of malicious traffic targeting VPN devices. CVE-2024-24919 is a high-severity zero-day vulnerability affecting Check Point Security Gateways with remote Access VPN or Mobile Access Software Blades enabled. The vulnerability has a CVSS score of 8.6 (High) and can be exploited for arbitrary file read with a possibility of unauthenticated remote code execution. Due to ease of exploitability, organizations are advised to apply hot fixes to their vulnerable Check Point Security Gateway products.
|
Product Name |
Affected Versions |
Fixed Versions |
|
Quantum Security Gateway |
R77.20 (EOL) R77.30 (EOL) R80.10 (EOL) R80.20 (EOL) R80.20.x R80.20SP (EOL) R80.30 (EOL) R80.30SP (EOL) R80.40 (EOL) R81 R81.10 R81.10.x R81.20 |
R81.20 R81.10 R81 R80.40 |
|
CloudGuard Network Security |
R81.20 R81.10 R81 R80.40 |
|
|
Quantum Maestro |
R81.20 R81.10 R80.40 R80.30SP R80.20SP |
|
|
Quantum Scalable Chassis |
R81.20 R81.10 R80.40 R80.30SP R80.20SP |
|
|
Quantum Spark Gateways |
R81.10.x R80.20.x R77.20.x |
How Check Point CVE-2024-24919 Exploit Works?
Check Point CVE-2024-24919 is an arbitrary file read vulnerability (CWE-200) that allows attackers to access and read sensitive files via path traversal. On its own, an arbitrary file read vulnerability would have a high severity score. However, CVE-2024-24919 allows attackers to access files with root privileges, increasing the severity. Adversaries can access critical files such as "passwd" and "shadow" and harvest user credentials. If any multi-factor authentication is in place, attackers use harvested credentials for remote code execution.
The example HTTP POST request below exploits the CVE-2024-24919 vulnerability.
|
POST /clients/MyCRL Host: <vulnerable_CheckPoint_Security_Gateway> Content-Length: 39 aCSHELL/../../../../../../etc/passwd |
How Picus Helps Simulate Check Point CVE-2024-24919 Attacks?
We also strongly suggest simulating the Check Point CVE-2024-24919 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Check Point CVE-2024-24919 vulnerability exploitation attacks:
|
Threat ID |
Threat Name |
Attack Module |
|
27524 |
Check Point Web Attack Campaign |
Web Application |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Check Point CVE-2024-24919 vulnerability in preventive security controls. Currently, Picus Labs validated the following signatures for Check Point CVE-2024-24919 vulnerability:
|
Security Control |
Signature ID |
Signature Name |
|
Check Point NGFW |
asm_dynamic_prop_CVE_2024_24919 |
Check Point VPN Information Disclosure (CVE-2024-24919) |
|
F5 BIG-IP |
200101550 |
Directory Traversal attempt (Content) |
|
F5 BIG-IP |
200000190 |
Directory Traversal attempt "../../" (Parameter) |
|
F5 BIG-IP |
200003054 |
Directory Traversal attempt (../etc/) (Parameter) |
|
F5 BIG-IP |
200010168 |
"/etc/shadow" access (Parameter) |
|
Forcepoint NGFW |
HTTP_CS-Check-Point-Security-Gateway-Information-Disclosure-CVE-2024-24919 |
|
|
FortiWeb |
050180007 |
Generic Attacks |
|
FortiWeb |
060070002 |
Generic Attacks(Extended) |
|
Imperva SecureSphere |
Directory Traversal - 1 |
|
|
Imperva SecureSphere |
Directory Traversal - 3 |
|
|
Imperva SecureSphere |
Directory Traversal - 555501307 |
|
|
Imperva SecureSphere |
Directory Traversal - 6 |
|
|
Imperva SecureSphere |
Directory Traversal - 8 |
|
|
Imperva SecureSphere |
Directory Traversal (In Cookies/Parameters Value) |
|
|
Snort |
1.2053031.1 |
ET WEB_SPECIFIC_APPS Checkpoint Quantum Security Gateway Arbitrary File Read Attempt (CVE-2024-24919) |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] "Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure." Available: https://support.checkpoint.com/results/sk/sk182336
