Published: 3 June 2024
Prepared by: Adam Skupien, Vulnerability Security Analyst
This alert aims to bring attention to a high-risk publicly released vulnerability, identified as CVE-2024-24919, present in multiple Check Point Security products.
The exploitation of CVE-2024-24919 may allow an unauthenticated, remote attacker to obtain sensitive information on the Security Gateway, potentially leading the attacker to move laterally across an organisation's network and gain domain admin privileges.
On 31 May 2024, the Australian Cyber Security Centre (ACSC) released an advisory addressing this vulnerability and urging organisations to apply the hotfix and implement mitigation advice provided by the vendor.
Check Point has also advised they are aware of and are continuing to investigate attempts to gain unauthorised access by exploiting this vulnerability.
At the time of this release, GreyNoise has identified eight (8) IP addresses from which attempts to exploit CVE-2024-24919 have originated.
However, Check Point's advisory release includes a larger list of IP addresses suspected of being used by threat actors to exploit this vulnerability.
Due to its active exploitation by threat actors, CVE-2024-24919 has been added to the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue.
On 28 May 2024, Check Point issued a notification for a HIGH severity vulnerability identified as CVE-2024-24919 Check Point Quantum Security Gateways Information Disclosure Vulnerability.
Check Point has advised that they have observed and continue investigating unauthorised attempts to access their customers' Security Gateways leveraging this vulnerability as early as 07 April 2024.
The vulnerability is present in the following products:
running any of the following versions of Check Point Gaia software:
Hotfixes for many versions of the software for several of the products have already been released, with additional hotfixes being developed.
These should be installed as a priority to prevent exploitation of CVE-2024-24919.
For Gateways running End-of-Support versions of Gaia, Check Point has recommended the following options:
Upgrade to a supported version and install the provided Hotfix.
Disable the Remote Access and Mobile Access functionalities:
(3)Install the Access Control policy.
Managed Detection and Response (MDR) platforms can monitor an environment for suspicious activity related to the exploitation of this vulnerability.
However, as these assets are appliances, they cannot run the Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) agent, which reduces overall visibility of the platform.
Please ensure that these devices are sending syslog data to an SIEM so that malicious indicators can be identified.
An IPS signature is available for Check Point customers who have purchased the IPS subscription service.
To prevent exploitation, the vulnerable Remote Access VPN gateway must be placed behind a Security Gateway with both IPS and HTTPS inspection enabled.
To investigate for suspicious activity, Check Point recommends the following steps:
(1) Analyse all remote access connections to local accounts with password-only authentication.Monitor your connection logs from the past three months:
blade: "Mobile Access" AND action: "Log In" AND auth_method:Password
(2) For each connection, verify that the user, time, source IP address, client name, OS name, and application are familiar based on the configured users and business needs.
(3) In case one of the connections or users is not validated, Check Point recommends invoking an incident response playbook, or to contacting Check Point Support or your local Check Point representative.
Triskele Labs DefenceShield customers with Assess service (Vulnerability Scanning) are currently being scanned.
All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored closely for related Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs).