A high alert notification has been issued by the Australian Cyber Security Centre (ACSC) for vulnerabilities that affect Check Point Gateways with Mobile Access blades or IPsec VPN enabled. The zero-day vulnerability, identified as CVE-2024-24919, enables attackers to access private data on susceptible systems and may also compromise large networks.
Check Point Gateways Vulnerability CVE-2024-24919 Explained
CVE-2024-24919 has been classified as an arbitrary file read vulnerability. This means that an attacker can read any infected file by exploiting the vulnerability without the need for prior authentication or special privileges. Attackers could exploit this flaw by reading any file on an affected device.
Attackers might exploit the vulnerability to steal user credentials by cracking hashed passwords or using them for phishing attacks in the future. Attackers can also launch lateral attacks by using stolen credentials to move within a network and access more sensitive systems. They can also delete or modify critical data and disrupt operations by installing malware, thereby gaining access to launch attacks within the network in the future.
The ACSC, in a high alert notice issued on May 31, confirmed the active exploitation attempts targeting unpatched Check Point devices. Check Point has released a hotfix to address the CVE-2024-24919 vulnerability. Exploiting the vulnerability could let attackers access sensitive information and allow them to move laterally within a network, potentially gaining complete control (including domain admin privileges).
Check Point Gateways: Over 15,000 Devices Vulnerable Globally
Research on ODIN, an Internet search engine built by Cyble for attack surface management and threat intelligence, found that more than 15,000 instances of Check Point devices globally are internet-facing and potentially vulnerable. ODIN users can use the query services modules http.title:“Check Point SSL Network Extender” to track the internet exposed Check Point devices on the platform. The affected Check Point products include:
- CloudGuard Network
- Quantum Maestro
- Quantum Scalable Chassis
- Quantum Security Gateways
- Quantum Spark Appliances
Impacted software versions include:
- R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20
Patch Now to Protect Against the Check Point Flaw
The ACSC has strongly advised Australian organizations using Check Point Security Gateway devices to inspect their systems for the affected software versions and to apply the corresponding patches per Check Point’s instructions. As an additional security measure, many organizations have been instructed to reset the local account credentials on patched systems to mitigate potential risks, especially since password hashes can be compromised.
A Growing Threat
While the ACSC’s warning has been specifically issued for Australian organizations, the vulnerability poses a significant global threat. Organizations worldwide should take immediate action to identify and patch affected Check Point devices. The discovery and subsequent exploitation of CVE-2024-24919 is an evolving situation.
In the next few days, we can expect:
Further Analysis: Security researchers will continue to analyze the zero-day vulnerability and its corresponding impact. Detailed technical reports outlining the exploit mechanisms and potential attack vectors could be expected.
Exploit Code Availability: Malicious actors could also release publicly available exploit code for CVE-2024-24919. This could substantially increase the number of attacks targeting vulnerable devices. Organizations should be prepared to detect and respond to such potential exploit attempts.
Patch Updates and Guidance: Check Point is likely refine and update the security hotfixes based on the ongoing analysis. Organizations should stay alert for any updates or revised patching instructions from Check Point.
Increased Attack Attempts: As news of the vulnerability spreads, there could be an expected rise in attempted attacks targeting unpatched Check Point devices. Organizations should prioritize patching and be on the lookout for any suspicious activity within their networks.
Discovery of Related Vulnerabilities: The discovery of CVE-2024-24919 might lead to the identification of similar vulnerabilities in other Check Point products or security software from different vendors. Organizations should stay informed about any related vulnerabilities and take appropriate mitigation measures.