CVE-2024-24919 - Zero-Day Vulnerability Exploiting Check Point Security Gateways
Introduction
CVE-2024-24919 has recently been identified in Check Point Security Gateways. This high-severity information disclosure vulnerability is actively being exploited in the wild, posing significant risks to organizations using Check Point products. This blog provides a comprehensive overview of CVE-2024-24919, steps to mitigate its impact, and indicators of compromise (IOCs) to help detect potential exploitation.
How the CVE-2024-24919 Exploit Works
Check Point published an advisory on May 28, 2024, detailing CVE-2024-24919, a critical vulnerability affecting various Check Point Security Gateway devices configured with the "IPSec VPN" or "Mobile Access" software blades. The vulnerability allows unauthenticated remote attackers to read arbitrary files on affected appliances without proper authorization, including sensitive files such as password hashes. It is classified under CWE-200 (Information Exposure). In the case of CVE-2024-24919, the files are read with root privileges, which significantly amplifies the severity of the exploit.
Attack Vector
The vulnerability is primarily exploited through path traversal attacks. Path traversal involves manipulating the file path in HTTP requests to access files outside the intended directory. By sending specially crafted requests, attackers can navigate the file system and read files containing sensitive information, such as password hashes and configuration details.
Steps of the Exploit
Identify a Vulnerable System:
Attackers first scan for Check Point Security Gateways that are configured with either the "IPSec VPN" or "Mobile Access" software blades. These configurations are necessary for the exploit to work.
Crafting the Malicious Request:
Attackers construct an HTTP POST request targeting a specific endpoint, such as /clients/MyCRL. The payload of this request includes a path traversal sequence designed to read sensitive files.
Example HTTP POST request:
POST /clients/MyCRL
Host: <vulnerable_CheckPoint_Security_Gateway>
Content-Length: 39
aCSHELL/../../../../../../../../etc/passwd
Execution of the Request:
The crafted request is sent to the vulnerable Check Point Security Gateway. Due to improper validation and sanitization of input paths, the gateway processes the request and accesses the specified file.
The file content, such as /etc/passwd or /etc/shadow, is then returned to the attacker. These files contain crucial information, including user account details and password hashes.
Harvesting Sensitive Information:
Attackers extract the password hashes from the returned file content. These hashes can be subjected to cracking attempts to reveal plain-text passwords, providing attackers with further access to the system.
If the gateway relies on password-only authentication, cracked passwords can be used to log in to the system, potentially allowing attackers to move laterally within the network.
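The steps above describe what the traversal does, but not what a correct file lookup has to do to stop it. The Python below is an added illustration, not Check Point's code and not a description of how the vendor's fix works: it contrasts a naive join of the client-supplied name onto a base directory with a containment check that canonicalises the path first and refuses anything that does not remain inside the allowed root. The root /var/www/crl, the handler name serve_crl and the file name ICA.crl are assumptions made for the example.

```python
import posixpath
from typing import Optional, Tuple

# Directory a CRL-serving handler is allowed to read from. Hypothetical path for the
# example, not the real location used on a Check Point appliance.
CRL_ROOT = "/var/www/crl"


def resolve_naively(root: str, requested: str) -> str:
    """The defect pattern: trust the client-supplied name and join it onto the root.

    normpath is applied only so the returned value shows where an open() would land."""
    # posixpath.join discards the root entirely when the request is an absolute path.
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Hardened lookup: canonicalise, then accept only paths strictly inside root."""
    root = posixpath.normpath(root)
    # Strip a leading '/' so an absolute request is treated as relative to the root,
    # then collapse every '.' and '..' component.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # Compare against root + '/' so a sibling such as /var/www/crl2 is not accepted as a prefix match.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def serve_crl(requested: str) -> Tuple[int, str]:
    """Minimal handler with the check in place; returns (status, detail).

    A real handler would additionally resolve symlinks (os.path.realpath) before opening."""
    resolved = resolve_within_root(CRL_ROOT, requested)
    if resolved is None:
        return 403, "refused: path escapes " + CRL_ROOT
    return 200, resolved  # an open(resolved) would go here


if __name__ == "__main__":
    payload = "aCSHELL/../../../../../../../../etc/passwd"   # the request body quoted above
    print("naive   :", resolve_naively(CRL_ROOT, payload))   # lands on /etc/passwd
    print("hardened:", serve_crl(payload))                    # (403, ...)
    print("benign  :", serve_crl("ICA.crl"))                  # (200, /var/www/crl/ICA.crl)
```

The interesting property is that the hardened check does not look for the literal string "../" at all: it collapses the path and then asks whether the result is still under the root, so encoded or unusually nested variants of the same idea fall out the same way.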
Potential for Remote Code Execution
The vulnerability is even more dangerous due to the potential for unauthenticated remote code execution (RCE). If certificate-based authentication is not enabled, attackers could use harvested credentials to execute arbitrary commands on the compromised system, gaining full control over the device.
Elevated Privileges
Since CVE-2024-24919 allows access to files with root privileges, the scope of the attack is greatly expanded. Attackers can read and manipulate any file on the system, including critical system files and configurations, leading to severe consequences such as:
Credential Theft: Accessing and cracking password hashes.
Configuration Manipulation: Altering system configurations to create backdoors or disable security features.
Data Exfiltration: Extracting sensitive information stored on the gateway.
Lateral Movement: Using compromised credentials to move to other systems within the network, such as Active Directory servers.
Real-World Exploitation
Since its disclosure, CVE-2024-24919 has been actively exploited in the wild. Attackers have been observed leveraging this vulnerability to gain access to Active Directory servers and extract the ntds.dit file, which contains critical information about the domain. This rapid lateral movement highlights the urgency of mitigating the vulnerability.
Indicators of Compromise (IOCs) for CVE-2024-24919
These IOCs help in identifying whether a system has been targeted or compromised by this vulnerability. Here, we delve deeper into the IOCs associated with CVE-2024-24919 and offer guidance on how to detect and respond to them effectively.
Log File Entries
Specific log file entries can indicate successful exploitation attempts. Monitoring and analyzing these logs can provide early warning signs of compromise.
Web Administration Panel Login:
Successful logins to the web administration panel, especially from unusual IP addresses or at odd times, can indicate unauthorized access.
/var/log/audit/audit.log:
type=USER_AUTH msg=audit(1717085193.706:656): pid=65484 uid=99 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="admin" exe="/usr/sbin/httpauth" hostname=192.168.181.1 addr=192.168.181.1 terminal=? res=success'
/var/log/messages:
May 30 08:30:25 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin
/var/log/auth:
May 30 08:30:31 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin.
SSH Login:
Log entries for SSH logins from unexpected IP addresses can also signify unauthorized access.
/var/log/messages:
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: admin localhost t +volatile:clish:admin:66699 t
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: User admin logged in with ReadWrite permission
/var/log/secure:
May 30 08:30:31 2024 gw-6f7361 sshd[66690]: Accepted password for admin from 192.168.181.1 port 62487 ssh2
Unusual File Access Patterns
Abnormal patterns in file access, especially files like /etc/passwd or /etc/shadow, can indicate malicious activity. These files are typically accessed during exploitation attempts to gather sensitive information such as user credentials.
Commands Executed:
Monitor for commands that read or manipulate sensitive files, which may not typically be accessed during normal operations.
cat /etc/passwd
Network Traffic Anomalies
Network traffic to and from the Check Point Security Gateway should be analyzed for anomalies that could indicate an exploitation attempt or data exfiltration.
Suspicious HTTP POST Requests:
Look for HTTP POST requests to specific endpoints like /clients/MyCRL with unusual payloads.
POST /clients/MyCRL
Host: <vulnerable_CheckPoint_Security_Gateway>
Content-Length: 39
aCSHELL/../../../../../../../../etc/passwd
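An added example, not from the original post and not a vendor signature, of how a proxy log or traffic-inspection script can flag the request pattern above in Python. It goes a little beyond the literal payload: the request target and body are percent-decoded (twice, to cover double encoding) and canonicalised, so only references that actually climb out of their starting directory are reported, while a body such as "sub/../file" is left alone. The watched-endpoint set, the host name gateway.example and the benign body CRL/ICA.crl are constructed for the example.

```python
import posixpath
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Endpoint named in the post; traversal aimed at it is rated high, elsewhere medium.
WATCHED_ENDPOINTS = {"/clients/MyCRL"}


def parse_http_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP request, as captured by a proxy or packet capture, into its parts."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")          # blank line separates headers from body
    request_line, *header_lines = head.splitlines()
    parts = request_line.split()
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}


def escapes_directory(value: str) -> bool:
    """True when a file reference climbs out of the directory it starts in.

    The value is percent-decoded twice (catches %2e%2e%2f and double-encoded forms) and
    backslashes are treated as separators before the '..' components are collapsed."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    if decoded.startswith("/"):
        return True  # an absolute path has no business in a relative file reference
    # Anchor under a dummy base directory; if normpath leaves that base, the reference escaped.
    collapsed = posixpath.normpath("/base/" + decoded)
    return not (collapsed == "/base" or collapsed.startswith("/base/"))


def assess_request(raw: str) -> List[Tuple[str, str]]:
    """Return (severity, description) findings for one request; an empty list means nothing suspicious."""
    req = parse_http_request(raw)
    path = str(req["target"]).split("?", 1)[0]
    findings: List[Tuple[str, str]] = []
    for where, value in (("request target", path.lstrip("/")), ("body", str(req["body"]))):
        if value and escapes_directory(value):
            severity = "high" if path in WATCHED_ENDPOINTS else "medium"
            findings.append((severity, f"path traversal in {where} of {req['method']} {path}"))
    return findings


# Constructed sample traffic. The first body is the one quoted in the post; the rest are made up.
SAMPLE_REQUESTS = {
    "quoted_payload": "POST /clients/MyCRL HTTP/1.1\r\nHost: gateway.example\r\n\r\n"
                      "aCSHELL/../../../../../../../../etc/passwd",
    "encoded": "POST /clients/MyCRL HTTP/1.1\r\nHost: gateway.example\r\n\r\n"
               "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
    "benign": "POST /clients/MyCRL HTTP/1.1\r\nHost: gateway.example\r\n\r\nCRL/ICA.crl",
    "other": "GET /images/../../etc/hosts HTTP/1.1\r\nHost: gateway.example\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(name, assess_request(raw))
```

Feeding this the requests from a web server access log works the same way once the target and body are extracted; the point of the canonicalisation step is that a signature keyed only on the string "../" misses the encoded forms, whereas the collapse-then-compare check treats them identically.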
Unexpected Outbound Traffic:
Data exfiltration attempts might result in unusual outbound traffic patterns. Monitor for large volumes of data being sent to external IP addresses, especially if originating from the Security Gateway.
Authentication and Access Logs:
Access attempts and authentication logs should be regularly reviewed to detect unauthorized access. Pay attention to:
Failed Login Attempts:
Multiple failed login attempts can signify brute force attacks.
Successful Logins from Unusual Locations:
Logins from IP addresses or locations not typically associated with legitimate users.
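The log lines quoted in the Log File Entries section and the review points listed here can be turned into a small triage script. The following Python is an added example, not Check Point's tooling: it parses the audit.log, httpd2 and sshd formats shown above, flags successful logins from addresses outside an administrator allowlist, counts failed SSH logins per source to surface brute forcing, and correlates a web-panel login followed by an SSH login from the same address, which is the sequence the quoted entries show. The allowlist entry 10.10.5.20, the thresholds and the failed-login lines from 203.0.113.7 are constructed; the other sample lines are copied from the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Addresses administrators normally connect from. Constructed allowlist for the example.
KNOWN_ADMIN_SOURCES = {"10.10.5.20"}
FAILED_LOGIN_THRESHOLD = 5                   # this many failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... inside this window count as a burst
WEB_TO_SSH_WINDOW = timedelta(minutes=15)    # web login then SSH login this close are correlated


@dataclass
class Event:
    kind: str        # audit_auth, web_login, ssh_login or ssh_failed
    ts: datetime
    user: str
    ip: str
    success: bool


# "May 30 08:30:31 2024 gw-6f7361 " prefix used by /var/log/messages, /var/log/auth and /var/log/secure.
SYSLOG_PREFIX = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \S+ "
PATTERNS = [
    ("web_login", True, re.compile(SYSLOG_PREFIX + r"httpd2: HTTP login from (?P<ip>\S+) as (?P<user>[^\s.]+)")),
    ("ssh_login", True, re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port")),
    ("ssh_failed", False, re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")),
]
AUDIT_RE = re.compile(
    r'type=USER_AUTH msg=audit\((?P<epoch>\d+)\.\d+:\d+\):.*acct="(?P<user>[^"]+)".*addr=(?P<ip>\S+).*res=(?P<res>\w+)'
)


def parse_line(line: str) -> Optional[Event]:
    """Turn one raw line from audit.log, messages, auth or secure into an Event; None if unrecognised."""
    m = AUDIT_RE.search(line)
    if m:
        ts = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
        return Event("audit_auth", ts, m["user"], m["ip"], m["res"] == "success")
    for kind, success, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            # Syslog stamps carry no zone; treat them as UTC so they can be ordered and compared.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            return Event(kind, ts, m["user"], m["ip"], success)
    return None


def analyze(lines: Iterable[str]) -> Dict[str, list]:
    """Run the three checks over a batch of lines and return the findings per check."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    findings: Dict[str, list] = {"unknown_source": [], "failed_bursts": [], "web_then_ssh": []}

    # 1. Successful authentication from an address that is not a known administrator source.
    for e in events:
        if e.success and e.ip not in KNOWN_ADMIN_SOURCES:
            findings["unknown_source"].append((e.kind, e.ip, e.user))

    # 2. Failed SSH logins: THRESHOLD or more from one source inside WINDOW (sliding over sorted stamps).
    failed: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.kind == "ssh_failed":
            failed[e.ip].append(e.ts)
    for ip, stamps in failed.items():
        stamps.sort()
        for i in range(len(stamps) - FAILED_LOGIN_THRESHOLD + 1):
            if stamps[i + FAILED_LOGIN_THRESHOLD - 1] - stamps[i] <= FAILED_LOGIN_WINDOW:
                findings["failed_bursts"].append((ip, len(stamps)))
                break

    # 3. Web administration login followed by an SSH login from the same address.
    web_logins = [e for e in events if e.kind == "web_login"]
    ssh_logins = [e for e in events if e.kind == "ssh_login"]
    for w in web_logins:
        for s in ssh_logins:
            gap = s.ts - w.ts
            if s.ip == w.ip and timedelta(0) <= gap <= WEB_TO_SSH_WINDOW:
                findings["web_then_ssh"].append((w.ip, w.user, int(gap.total_seconds())))
    return findings


# Sample input: the first three lines are copied from the post's IOC section; the five failed
# logins from 203.0.113.7 are constructed to exercise the burst check.
SAMPLE_LINES = [
    "type=USER_AUTH msg=audit(1717085193.706:656): pid=65484 uid=99 auid=4294967295 ses=4294967295 "
    "subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct=\"admin\" "
    "exe=\"/usr/sbin/httpauth\" hostname=192.168.181.1 addr=192.168.181.1 terminal=? res=success'",
    "May 30 08:30:25 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin",
    "May 30 08:30:31 2024 gw-6f7361 sshd[66690]: Accepted password for admin from 192.168.181.1 port 62487 ssh2",
] + [
    f"May 30 08:2{i}:00 2024 gw-6f7361 sshd[6660{i}]: Failed password for admin from 203.0.113.7 port 5011{i} ssh2"
    for i in range(5)
]

if __name__ == "__main__":
    for check, hits in analyze(SAMPLE_LINES).items():
        print(check, hits)
```

On the quoted entries the script reports the web login, the SSH login and the audit.log authentication all coming from 192.168.181.1, and a six-second gap between the web-panel login and the SSH session from that address; the allowlist is what turns "a login happened" into "a login from somewhere administrators do not normally come from".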
System Changes and Configurations
Unauthorized changes to system configurations or newly created accounts can be indicative of a compromise. Monitor:
Creation of New User Accounts:
Check for new user accounts that were not created by authorized administrators.
Changes in Configuration Files:
Any unexpected modifications to important configuration files could signal an exploit.
Security Software Alerts
Security tools like Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) can generate alerts for suspicious activities related to CVE-2024-24919 exploitation. Specific signatures and rules designed to detect this vulnerability should be enabled and monitored.
Example IDS/IPS Signatures:
1.2053031.1 ET WEB_SPECIFIC_APPS Checkpoint Quantum Security Gateway Arbitrary File Read Attempt (CVE-2024-24919)
Affected Versions
Vulnerabilities exist in all Security Gateway versions that come with the IPsec VPN, Remote Access, or Mobile Access software blades.
Users should apply the most recent vendor fixes. To address this issue, Check Point has published security updates for the following releases:
Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x
Mitigation Steps Post-Detection
Once IOCs have been detected, immediate steps should be taken to mitigate further risks and secure the network:
Isolate Affected Systems: Prevent further exploitation by isolating compromised systems from the network.
Reset Credentials: Change all passwords and regenerate SSH keys for affected accounts.
Strengthen Authentication: Implement multi-factor authentication (MFA) and disable unused local accounts.
Apply Hotfixes and Updates: Ensure all systems are updated with the latest patches from Check Point.
Conduct a Thorough Forensic Investigation: Analyze the extent of the compromise, including potential lateral movements and data exfiltration.
Review and Harden Security Posture: Beyond the MFA rollout above, implement additional security measures such as stricter access controls.
Disable CCCD: Ensure the non-default CCCD feature is disabled as instructed by Check Point.
Apply the Preventative Hotfix: Follow Check Point's instructions for the preventative hotfix for CVE-2024-24919 (advisory sk182336, linked in the references below).
Conclusion
CVE-2024-24919 poses a significant threat to organizations using Check Point Security Gateways. The vulnerability’s ability to allow arbitrary file reads with root privileges makes it a high-priority issue. By understanding how the exploit works and taking prompt mitigation steps, organizations can protect their networks from potential breaches and minimize the risk posed by this critical vulnerability.
References
https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/
https://support.checkpoint.com/results/sk/sk182336
https://www.picussecurity.com/resource/blog/cve-2024-24919-check-point-security-gateways-zero-day-vulnerability-explained
https://blog.qualys.com/vulnerabilities-threat-research/2024/06/07/check-point-security-gateway-information-disclosure-vulnerability-cve-2024-24919
https://www.intruder.io/blog/cve-2024-24919-check-point-security-gateways-vulnerability-explained