[This blog will be updated as the situation evolves]
Update 1, 30/05/2024
Following the release of Check Point's advisory on the CVE-2024-24919 0-day vulnerability, some security companies released further intelligence about this flaw. First, Mnemonic stated that they detected exploitation attempts against their customers' environments as early as April 30 (compared to May 24 initially mentioned by Check Point).
Vulnerability researchers confirm that the vulnerability is critical as it is easy to exploit remotely since it doesn't require user interaction or any privileges on attacked Check Point security gateways with Remote Access VPN and Mobile Access enabled.
Exploiting CVE-2024-24919 allegedly enables threat actors to enumerate and extract password hashes for all local accounts, and in particular the account used to connect to Active Directory. Mnemonic saw threat actors extracting "ntds.dit", a database that stores Active Directory data on users, groups, security descriptors, and password hashes, from compromised customers within 2-3 hours. It is also believed that the attackers exploited the flaw to collect information allowing them to move laterally within the victim's network and misuse Visual Studio Code to tunnel malicious traffic. WatchTowr published a technical analysis of the vulnerability indicating that the vendor was downplaying the severity of CVE-2024-24919. Indeed, they compared a vulnerable and patched system to identify the flaw and managed to do so in less than two days. They discovered that it was in fact a path traversal leading to an arbitrary file read, which could allow a threat actor to access specific information on compromised gateways, potentially enabling them to retrieve password hashes and other sensitive data.
As a consequence of these findings, we have decided to raise the threat level of this advisory to 4 out of 5. Indeed, the attack surface is huge, with dozens of thousands of instances of Check Point currently exposed on the Internet, with a yet unknown number still vulnerable.
However, the recommendation remains the same, and organizations running the affected instance should:
If you suspect your instance to be compromised, you may reach out to our CSIRT teams, on top of warning Check Point's support, that will guide you in what to look for in your investigations.
For Orange Cyberdefense customers, our teams are currently assessing if this vulnerability is impacting your IT infrastructure, and will advise if any further actions are required.
1.1 Executive summary
On May 27, Check Point announced a vulnerability tracked as CVE-2024 with a CVSS 3.1 score of 7.5, within its Check Point Security Gateways that have Remote Access VPN or Mobile Access features enabled and affecting versions R80 and R81. This vulnerability allows an attacker to read certain information on gateways.
Check Point announced that it detected an exploitation of this vulnerability in the wild, it is thus strongly recommended to apply the patch provided by the vendor.
1.2 What you will hear
Check Point VPN vulnerability is exploited in the wild.
1.3 What it means
Remote Access is integrated into all Check Point network firewalls. It can be configured as a client-to-site VPN for access to corporate networks via VPN clients or set up as an SSL VPN Portal for web-based access. Product affected by this flaw include: CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark Appliances on versions R80 and R81.
On May 24, Check Point discovered malicious login attempts on VPN clients with remote access on old local accounts with unrecommended password and where 2FA is not available. An incident response team has been created to determine the cause of this flaw.
Following the creation of this task force, Check Point released a security advisory for this vulnerability, now tracked as CVE-2024-24919, on May 27. This vulnerability resides in all internet-connected gateway clients with Remote Access VPN or mobile access enabled.
Attacks against VPNs are common and should be taken seriously, as we saw in 2024 with the Ivanti Secure VPN crisis and the FortiOS SSL-VPN vulnerability.
We classify this advisory’s threat level as 3 out of 5.
1.4 What you should do
It is strongly recommended that you apply this patch given by Check Point to avoid any compromise on your endpoints. You can also run a script provided by Check Point to know if your environment includes local accounts with password authentication.
To minimize the risk of exploitation, we also recommend that you enable 2FA.