Cyber Security Alert: Check Point Vulnerability

Thursday 30th May 2024

 
Daniela Miccardi
Cyber Security Marketing Manager
Author

Check Point VPN Zero-Day Vulnerability

Check Point, an Israeli cybersecurity company, has issued a warning about a zero-day vulnerability in its network security gateway products. After observing a surge in attacks targeting VPN devices, it discovered a zero-day vulnerability being actively exploited in the wild. The flaw, tracked as CVE-2024-24919, is a high-severity information disclosure issue that allows an unauthenticated attacker to read certain information on Internet-exposed Check Point security gateways, specifically those with the remote access VPN or Mobile Access blades enabled. The vulnerability has been assigned a CVSS score of 7.5 and affects various Check Point products, including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis and Quantum Security Gateways, among others.

Prior to the discovery of CVE-2024-24919, Check Point had already warned about attacks targeting its VPN devices as a route into enterprise networks.

Attack Details

Check Point's initial warning described attempts to gain remote access through old local accounts that rely on password-only authentication, affecting a small number of customers. The Norwegian cybersecurity firm mnemonic reported observing exploitation attempts since 30th April 2024. Using CVE-2024-24919, attackers can read files from the gateway and extract password hashes for local accounts, including the accounts the gateway uses to connect to Active Directory, which opens the way to lateral movement within the internal network.

mnemonic observed the threat actor extracting Active Directory data within two to three hours of logging in with a local user. The attacker also misused the Remote Development extensions in Visual Studio Code to tunnel network traffic and evade detection; because the tunnel traffic goes to legitimate Microsoft-hosted infrastructure, it blends in with normal developer activity. The technique has been used in a cyber espionage context, indicating a high level of sophistication and possible state-sponsored activity.
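The VS Code Remote Tunnel abuse described above leaves two observable traces: outbound connections from the compromised host to the tunnel relay service, and a process that starts or registers the tunnel. The script below is an added example, not code from the original article or from Check Point or mnemonic. It runs a simple hunt over constructed proxy and process-creation log lines; the relay hostnames and command-line patterns are assumptions drawn from the VS Code tunnel documentation and the log formats are invented for the example, so tune all of them against your own telemetry before relying on them.

```python
"""
Hunt for Visual Studio Code Remote Tunnel activity in proxy and process logs.

Added example, not from the original article or from Check Point/mnemonic.
The log lines below are constructed for this example, and the indicator
lists are assumptions drawn from the VS Code tunnel documentation; tune
both before use in production.
"""
import re
from dataclasses import dataclass

# Outbound hostnames used by VS Code's tunnel service (assumption: verify
# against Microsoft's current documentation and your own proxy data).
TUNNEL_DOMAIN_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")

# Command lines that start or register a tunnel host on an endpoint.
TUNNEL_CMDLINE_PATTERNS = (
    re.compile(r"\bcode(?:\.exe|\.cmd)?\s+tunnel\b", re.IGNORECASE),
    re.compile(r"\bcode-tunnel(?:\.exe)?\b", re.IGNORECASE),
)

# Minimal log formats for this example: "<ts> <client_ip> <host> <status>"
# for the proxy and "<ts> host=<name> user=<name> cmd=<command line>" for
# process creation events.
PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})$")
PROCESS_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    source: str     # "proxy" or "process"
    timestamp: str
    where: str      # client IP (proxy) or endpoint name (process)
    indicator: str  # matched hostname or command line


def host_is_tunnel_endpoint(host: str) -> bool:
    """True if the destination is the VS Code tunnel relay infrastructure."""
    h = host.lower().rstrip(".")
    return any(h == s.lstrip(".") or h.endswith(s) for s in TUNNEL_DOMAIN_SUFFIXES)


def cmdline_starts_tunnel(cmd: str) -> bool:
    """True if the command line launches or registers a VS Code tunnel."""
    return any(p.search(cmd) for p in TUNNEL_CMDLINE_PATTERNS)


def scan_proxy_log(lines):
    """Return one Finding per proxy line whose destination is a tunnel relay."""
    findings = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if m and host_is_tunnel_endpoint(m["host"]):
            findings.append(Finding("proxy", m["ts"], m["src"], m["host"]))
    return findings


def scan_process_log(lines):
    """Return one Finding per process event whose command line starts a tunnel."""
    findings = []
    for line in lines:
        m = PROCESS_RE.match(line.strip())
        if m and cmdline_starts_tunnel(m["cmd"]):
            findings.append(Finding("process", m["ts"], m["host"], m["cmd"]))
    return findings


# Constructed sample data. Note the benign update check on the second proxy
# line: only the tunnel relay hostnames should be flagged.
SAMPLE_PROXY = [
    "2024-05-02T10:14:03Z 10.0.5.23 global.rel.tunnels.api.visualstudio.com 200",
    "2024-05-02T10:14:09Z 10.0.5.23 update.code.visualstudio.com 200",
    "2024-05-02T10:15:11Z 10.0.7.8 login.microsoftonline.com 200",
    "2024-05-02T10:16:40Z 10.0.5.23 abc123.euw.devtunnels.ms 101",
]
SAMPLE_PROCESS = [
    r"2024-05-02T10:13:55Z host=FS01 user=svc_backup cmd=C:\Program Files\Microsoft VS Code\bin\code.cmd tunnel --accept-server-license-terms --name fs01",
    r"2024-05-02T10:20:01Z host=WS12 user=alice cmd=C:\Program Files\Microsoft VS Code\Code.exe --unity-launch",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY) + scan_process_log(SAMPLE_PROCESS):
        print(f"[{f.source}] {f.timestamp} {f.where}: {f.indicator}")
```

The suffix match deliberately ignores ordinary VS Code traffic such as update checks, so a hit on the relay hostnames from a server or a service account that has no business running an IDE (as with the backup service account on the file server in the sample) is the signal worth escalating.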

The targeting of VPN devices is part of a broader series of attacks on network perimeter appliances, which has also affected products from Barracuda Networks, Cisco, and VMware. Such attacks aim to gain persistence on key enterprise assets by exploiting vulnerabilities in remote-access infrastructure.

Check Point Recommendations

Check Point has updated its advisory (linked below) post-publication to include details of the exploitation attempts shared by mnemonic.

On 28th May, Check Point identified the root cause and released a fix. Detailed information on how to apply it can be found here:

Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure (checkpoint.com)

Check Point has released hotfixes for the affected versions, which can be installed through the Security Gateway's web portal. Once installed, the hotfix blocks login attempts that use weak credentials (local accounts with password-only authentication) and generates a log entry for each such event.

Hotfixes have been released for various versions of Check Point's products:

  • Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x
  • Hotfixes are also available for end-of-life (EOL) versions, but these require manual download and installation. Check Point has also provided an FAQ page, IPS signature details, and manual hotfix installation instructions.

For those unable to apply the hotfix immediately, the recommended mitigation is to rotate the password of the Active Directory account the gateway uses, and of any local accounts on the gateway, since the vulnerability can expose their password hashes.

A ‘VPNcheck.sh’ script is also available from Check Point for validating remote access configurations, such as identifying local accounts that still rely on password-only authentication.
