
Executive Summary
In the ever-evolving landscape of cybersecurity, the emergence of new vulnerabilities poses significant threats to organizations worldwide. The recent discovery of CVE-2024-24919, an information disclosure vulnerability affecting Check Point's Security Gateway, has raised alarms across various sectors. This vulnerability, actively exploited in the wild, primarily affects organizations utilizing Check Point's network security solutions, particularly those configured with the IPSec VPN, Remote Access VPN, or Mobile Access Software Blade. The potential for unauthorized access to sensitive information necessitates immediate attention and action from affected entities.
Technical Information
CVE-2024-24919 is a critical information disclosure vulnerability that compromises the security of Check Point's Security Gateways. The vulnerability arises from improper handling of authentication processes, particularly in systems configured with local accounts using password-only authentication. This flaw allows attackers to perform brute-force attacks, gaining unauthorized access to sensitive information on internet-connected gateways. The vulnerability is exacerbated by the widespread use of VPN devices, which are prime targets for exploitation.
CVE-2024-24919 involves the exploitation of authentication mechanisms, where attackers can bypass security controls to access confidential data. The vulnerability is particularly concerning for organizations relying on Check Point's network security solutions, as it undermines the integrity of their security infrastructure. Publicly available proof-of-concept (PoC) exploits demonstrate the feasibility of the attack; security researchers have published several PoCs, highlighting the ease with which this vulnerability can be exploited.
The affected products include Check Point Network Security Gateways configured with the IPSec VPN, Remote Access VPN, or Mobile Access Software Blade. The impact of this vulnerability is significant, as it allows unauthorized access to sensitive information, potentially leading to data breaches and other security incidents. Organizations using these products must prioritize the implementation of mitigation strategies to safeguard their systems.
Exploitation in the Wild
The exploitation of CVE-2024-24919 has been observed in the wild, with attackers targeting VPN devices to gain unauthorized access. The use of brute-force attacks on systems with password-only authentication has been a common method of exploitation. Indicators of Compromise (IOCs) include unusual login attempts, unauthorized access logs, and anomalies in network traffic. Organizations are advised to monitor their systems for these IOCs to detect potential exploitation attempts.
APT Groups using this vulnerability
While specific Advanced Persistent Threat (APT) groups exploiting CVE-2024-24919 have not been publicly identified, the nature of the vulnerability makes it an attractive target for APT actors. These groups often target sectors such as finance, healthcare, and government, where sensitive information is of high value. Organizations in these sectors should be particularly vigilant in implementing mitigation measures to protect against potential exploitation.
Affected Product Versions
The affected product versions include Check Point's Quantum Security Gateway versions R80.40, R81, R81.10, and R81.20. Organizations using these versions are at risk and should take immediate action to apply the necessary hotfixes and review their authentication configurations.
Workaround and Mitigation
To mitigate the risks associated with CVE-2024-24919, organizations are advised to apply the hotfix released by Check Point. The hotfix addresses the vulnerability by enhancing the security of authentication processes. Additionally, organizations should avoid using local accounts with password-only authentication and implement multi-factor authentication to strengthen their security posture. Regular monitoring of systems for unusual login attempts and unauthorized access is also recommended to detect potential exploitation attempts.
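One way to implement the monitoring recommended above, covering the IOCs listed under Exploitation in the Wild as well, as an added example that is neither Check Point's tooling nor Rescana's own code: a small Python detector run over constructed, simplified VPN authentication log lines (the field layout is an assumption for this example, not Check Point's actual log format) that alerts when one source reaches a failure threshold inside a sliding window, and again when a login from that source then succeeds, the pattern a brute-force attack against a password-only local account would leave.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified VPN authentication log lines used as sample input.
# This field layout is an assumption for the example, not Check Point's log format:
# "<ISO timestamp> src=<ip> user=<name> auth=<password|mfa> result=<ok|fail>"
SAMPLE_LOG = """\
2024-05-28T10:00:01 src=203.0.113.7 user=admin auth=password result=fail
2024-05-28T10:00:03 src=203.0.113.7 user=admin auth=password result=fail
2024-05-28T10:00:04 src=203.0.113.7 user=backup auth=password result=fail
2024-05-28T10:00:06 src=203.0.113.7 user=vpnsvc auth=password result=fail
2024-05-28T10:00:08 src=203.0.113.7 user=vpnsvc auth=password result=fail
2024-05-28T10:00:09 src=203.0.113.7 user=vpnsvc auth=password result=ok
2024-05-28T10:05:00 src=198.51.100.2 user=alice auth=mfa result=fail
2024-05-28T10:05:30 src=198.51.100.2 user=alice auth=mfa result=ok
"""
FAIL_THRESHOLD = 5      # failures from one source inside the window
WINDOW = timedelta(minutes=1)

def parse_line(line):
    """Parse one log line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": datetime.fromisoformat(parts[0]), **fields}
    except ValueError:
        return None

def detect_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert once when a source reaches `threshold` failures inside the sliding
    window, and again if a login from that source then succeeds."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append(("bruteforce", ev["src"], ev["auth"]))
        elif len(q) >= threshold:
            alerts.append(("success_after_bruteforce", ev["src"], ev["user"]))
    return alerts
```

On the sample input the first source trips both rules while the MFA user with a single failure produces no alert; a successful login after a burst of failures is the event that should be escalated first.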
References
For further information on CVE-2024-24919 and the recommended mitigation strategies, please refer to the following resources:
- Check Point Support: Preventative Hotfix for CVE-2024-24919 (https://support.checkpoint.com/results/sk/sk182336)
- CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- GitHub - 0nin0hanz0/CVE-2024-24919-PoC (https://github.com/0nin0hanz0/CVE-2024-24919-PoC)
- GitHub - Bytenull00/CVE-2024-24919 (https://github.com/Bytenull00/CVE-2024-24919)
- GitHub - GlobalsecureAcademy/CVE-2024-24919 (https://github.com/GlobalsecureAcademy/CVE-2024-24919)
- GitHub - GoatSecurity/CVE-2024-24919 (https://github.com/GoatSecurity/CVE-2024-24919)
Rescana is here for you
At Rescana, we understand the challenges posed by emerging cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help organizations identify and mitigate vulnerabilities, ensuring robust security postures. We are committed to supporting our customers in navigating the complexities of cybersecurity. Should you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.