On May 28, 2024, Check Point published an advisory for CVE-2024-24919, a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade.

On May 29, 2024, security firm mnemonic published a blog reporting that they have observed in-the-wild exploitation of CVE-2024-24919 since April 30, 2024, with threat actors leveraging the vulnerability to enumerate and extract password hashes for all local accounts, including accounts used to connect to Active Directory. They’ve also observed adversaries moving laterally and extracting the “ntds.dit” file from compromised customers’ Active Directory servers, within hours of an initial attack against a vulnerable Check Point Gateway.

Mitigation Guidance

According to the vendor advisory, the following products are vulnerable to CVE-2024-24919:

• CloudGuard Network
• Quantum Maestro
• Quantum Scalable Chassis
• Quantum Security Gateways
• Quantum Spark Appliances

Check Point has advised that a Security Gateway is vulnerable if one of the following configuration is applied:

• If the “IPSec VPN” blade has been enabled and the Security Gateway device is part of the “Remote Access” VPN community.
• If the “Mobile Access” blade has been enabled.

Check Point has released hotfixes for Quantum Security Gateway, Quantum Maestro, Quantum Scalable Chassis, and Quantum Spark Appliances. We advise customers to refer to the Check Point advisory for the most current information on affected versions and hotfixes.

The vendor supplied hotfixes should be applied immediately. Rapid7 strongly recommends that Check Point Security Gateway customers examine their environments for signs of compromise and reset local account credentials in addition to applying vendor-provided fixes.

Check Point notes that exploit attempts their team has observed “focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” The company recommends that customers check for local account usage, disable any unused local accounts, and add certificate-based authentication rather than password-only authentication. More information and recommendations on user and client authentication for remote access is available here.

IOCs

No reliable method of identifying arbitrary file read exploitation was identified. However, successful web administration panel and SSH logins will be logged in /var/log/messages, /var/log/audit/audit.log, and /var/log/auth.

Contents of /var/log/audit/audit.log after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
type=USER_AUTH msg=audit(1717085193.706:656): pid=65484 uid=99 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="admin" exe="/usr/sbin/httpauth" hostname=192.168.181.1 addr=192.168.181.1 terminal=? res=success'

Contents of /var/log/messages after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:30:25 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin

Contents of /var/log/auth after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:30:31 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin

Contents of /var/log/messages after SSH login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: admin localhost t +volatile:clish:admin:66699 t
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: User admin logged in with ReadWrite permission

Contents of /var/log/secure after SSH login as the user ‘admin’ from ‘192.168.181.1’ with local PAM authentication:
May 30 08:30:31 2024 gw-6f7361 sshd[66690]: Accepted password for admin from 192.168.181.1 port 62487 ssh2

Rapid7 Customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-24919 with an unauthenticated vulnerability check shipping in today’s (Thursday, May 30) content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this vulnerability:

• Suspicious Web Server Request – Successful Path Traversal Attack
• Suspicious Web Request – Possible Check Point VPN (CVE-2024-24919) Exploitation

Updates

May 30, 2024: Added IOC section. CVE-2024-24919 has been added to the U.S. Cybersecurity and Infrastructure Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list on May 30, 2024.