CVE-2024-24919: Check Point Security Gateway Information Disclosure Zero-Day Exploited in the Wild

Amid warnings of threat actors targeting VPN devices, Check Point has identified a zero-day information disclosure vulnerability impacting Check Point Network Security gateways which has been exploited by malicious actors.

Background

On May 27, Check Point released a blog post with recommendations on security best practices. According to the original post, Check Point has been monitoring exploitation attempts in the wake of several attacks involving compromised VPN solutions from multiple vendors. During this monitoring, Check Point noticed “a small number of login attempts” that were utilizing local accounts with password-only authentication enabled. Check Point began actively engaging with customers that may have been impacted and released their blog with recommendations on improving VPN security.

On May 28, Check Point updated their blog post with a CVE (CVE-2024-24919) and explanation that the recently observed exploitation attempts were attributed to a previously unknown vulnerability and that immediate action is required to protect from this vulnerability.

Analysis

CVE-2024-24919 is an information disclosure vulnerability that can allow an attacker to access certain information on internet-connected Gateways which have been configured with IPSec VPN, remote access VPN or mobile access software blade. According to the advisory, Check Point has observed in-the-wild exploitation of this vulnerability and so far this exploit activity has been focused on devices configured with local accounts using password-only authentication.

Password-only authentication is not recommended as brute-force attacks could allow attackers to compromise accounts with weak passwords. According to Check Point, these local accounts should not be used when possible and protected by additional layers of authentication if they are in use. A hotfix has been made available to address this vulnerability. 

According to Check Point, CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark Appliances are impacted.

Proof of concept

On May 30, a public proof-of-concept (PoC) was published by security researchers.

Solution

As part of their May 28 update, Check Point released Solution ID sk182336 with information on how to apply the hotfix and what device versions are impacted. In addition, the article provides additional security recommendations and best practices including steps on verifying that the hotfix has been properly applied. The following tables reflect the hotfixes currently available:

Quantum Security Gateway R80.40, R81, R81.10 and R81.20

Quantum Maestro and Quantum Scalable Chassis R80.20SP and R80.30SP

Quantum Spark Appliances R77.20.81, R77.20.87, R80.20.60, R81.10.08 and R81.10.10

We recommend reviewing the advisory for updates on the hotfixes and recommended actions as the guidance may be frequently updated by Check Point.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-24919 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

• Check Point blog: Important Security Update – Stay Protected Against VPN Information Disclosure (CVE-2024-24919)
• Check Point Hotfix: Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure (Solution ID: sk182336)
• Check Point Support: How to install a Hotfix

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.