WARNING: ACTIVELY EXPLOITED VULNERABILITY IN CHECK POINT QUANTUM SECURITY GATEWAY, PATCH IMMEDIATELY!
CVE-2024-24919: CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Sources
Check Point advisory: https://support.checkpoint.com/results/sk/sk182336
Check Point FAQ: https://support.checkpoint.com/results/sk/sk182337
Check Point blog post: https://blog.checkpoint.com/security/enhance-your-vpn-security-posture
Risks
Check Point identified a vulnerability exposing sensitive information to an unauthorised user. This vulnerability allows an attacker to gain access to the credentials of local accounts on the VPN device.
The vendor recommends against using local accounts. Use AD, LDAP, or RADIUS authentication instead.
The Centre for Cybersecurity Belgium (CCB) recommends system administrators patch vulnerable systems as soon as possible. Also follow the additional recommendations of the vendor. Analyse system and network logs for any suspicious activity. This report has instructions to help your organisation.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
Description
Check Point observed attempts to log on internet-facing security gateways “using old VPN local-accounts relying on an unrecommended password-only authentication method.” The exploitation focuses on devices configured with local accounts using password-only authentication.
When identifying the root cause, Check Point found a vulnerability potentially allowing an attacker to read certain information on Check Point Security Gateways that are connected to the internet and have the Remote Access VPN or Mobile Access Software Blades enabled. A security fix that mitigates this vulnerability is available.
A detailed breakdown of the vulnerability is available in the WatchTowr report linked below. Due to the risks involved and the ease of exploitation of this vulnerability, the Centre for Cybersecurity Belgium strongly recommends patching affected devices as soon as possible.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable software with the highest priority, after thorough testing.
The latest version of the involved product can be found on their website: https://support.checkpoint.com/results/sk/sk182336
Additional measures
The CCB strongly recommends following the ‘important extra measures’ proposed by Check Point:
1. Change the password of the LDAP Account Unit
2. Reset password of local accounts connecting to VPN with password authentication
3. Prevent Local Accounts from connecting to VPN with Password Authentication
4. Renew Security Gateway's Inbound SSL Inspection server certificates
5. Renew Security Gateway's Outbound SSL Inspection CA certificate
6. Reset Gaia OS passwords for all local users
Monitor/Detect
The CCB recommends organisations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
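As an added example that is not part of the CCB advisory or Check Point's tooling, the script below shows how the log review recommended above and extra measures 2 and 3 can be supported: it scans VPN authentication events for local accounts that authenticated with password only and summarises, per account, how many attempts succeeded and which source addresses outside the assumed trusted ranges were involved. The log format (one JSON object per event with the fields shown) and the sample records are constructed for this example; Check Point's own log fields differ and must be mapped onto these names before use.

```python
import ipaddress
import json

# Constructed sample records (not Check Point's log format): one JSON object per
# VPN authentication event, carrying only the fields the check needs.
SAMPLE_LOG = """
{"ts": "2024-05-28T07:12:03Z", "user": "vpn-legacy", "auth_method": "password", "account_type": "local", "src": "203.0.113.5", "result": "success"}
{"ts": "2024-05-28T07:12:40Z", "user": "alice", "auth_method": "certificate", "account_type": "ad", "src": "198.51.100.9", "result": "success"}
{"ts": "2024-05-28T07:13:11Z", "user": "backup-admin", "auth_method": "password", "account_type": "local", "src": "10.0.0.7", "result": "failure"}
{"ts": "2024-05-28T07:15:55Z", "user": "vpn-legacy", "auth_method": "password", "account_type": "local", "src": "203.0.113.5", "result": "success"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_password_only_local_logins(events, trusted_networks=("10.0.0.0/8",)):
    """Summarise, per local account, VPN authentications that used password only.

    trusted_networks is an assumed list of internal ranges; any other source is
    reported as external so the analyst can prioritise those accounts.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = {}
    for ev in events:
        if ev.get("account_type") != "local" or ev.get("auth_method") != "password":
            continue  # AD/LDAP/RADIUS or certificate-based logins are not in scope
        src = ipaddress.ip_address(ev["src"])
        entry = findings.setdefault(
            ev["user"], {"attempts": 0, "successes": 0, "external_sources": set()}
        )
        entry["attempts"] += 1
        if ev.get("result") == "success":
            entry["successes"] += 1
        if not any(src in net for net in trusted):
            entry["external_sources"].add(ev["src"])
    return findings


def accounts_to_reset(findings):
    """Accounts whose password must be reset and which should lose password-only VPN access."""
    return sorted(findings)


if __name__ == "__main__":
    summary = find_password_only_local_logins(parse_events(SAMPLE_LOG))
    for user, info in summary.items():
        print(user, info["attempts"], info["successes"], sorted(info["external_sources"]))
    print("reset and block password-only VPN access for:", accounts_to_reset(summary))
```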
References
Watchtowr: https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/