WARNING: ACTIVELY EXPLOITED VULNERABILITY IN CHECK POINT QUANTUM SECURITY GATEWAY, PATCH IMMEDIATELY!

Reference: Advisory #2024-078
Version: 1.0
Affected software:
Check Point Quantum Security Gateway
Check Point Quantum Maestro
Check Point Quantum Scalable Chassis
Check Point Quantum Spark Appliances
Check Point CloudGuard Network
Type: Exposure of sensitive information to an unauthorized actor
CVE/CVSS: CVE-2024-24919: CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Sources

Check Point advisory: https://support.checkpoint.com/results/sk/sk182336

Check Point FAQ: https://support.checkpoint.com/results/sk/sk182337

Check Point blog post: https://blog.checkpoint.com/security/enhance-your-vpn-security-posture

Risks

Check Point identified a vulnerability exposing sensitive information to an unauthorised user. This vulnerability allows an attacker to gain access to the credentials of local accounts on the VPN device.

The vendor recommends against using local accounts. Use AD, LDAP, or RADIUS authentication instead.

The Centre for Cybersecurity Belgium (CCB) recommends system administrators patch vulnerable systems as soon as possible. Also follow the additional recommendations of the vendor. Analyse system and network logs for any suspicious activity. This report has instructions to help your organisation.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Description

Check Point observed attempts to log on internet-facing security gateways “using old VPN local-accounts relying on an unrecommended password-only authentication method.” The exploitation focuses on devices configured with local accounts using password-only authentication.

When identifying the root cause, Check Point found a vulnerability potentially allowing an attacker to read certain information on internet-connected Check Point Security Gateways that have the Remote Access VPN or Mobile Access Software Blades enabled. A security fix that mitigates this vulnerability is available.

A detailed breakdown of the vulnerability is available in the watchTowr report linked below. Due to the risks involved and the ease of exploitation of this vulnerability, the Centre for Cybersecurity Belgium strongly recommends patching affected devices as soon as possible.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable software with the highest priority, after thorough testing.

The latest version of the involved product can be found on their website: https://support.checkpoint.com/results/sk/sk182336

Additional measures
The CCB strongly recommends following the ‘important extra measures’ proposed by Check Point:

1. Change the password of the LDAP Account Unit
2. Reset password of local accounts connecting to VPN with password authentication
3. Prevent Local Accounts from connecting to VPN with Password Authentication
4. Renew Security Gateway's Inbound SSL Inspection server certificates
5. Renew Security Gateway's Outbound SSL Inspection CA certificate
6. Reset Gaia OS passwords for all local users

Monitor/Detect
The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
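The advisory asks administrators to review logs for suspicious activity and, in steps 2 and 3 above, to reset local VPN accounts and stop them from authenticating with a password alone. The script below is an added example written for this advisory; it is not CCB or Check Point tooling and it does not use any real Check Point log schema. It parses a constructed, whitespace-separated authentication record format (timestamp, user, realm, method, source address, outcome; all values are invented) and answers three defender questions: which accounts still use local password-only authentication and therefore need resetting, which sources show bursts of failed logons, and which local password logons succeeded from a source that had already failed repeatedly. The last check is the one that matters for historic compromise, since patching alone does not reveal it.

```python
"""Audit of VPN authentication records for local, password-only logons.

Added example for the CCB advisory on CVE-2024-24919. The record layout
is constructed for illustration and is NOT a Check Point log format:
    <ISO-8601 time> <user> <realm> <method> <source ip> <success|failure>
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records: hypothetical users and documentation-range
# addresses. One source fails against five local accounts, then succeeds.
RAW_EVENTS = """
2024-05-28T09:00:05Z bob ldap certificate 203.0.113.10 success
2024-05-28T09:01:12Z alice local password 198.51.100.7 failure
2024-05-28T09:01:20Z alice local password 198.51.100.7 failure
2024-05-28T09:01:31Z admin local password 198.51.100.7 failure
2024-05-28T09:01:40Z vpnuser local password 198.51.100.7 failure
2024-05-28T09:01:49Z svc-backup local password 198.51.100.7 failure
2024-05-28T09:02:03Z vpnuser local password 198.51.100.7 success
2024-05-28T10:15:00Z carol radius password 203.0.113.22 success
2024-05-28T11:40:00Z dave local password 192.0.2.9 success
"""


@dataclass(frozen=True)
class AuthEvent:
    time: datetime
    user: str
    realm: str      # "local" means the gateway's own user store (constructed value)
    method: str     # "password" or "certificate" (constructed value)
    src_ip: str
    success: bool


def parse_events(text: str) -> list[AuthEvent]:
    """Parse the constructed record format; blank lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed record: ignore rather than crash the audit
        ts, user, realm, method, src_ip, outcome = fields
        events.append(AuthEvent(
            time=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user=user,
            realm=realm,
            method=method,
            src_ip=src_ip,
            success=(outcome == "success"),
        ))
    return events


def local_password_accounts(events: list[AuthEvent]) -> set[str]:
    """Accounts seen authenticating against the local store with a password
    only. These are the accounts steps 2 and 3 of the advisory apply to."""
    return {e.user for e in events
            if e.realm == "local" and e.method == "password"}


def failure_bursts(events: list[AuthEvent], threshold: int = 5) -> dict[str, int]:
    """Source addresses with at least `threshold` failed logons."""
    failures = Counter(e.src_ip for e in events if not e.success)
    return {ip: n for ip, n in failures.items() if n >= threshold}


def suspicious_successes(events: list[AuthEvent],
                         threshold: int = 3) -> list[tuple[str, str]]:
    """Local password logons that succeeded from a source which had already
    failed at least `threshold` times earlier in the record stream."""
    prior_failures: Counter = Counter()
    flagged = []
    for e in sorted(events, key=lambda ev: ev.time):
        if not e.success:
            prior_failures[e.src_ip] += 1
        elif (e.realm == "local" and e.method == "password"
              and prior_failures[e.src_ip] >= threshold):
            flagged.append((e.user, e.src_ip))
    return flagged


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    print("Local password-only accounts to reset:", sorted(local_password_accounts(evs)))
    print("Sources with failure bursts:", failure_bursts(evs))
    print("Successful local logons after repeated failures:", suspicious_successes(evs))
```

Run against real exports, the first function gives the list of accounts to reset and migrate to AD, LDAP or RADIUS; the third is the one to triage first, because a local password logon that follows a string of failures from the same source is the pattern the advisory describes and it predates any patch you apply now.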

References

watchTowr: https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/

Mnemonic: https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-vpn-vulnerability-cve-2024-24919/