Alright, let's cut the crap. If you're running internet-facing Check Point Quantum Security Gateways, CloudGuard Network, Quantum Maestro, or Quantum Scalable Chassis, listen up. A critical information disclosure vulnerability, CVE-2024-24919, has been found and actively exploited in the wild. This isn't just some theoretical bug; threat actors are using it right now to pull sensitive data off your network, including password hashes. Think of it like someone found a hidden `/admin/download_config` endpoint you forgot to secure, and now they're just pulling your `.env` file and `id_rsa` keys.
The Leak: What Happened?
Check Point published an urgent security advisory on May 27, 2024, detailing a zero-day vulnerability in their VPN products. Specifically, it affects installations with the Identity Awareness or Mobile Access blades enabled. This bug allows an attacker to read arbitrary files from a Security Gateway that is exposed to the internet, even without authentication.
Arbitrary file read might sound benign to the uninitiated. "So what, they can read `/etc/passwd`?" you might ask. No, my friend, it's far worse. They're not just reading public system files; they're pulling files that contain user credentials, authentication information, and potentially other sensitive configuration data. This is how you go from an unauthenticated request to having the keys to the castle.
How It Works: Technical Nitty-Gritty
The vulnerability, tracked as CVE-2024-24919, is an information disclosure bug. The technical details are still a bit cagey, but the impact is clear: unauthenticated attackers can construct a malicious request that allows them to read files from the gateway's file system. This isn't a SQL injection or a buffer overflow; it's a logical flaw in how the system handles requests related to certain services, specifically those tied to Identity Awareness and Mobile Access.
Once an attacker can read arbitrary files, the game changes entirely. They're not just sniffing traffic; they're pulling critical configuration files and hashes. Think about what's stored on a VPN gateway:
- User credentials (local or synchronized)
- VPN certificates and keys
- Configuration files with sensitive parameters
- Logs that might contain further juicy bits
The primary target observed in active exploitation? Hashed passwords. This capability maps directly to MITRE ATT&CK techniques like T1552.001 (Unsecured Credentials: Credentials in Files) and potentially T1003.003 (OS Credential Dumping: SAM) if they can access equivalent local credential stores. They're essentially doing a targeted, remote `cat /path/to/sensitive/file` on your firewall.
```bash
# Imaginary exploit scenario (illustrative only, not the real request):
curl -k "https://your-checkpoint-vpn/vpn/portal/backdoor_api?file=../../../../etc/shadow"
```
While the actual exploit might be more complex than a simple path traversal, the outcome is the same: unauthorized access to data that should be locked down tighter than a submarine hatch. This is a classic "read what you shouldn't" scenario, a developer's nightmare.
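To make the "read what you shouldn't" pattern concrete, here is an added example that is not code from the original post and not Check Point's code (the real mechanism behind CVE-2024-24919 is not described here). It shows a generic file-serving handler of the kind the imaginary curl above would abuse, beside a hardened version that resolves the requested path and refuses anything outside the document root. The scratch directory, file names and `file_param` name are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Constructed scratch tree, so the demo runs offline without touching real files.
BASE = Path(tempfile.mkdtemp(prefix="cp_demo_"))
ROOT = BASE / "webroot"      # hypothetical portal document root (assumption)
SECRET = BASE / "shadow"     # stands in for /etc/shadow; lives OUTSIDE the root


def setup_demo_tree() -> None:
    """Create one public file inside ROOT and one sensitive file outside it."""
    (ROOT / "portal").mkdir(parents=True, exist_ok=True)
    (ROOT / "portal" / "index.html").write_text("<h1>VPN portal</h1>")
    SECRET.write_text("root:$6$constructed-not-a-real-hash\n")


def read_file_vulnerable(file_param: str) -> str:
    """Vulnerable pattern: the request parameter is joined onto the root with no
    normalisation and no containment check, so '../' segments walk out of ROOT
    and an absolute path replaces ROOT entirely."""
    path = os.path.join(ROOT, file_param)
    with open(path) as f:
        return f.read()


def read_file_hardened(file_param: str) -> str:
    """Hardened pattern: reject absolute paths, resolve the candidate (following
    symlinks), and refuse anything whose real location is outside ROOT."""
    if os.path.isabs(file_param):
        raise PermissionError("absolute paths are not allowed")
    root = str(ROOT.resolve())
    target = (ROOT / file_param).resolve()
    # commonpath is prefix-safe: 'webroot2' is not mistaken for 'webroot/'.
    if os.path.commonpath([root, str(target)]) != root:
        raise PermissionError(f"path escapes document root: {file_param!r}")
    if not target.is_file():
        raise FileNotFoundError(file_param)
    return target.read_text()


def is_blocked(file_param: str) -> bool:
    """True if the hardened reader refuses the request (used for checks)."""
    try:
        read_file_hardened(file_param)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    setup_demo_tree()
    print("vulnerable, '../shadow' ->", read_file_vulnerable("../shadow").strip())
    print("hardened,   '../shadow' -> blocked:", is_blocked("../shadow"))
    print("hardened,   'portal/index.html' ->", read_file_hardened("portal/index.html"))
```

The design point is that string checks on the raw parameter (stripping `../`, blocklisting `/etc`) are easy to get wrong; resolving the final path and comparing it against the resolved root is the check that holds up regardless of how the traversal is encoded.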
The Threat: Active Exploitation
This isn't a theoretical exercise for a CTF. Check Point has confirmed active exploitation in the wild, with attacks observed as early as April 2024. The attackers are reported to be well-resourced, likely state-sponsored groups, targeting government agencies and critical infrastructure. They're not messing around.
"This is a targeted campaign aimed at gaining persistent access to organizations' networks, collecting credentials, and moving laterally," Check Point stated. "The sophistication and coordination point to a well-funded adversary."
What does this mean for you? If your Check Point gateways were exposed and unpatched between April and late May, there's a non-trivial chance you've already been compromised. Attackers leveraging this vulnerability could have already established persistence, exfiltrated data (T1041: Exfiltration Over C2 Channel), and set up shop within your network, waiting for the opportune moment to strike deeper.
Patch Now, Seriously.
Check Point has released hotfixes for affected versions. This isn't a "get to it next sprint" kind of thing; this is a "patch it before you finish your coffee" urgency. The hotfixes are available for various versions:
- Quantum Security Gateway and CloudGuard Network: R81.20, R81.10, R81, R80.40
- Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40
If you're running older versions, it's time to upgrade or seriously reconsider your security posture. This isn't just about applying a patch; it's about understanding the implications of a widely used security product having such a fundamental flaw.
Beyond the immediate patch, Check Point also recommends installing a specific IPS protection: "Check Point IPS protection 'Check Point VPN Information Disclosure'". This is a temporary measure, not a substitute for the hotfix, but it shows the critical nature of the vulnerability.
Actionable Takeaways
- Patch IMMEDIATELY: Seriously, stop reading this and apply the hotfixes for CVE-2024-24919 if you haven't already. Verify installation and reboot if necessary.
- Assume Compromise: If your gateways were internet-facing and unpatched during April-May, operate under the assumption that you've been breached.
- Audit Logs for Suspicious Activity: Look for unusual file access patterns, new user accounts, unusual VPN connections, or outbound connections from your gateways that aren't typical. Specifically, Check Point suggests looking for log entries indicating `VPN_Packet_Drop` for connections to the `/sslvpn/portal/` URI.
- Reset Credentials: Force a password reset for all users who authenticate through the affected VPN, especially if you suspect credential compromise. Enable and enforce Multi-Factor Authentication (MFA) everywhere, for everyone.
- Network Segmentation & Zero Trust: Use this as a stark reminder that even your perimeter devices aren't infallible. Segment your networks aggressively. Apply Zero Trust principles: verify everything, assume nothing is trusted by default, even internally.
- Regular Vulnerability Scans & Penetration Testing: Don't just rely on vendor advisories. Regularly scan your external-facing infrastructure for vulnerabilities and conduct penetration tests to catch blind spots.
- Review Public-Facing Services: If you don't need Identity Awareness or Mobile Access blades exposed to the internet, disable them or restrict access. Minimize your attack surface.
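For the "Audit Logs" item above, here is an added example (not from the original post, and not a Check Point tool) that runs the suggested check over sample log lines: it flags entries carrying `VPN_Packet_Drop` against the `/sslvpn/portal/` URI and groups them by source address, so repeat offenders stand out. The `key="value"` line format and field names (`time`, `src`, `reason`, `uri`) are constructed for the demo and are not Check Point's real log schema; adapt `parse_line` to your export format.

```python
import re
from collections import defaultdict

# Constructed sample export. Addresses are documentation ranges; the hits from
# 203.0.113.7 are the pattern the advisory summary tells defenders to look for.
SAMPLE_LOGS = """\
time="2024-04-30T07:12:44Z" action="accept" src="192.0.2.10" uri="/sslvpn/portal/" user="alice"
time="2024-05-03T02:41:09Z" action="drop" reason="VPN_Packet_Drop" src="203.0.113.7" uri="/sslvpn/portal/"
time="2024-05-03T02:41:10Z" action="drop" reason="VPN_Packet_Drop" src="203.0.113.7" uri="/sslvpn/portal/"
time="2024-05-03T02:41:12Z" action="drop" reason="VPN_Packet_Drop" src="203.0.113.7" uri="/sslvpn/portal/"
time="2024-05-03T09:15:00Z" action="drop" reason="VPN_Packet_Drop" src="198.51.100.22" uri="/static/logo.png"
time="2024-05-04T11:00:31Z" action="accept" src="192.0.2.11" uri="/sslvpn/portal/" user="bob"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PORTAL_PREFIX = "/sslvpn/portal/"   # URI named in the advisory summary above
DROP_REASON = "VPN_Packet_Drop"     # log marker named in the advisory summary above


def parse_line(line: str) -> dict:
    """Parse one key="value" line (constructed format) into a dict."""
    return dict(KV_RE.findall(line))


def is_suspicious(entry: dict) -> bool:
    """True for a VPN_Packet_Drop whose URI is under /sslvpn/portal/."""
    return (entry.get("reason") == DROP_REASON
            and entry.get("uri", "").startswith(PORTAL_PREFIX))


def find_suspicious(log_text: str) -> dict:
    """Group suspicious entries by source address -> list of timestamps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if is_suspicious(entry):
            hits[entry.get("src", "?")].append(entry.get("time", "?"))
    return dict(hits)


def sources_over_threshold(hits: dict, min_hits: int = 3) -> list:
    """Sources with at least min_hits suspicious entries, sorted for stable output."""
    return sorted(src for src, times in hits.items() if len(times) >= min_hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOGS)
    for src, times in found.items():
        print(f"{src}: {len(times)} x {DROP_REASON} on {PORTAL_PREFIX}, first at {times[0]}")
    print("sources over threshold:", sources_over_threshold(found))
```

Treat any hit as a lead, not a verdict: a single drop can be noise, but a burst from one address in the April to late May window the post describes is exactly the sort of thing that should trigger the "assume compromise" and credential-reset steps.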
This incident is a prime example of why layered security, proactive patching, and a robust incident response plan aren't just buzzwords. They're the difference between a minor headache and a full-blown organizational crisis.
