
PoC Published for Exploited Check Point VPN Vulnerability

PoC code targeting a recent Check Point VPN zero-day has been released as Censys identifies roughly 14,000 internet-accessible appliances. This article first appeared on SecurityWeek.

Proof-of-concept (PoC) code has been released for an actively exploited zero-day vulnerability affecting multiple Check Point Security Gateway iterations.

Disclosed on May 27 and tracked as CVE-2024-24919 (CVSS score of 8.6), the flaw is an arbitrary file read affecting gateways that have the IPSec VPN or Mobile Access blades enabled.

According to Check Point, its CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security gateways, and Quantum Spark appliances are impacted.

“Exploiting this vulnerability can result in accessing sensitive information on the Security Gateway. This, in certain scenarios, can potentially lead the attacker to move laterally and gain domain admin privileges,” Check Point explains in an advisory.

The vulnerability can be exploited over the network without privileges and does not require user interaction, the company notes. If the VPN component is enabled on the gateway, no special conditions are required for successful exploitation.

The company has released hotfixes for the bug, urging customers to install them as an initial mitigation and to implement the additional protection measures described in its advisory, including resetting Gaia OS passwords for all local users and preventing password-only authentication.

As of May 31, Censys observed more than 13,800 Check Point Security Gateways accessible from the internet, but pointed out that not all of them might be vulnerable to CVE-2024-24919. PoC code targeting the flaw was made publicly available on May 30.

“This vulnerability could allow an unauthenticated remote attacker to read local files from the affected Security Gateway, including any exposed sensitive files such as password data, SSH keys, or other credentials,” Censys notes.
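The article gives no technical detail on the exploit itself, and the vendor's published IoCs are the authoritative way to hunt for it. What follows is an added example, not code from the article, from Check Point, or from Censys: a generic triage script, run over constructed web-access-log lines, that flags requests whose decoded target contains a path-traversal sequence or names one of the credential files Censys lists (password data, SSH keys). The log format, the sample IP addresses and paths, and the list of sensitive filenames are all assumptions made for the example; none of them describe how CVE-2024-24919 is actually triggered.

```python
import re
from urllib.parse import unquote

# Filenames an arbitrary-file-read attacker typically goes for (example list, not vendor IoCs)
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/", "id_rsa", "authorized_keys")

# Common-log-format request line: src, timestamp, method, target, status, size (assumed format)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines for the demo; the addresses are documentation ranges
SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2024:10:12:01 +0000] "GET /favicon.ico HTTP/1.1" 200 1150',
    '203.0.113.7 - - [30/May/2024:10:12:02 +0000] "POST /foo/../../../etc/passwd HTTP/1.1" 200 2310',
    '198.51.100.9 - - [30/May/2024:10:13:45 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0',
    '198.51.100.9 - - [30/May/2024:10:13:50 +0000] "GET /static/%252e%252e/%252e%252e/root/.ssh/id_rsa HTTP/1.1" 200 1675',
    '192.0.2.4 - - [30/May/2024:10:14:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]


def decode_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats double encoding) and fold backslashes to slashes."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def classify(target: str):
    """Return (is_suspicious, decoded_target) for one request target."""
    decoded = decode_target(target)
    traversal = "../" in decoded
    sensitive = any(marker in decoded for marker in SENSITIVE_PATHS)
    return traversal or sensitive, decoded


def scan(lines):
    """Parse each log line and collect requests that look like file-read attempts."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        suspicious, decoded = classify(match["target"])
        if not suspicious:
            continue
        findings.append({
            "src": match["src"],
            "ts": match["ts"],
            "method": match["method"],
            "decoded_target": decoded,
            "status": match["status"],
            # A 2xx on a traversal request is the case worth escalating: the read may have succeeded
            "likely_success": match["status"].startswith("2"),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two caveats a practitioner should keep in mind: the script only inspects the request line, so an exploit that carries its payload in the request body would not be visible in a standard access log at all, and a clean result here says nothing about whether the hotfix is installed. Treat it as a quick first pass over exported logs, then follow the vendor's IoCs and mitigation guidance.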

According to Check Point, while an initial assessment suggested that the zero-day might have been exploited for a month, further investigation revealed that the first exploitation attempts began roughly two months ago, on April 7.

Given the ongoing attacks, the triviality of exploitation, and the fact that multiple discontinued versions of Check Point’s gateways are vulnerable, organizations are advised to apply the recommended mitigations as soon as possible.

Check Point, which has provided indicators of compromise (IoCs) to help customers identify attack attempts, notes that instances with auto updates enabled should have already received the preventive measures.
