CVE-2024-24919: Check Point Security Gateways Zero-Day Vulnerability Explained

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

On May 28th, 2024, Check Point disclosed an arbitrary file read vulnerability affecting Check Point Security Gateways [1]. CVE-2024-24919 has a CVSS score of 8.6 (High) and allows adversaries to read sensitive files from vulnerable products with root privileges. If the certificate authentication is not enabled, adversaries may exploit CVE-2024-24919 for unauthenticated remote code execution. 

In this blog, we explained how the Check Point CVE-2024-24919 vulnerability works and how organizations can defend against CVE-2024-24919 attacks.

Check Point CVE-2024-24919 Vulnerability Explained

Check Point Security Gateways are used by organizations worldwide as a security barrier against various types of threats and unauthorized access to networked systems. On May 27th, 2024, Check Point saw a significant volume of malicious traffic targeting VPN devices. CVE-2024-24919 is a high-severity zero-day vulnerability affecting Check Point Security Gateways with remote Access VPN or Mobile Access Software Blades enabled. The vulnerability has a CVSS score of 8.6 (High) and can be exploited for arbitrary file read with a possibility of unauthenticated remote code execution. Due to ease of exploitability, organizations are advised to apply hot fixes to their vulnerable Check Point Security Gateway products.

Product Name

Affected Versions

Fixed Versions

Quantum Security Gateway

R77.20 (EOL)

R77.30 (EOL)

R80.10 (EOL)

R80.20 (EOL)

R80.20.x

R80.20SP (EOL)

R80.30 (EOL)

R80.30SP (EOL)

R80.40 (EOL)

R81

R81.10

R81.10.x

R81.20

R81.20

R81.10

R81

R80.40

CloudGuard Network Security

R81.20

R81.10

R81

R80.40

Quantum Maestro

R81.20

R81.10

R80.40

R80.30SP

R80.20SP

Quantum Scalable Chassis

R81.20

R81.10

R80.40

R80.30SP

R80.20SP

Quantum Spark Gateways

R81.10.x

R80.20.x

R77.20.x

How Check Point CVE-2024-24919 Exploit Works?

Check Point CVE-2024-24919 is an arbitrary file read vulnerability (CWE-200) that allows attackers to access and read sensitive files via path traversal. On its own, an arbitrary file read vulnerability would have a high severity score. However, CVE-2024-24919 allows attackers to access files with root privileges, increasing the severity. Adversaries can access critical files such as  "passwd" and "shadow" and harvest user credentials. If any multi-factor authentication is in place, attackers use harvested credentials for remote code execution.

The example HTTP POST request below exploits the CVE-2024-24919 vulnerability. 

POST /clients/MyCRL

Host: <vulnerable_CheckPoint_Security_Gateway>

Content-Length: 39 


aCSHELL/../../../../../../etc/passwd

How Picus Helps Simulate Check Point CVE-2024-24919 Attacks?

We also strongly suggest simulating the Check Point CVE-2024-24919 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Check Point CVE-2024-24919 vulnerability exploitation attacks:

Threat ID

Threat Name

Attack Module

27524

Check Point Web Attack Campaign

Web Application

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Check Point CVE-2024-24919 vulnerability in preventive security controls. Currently, Picus Labs validated the following signatures for Check Point CVE-2024-24919 vulnerability:

Security Control

Signature ID

Signature Name

Check Point NGFW

asm_dynamic_prop_CVE_2024_24919


Check Point VPN Information Disclosure (CVE-2024-24919)

F5 BIG-IP

200101550

Directory Traversal attempt (Content)

F5 BIG-IP

200000190

Directory Traversal attempt "../../" (Parameter)

F5 BIG-IP

200003054

Directory Traversal attempt (../etc/) (Parameter)

F5 BIG-IP

200010168

"/etc/shadow" access (Parameter)

Forcepoint NGFW

 

HTTP_CS-Check-Point-Security-Gateway-Information-Disclosure-CVE-2024-24919

FortiWeb

050180007

Generic Attacks

FortiWeb

060070002

Generic Attacks(Extended)

Imperva SecureSphere

 

Directory Traversal - 1

Imperva SecureSphere

 

Directory Traversal - 3

Imperva SecureSphere

 

Directory Traversal - 555501307

Imperva SecureSphere

 

Directory Traversal - 6

Imperva SecureSphere

 

Directory Traversal - 8

Imperva SecureSphere

 

Directory Traversal (In Cookies/Parameters Value)

Snort

1.2053031.1

ET WEB_SPECIFIC_APPS Checkpoint Quantum Security Gateway Arbitrary File Read Attempt (CVE-2024-24919)

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof the Picus Complete Security Validation Platform.

References

[1] "Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure." Available: https://support.checkpoint.com/results/sk/sk182336