On 28 May 2024, Check Point warned of a critical vulnerability (CVE-2024-24919 [4]) affecting Check Point CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances. The vulnerability allows an unauthenticated threat actor to read arbitrary files on the Check Point appliance, which potentially includes password hashes, SSL certificates or device configurations. The vulnerability has been actively exploited since at least 7 April 2024 [1].
 
We recommend investigating whether a vulnerable version of Check Point is in use in your environment (e.g. by using the Check Point script mentioned at [1]), and taking immediate action by updating the device to the latest software version. Additionally, consider all data stored on that appliance as compromised and act accordingly (see the section "What should you do?").
 

Description

The vulnerability is tracked as CVE-2024-24919 and allows an unauthenticated threat actor to perform arbitrary file reads, potentially compromising password hashes, SSL certificates, or device configurations.
To exploit the vulnerability, the Check Point appliance must have the IPsec VPN, Remote Access VPN, or Mobile Access blade enabled.
 

Impact

We determine the impact of this vulnerability to be HIGH. Using this vulnerability, the threat actor is able to read any file that is stored on the appliance [3], which can include:
  • Password hashes
  • SSL Certificates (also certificates and private keys used for HTTPS Interception)
  • Device configuration
Public sources report full compromise of a Windows domain shortly after exploitation of this Check Point vulnerability [3].
 
Check Point specifically warns about local VPN users that do not have MFA enabled; a break-the-glass account is a typical example of such a user. Even if you do not use local VPN accounts, the impact can be significant: the service account that the appliance uses to connect to LDAP servers such as Active Directory can be compromised using this attack, which has severe consequences if that account has elevated privileges.
 

Risk

We estimate the risk of this vulnerability as HIGH, as the vulnerability is currently being actively exploited [1][3]. The primary risks associated with this vulnerability are privilege escalation, unauthorised access to your environment, and sensitive data exfiltration.
As of May 30, 2024, the CVSS score is 8.6 (High) [4].
 

Mitigation

If your appliance uses a vulnerable configuration (IPsec VPN, Remote Access VPN, or Mobile Access blade enabled), install the mandatory Security Hotfix found on the Check Point website [1].
 

What should you do?

Assess whether you have a Check Point device in your environment that has one of the blades called IPsec VPN, Remote Access VPN or Mobile Access enabled.
Check Point and MNEMONIC suggest the following mitigation steps (see [1] and [3] for details on some of these steps):
  • Immediately update the affected systems to the patched version
  • Remove any local users on the gateway
  • Rotate passwords / accounts for LDAP connections from the gateway to Active Directory
  • Renew the server certificates for inbound HTTPS inspection on the gateway
  • Renew the certificate for outbound HTTPS inspection on the security gateway
  • Reset Gaia OS passwords for all local users
  • Regenerate the SSH local user certificate on the security gateway
  • Do post-patch searches in logs for signs of compromise, anomalous behaviour or suspicious logins. For instructions, see the Frequently Asked Question "If I suspect unauthorized access attempts, what should I do?" on the Check Point page [1].
Additionally, Northwave advises to:
  • Reset the service account used by the appliance to connect to LDAP services such as Active Directory
  • If you use SSL inspection, revoke the certificate used for it, and remove that certificate from the trust store of all hosts in your environment
  • Check the service account used by the appliance to connect to LDAP services such as Active Directory for suspicious usage
If the post-patch searches in logs return any signs of compromise, you can call the Northwave CERT at 00800 1744 0000 for further support.
 

What will Northwave do?

For customers with Managed Detection & Response (MDR) based on Microsoft Sentinel, Northwave will continuously check for known indicators of compromise [1][2].
Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. 
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
 
E-mail: soc@northwave.nl
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000

Disclaimer applies, see below.

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.