Check Point Alerts Users to Zero-Day Attacks on Their VPN Gateway Products

Check Point Zero Day Attack Alert

Check Point released a security alert on May 28, 2024, regarding CVE-2024-24919. This high-severity information disclosure vulnerability affects Check Point Security Gateway devices set up with the “IPSec VPN” or “Mobile Access” software blade.

Check Point is warning users about a zero-day vulnerability that threat actors have been exploiting in its Network Security gateway devices.

“The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled,” according to Check Point.

Synopsis

  • A zero-day arbitrary file read vulnerability, CVE-2024-24919, is actively being exploited in the wild on Check Point Security Gateways with the IPSec VPN or Mobile Access blades activated.
  • Under appropriate conditions, this vulnerability could allow an unauthenticated, remote attacker to access private information such as password hashes, allowing for lateral movement and even total network compromise.
  • The vulnerability should be addressed immediately by applying the hotfixes that Check Point has issued and rotating local account credentials.
  • This attack is concerning because Check Point is a popular provider of network appliances and VPNs, and the flaw requires neither user interaction nor privileges.

The issue “wasn’t too difficult to find, and was extremely easy to exploit once we’d located it,” according to watchTowr Labs.

Threat Intelligence

Check Point is aware of the existence and active exploitation of a CVE-2024-24919 exploit in the wild. Furthermore, according to the cybersecurity firm Mnemonic, threat actors have gone on to obtain NTDS.dit, the Active Directory database that stores account password hashes on a Domain Controller, from affected clients roughly two to three hours after logging in with a local user.

Affected Assets

The following Check Point products that have the Mobile Access Software Blades or Remote Access VPN activated are vulnerable:

  • Quantum Security Gateway and CloudGuard Network Security prior to R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis prior to R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways prior to R81.10.x, R80.20.x, R77.20.x

Consequences

Because of this vulnerability, a remote attacker without authentication could read local files from the affected Security Gateway, including sensitive files that might contain password information, SSH keys, or other credentials.

Under the right conditions, this might result in credential theft, lateral network movement, and even total system compromise. In the wild, it has already been exploited to retrieve Active Directory credentials.

Targeting VPN equipment is merely the most recent wave of attacks aimed at network perimeter applications; Barracuda Networks, Cisco, Fortinet, Ivanti, Palo Alto Networks, and VMware devices have all been the target of similar intrusions.

Identification of Exploitation Attempts Since April 30, 2024

In an advisory, the cybersecurity firm Mnemonic said that since April 30, 2024, it has been aware of exploitation efforts utilizing CVE-2024-24919 aimed at client environments.

“The vulnerability is considered critical because it allows unauthorised actors to extract information from gateways connected to the internet,” the firm said.

“The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory.”

“However, it is known that password hashes, including service accounts required to connect to Active Directory, can be recovered from legacy local users using password-only authentication. Weak passwords may be exploited, which could result in additional abuse and network lateral movement.”

Because it requires neither user interaction nor privileges, the Norwegian company went on to classify the flaw as significant and easy to exploit.

According to information currently available, the vulnerability has also been used as a weapon to extract Active Directory data (NTDS.dit) from the network two to three hours after a local user logs in.

This has allowed unknown actors to move laterally within the network and use Visual Studio (VS) Code’s remote development extensions to tunnel network traffic to avoid detection.

According to Mnemonic, “the threat actor used approximately three hours to execute their attack chain,” and the technique has been utilized in a “cyber espionage context.”

Fix Availability

To fix this issue, Check Point has released the following security updates:

  • CloudGuard Network Security and Quantum Security Gateway: R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x

It is highly advised that you search your networks for the affected products and implement the necessary upgrades using the procedures described in the vendor advisory.

It should be noted that this vulnerability only affects gateways that have the Mobile Access Software Blades or the Remote Access VPN enabled, according to Check Point.

CVE-2024-24919 Impacts Numerous Devices Connected to the Internet

According to attack surface management company Censys, as of May 31, 2024, 13,802 internet hosts were found to be exposing a CloudGuard Network, Quantum Security Gateway, or Quantum Spark Gateway instance.


CVE-2024-24919 was originally described as an information disclosure vulnerability. However, watchTowr Labs has since determined that it is a path traversal bug that allows breaking out of the current directory (“CSHELL/”) and accessing arbitrary files, including sensitive ones such as “/etc/shadow.”
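As an added illustration of the defender's side of the path traversal described above (example code, not Check Point's or watchTowr's), the following scans constructed access-log lines for requests whose URL-decoded path resolves outside the CSHELL/ directory, catching plain, single- and double-URL-encoded forms; the log format, URL layout and IP addresses are assumptions.

```python
# Added example, not Check Point's or watchTowr's code. The article describes
# CVE-2024-24919 as a path traversal out of "CSHELL/" to files such as /etc/shadow;
# this scans access logs for requests resolving outside that root. Log format,
# URL layout and IP addresses are constructed for illustration.
import posixpath
import re
from urllib.parse import unquote

SERVED_ROOT = "CSHELL/"
SENSITIVE = ("etc/shadow", "etc/passwd", ".ssh/")  # impact named by the article
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3}')


def canonicalize(raw: str) -> str:
    """URL-decode until stable (defeats double encoding) and unify slashes."""
    decoded = raw
    for _ in range(3):  # bounded: stop once decoding reaches a fixed point
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def resolve_outside_root(user_part: str, root: str = SERVED_ROOT):
    """Path the server would open if it lies outside `root`, else None."""
    root_norm = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root, user_part))
    return None if resolved == root_norm or resolved.startswith(root_norm + "/") else resolved


def scan_log(lines):
    """One alert dict per request whose user-controlled tail escapes SERVED_ROOT."""
    alerts = []
    for m in filter(None, map(LOG_RE.match, lines)):
        target = canonicalize(m["target"])
        idx = target.find(SERVED_ROOT)
        if idx == -1:
            continue  # not a request into the served directory
        escaped = resolve_outside_root(target[idx + len(SERVED_ROOT):])
        if escaped is not None:
            alerts.append({"ip": m["ip"], "target": target, "resolved": escaped,
                           "sensitive": any(s in escaped for s in SENSITIVE)})
    return alerts


# Constructed sample access-log lines: plain, single- and double-encoded traversal.
LOGS = [
    '203.0.113.10 - - [30/Apr/2024:10:01:02 +0000] "GET /CSHELL/index.html HTTP/1.1" 200',
    '203.0.113.10 - - [30/Apr/2024:10:01:09 +0000] "GET /CSHELL/../../etc/shadow HTTP/1.1" 200',
    '198.51.100.7 - - [30/Apr/2024:10:02:30 +0000] "GET /CSHELL/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404',
    '198.51.100.7 - - [30/Apr/2024:10:02:41 +0000] "GET /CSHELL/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 200',
    '192.0.2.5 - - [30/Apr/2024:10:03:05 +0000] "GET /CSHELL/a/../b.html HTTP/1.1" 200',
]
```

The last sample line stays inside the served directory after normalization and is not flagged, which keeps legitimate relative links from producing alerts.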


Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.