topic Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919 in General Topics

Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

FuzzyLogic — Thu, 30 May 2024 21:07:34 GMT

Hey everyone,

Just sharing a quick note on running the script from SK182336 to determine if any of your gateways are vulnerable. When running the script, some users have reported an error similar to: "Failed to collect Domains".

If you come across this, just double-check that you have the management server object highlighted when running your script. This error is a little ambiguous, but in SMS environments it may return simply because a gateway was highlighted instead of the management.

Hopefully, this little tidbit will save someone some time.

Regards,

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

the_rock — Fri, 31 May 2024 01:20:39 GMT

100% true! I tested your theory and thats exactly it.

Andy

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

Tomer_Noy — Fri, 31 May 2024 06:04:04 GMT

Thank you very much for pointing this out and sharing with the community.

We will take this feedback, and try to give a clearer message if we release another version of the script.

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

Kevin_Stanton — Fri, 31 May 2024 10:07:44 GMT

Hey

I run the script from the Script repository on a single stand alone management server R81.10 T139, Smart Console R81.10.9600.423

After clicking on details of the Task I get the pop up from Smart console "Requested log record was not found"

Get the same results with "check-for-local-users-with-password-only-authentication-v5" and "VPNcheck_v3"

is this good, bad or indifferent?

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

mk2 — Fri, 31 May 2024 10:20:35 GMT

We found that the script ran succesfully, but a patched R81.00 cluster is identified as vulnerable:

ALERT: Number of vulnerable Remote Access gateway(s) identified: 1
Recommendation: Install Hotfix to mitigate CVE-2024-24919 according to sk182336.

- cluster.name

EDIT: We used the check-for-CVE-2024-24919-v2.zip with check-for-CVE-2024-24919.sh in it.

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

Tomer_Noy — Fri, 31 May 2024 10:40:03 GMT

Hi,

Thank you for the feedback. The script automates checking whether Mobile Access blade (MAB) is activated or the gateway belongs to the Remote Access VPN community. These are the manual instructions we give to customer to check potential vulnerability.

To keep things simple, we did not invoke APIs or scripts to the gateways themselves to see if the HF was installed. The outcome of the script is whether it's important to install the HF.

We will check if we can improve the text to be clearer, in case we release an updated script.

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

Tomer_Noy — Fri, 31 May 2024 10:42:10 GMT

In your environment, do you see other logs?

The task running the script creates a log that represents the task's status. It's possible that there is a delay in indexing in your environment, or indexing is deactivated, therefore you cannot open the task details.

I suggest to try a little bit later, or run the script manually by connecting to the Management/Standalone machine's console.

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

mk2 — Fri, 31 May 2024 10:50:12 GMT

A little bit confusing, but that explains it. Thank you very much!

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

Kevin_Stanton — Fri, 31 May 2024 11:23:15 GMT

I am getting logs fine

Ran it manually from Home directory, on the management server.

chmod u+x VPNcheck.sh

chmod u+x check-for-local-users-with-password-only-authentication.sh

./VPNcheck.sh
No Local accounts with Password Authentication method found. No further action required.

./check-for-local-users-with-password-only-authentication.sh
No Local accounts with Password Authentication method found. No further action required.

I am asumming that "No Local accounts with Password Authentication method found. No further action required." is a good thing 🙂

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

FuzzyLogic — Fri, 31 May 2024 13:29:48 GMT

You may want to double-check to see if you have the correct script for the the vulnerability check. When I download it from the SK182336 I get a file named "check-for-CVE-2024-24919.sh" not "VPNcheck.sh". The initial scripts released only validated whether or not local users exist with password auth and VPN access, the newer CVE script is running checks to see if the vulnerability is present. (Important Note: it is possible to not have any local users present and still be vulnerable)

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

Kevin_Stanton — Fri, 31 May 2024 13:51:02 GMT

Ran that one all good 🙂

still adding the Hot fix regardless, 5 more clusters to go, taking longer to sort out change windows.

Looks at Checkpoint where do I send the bill for my wifes flowers, that is our weekend wrecked.

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

Kevin_Stanton — Fri, 31 May 2024 14:00:10 GMT

I just re read this, we have a separate events server, wonders what difference this would make? if any

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

Tomer_Noy — Tue, 04 Jun 2024 08:51:43 GMT

We just released an updated script that will iterate over potentially vulnerable gateways and will run commands to check for relevant HF or JHF fix installation.

The updated script will no longer mark patched gateways as vulnerable.
Thank you for the community feedback!

https://support.checkpoint.com/results/download/133115

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

the_rock — Tue, 04 Jun 2024 11:22:10 GMT

Awesome, will test in later and report back.

Andy

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

the_rock — Tue, 04 Jun 2024 13:30:45 GMT

@Tomer_Noy

Not sure if this is expected (I assume not), but here is what I experienced. Before upgrade of my cluster, it was on R81.20 jumbo 53 and I upgraded to jumbo 65, but I get below when running script from the mgmt for the cve check. I attached 2 screenshots, first worked fine BEFORE the upgrade and 2nd I get the error seen.

Thoughts?

Best,

Andy

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

Tomer_Noy — Tue, 04 Jun 2024 13:45:23 GMT

Is this a multi-domain environment, or Security Management Server?

On what did you install JHF 65? On the gateway or management server?

The error message seems to indicate a problem in fetching data on the management, so upgrading the gateway/cluster should not have done this.

Can you try again?

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

the_rock — Tue, 04 Jun 2024 13:50:36 GMT

Just regular SMS

I even rebooted the mgmt, same issue. Let me install jumbo 65 on the mgmt server, not sure if that will make a difference, but will let you know.

Andy

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

the_rock — Tue, 04 Jun 2024 14:07:57 GMT

No joy 😞

I upgraded mgmt to take 65, rebooted, even deleted and re-added the script, exact same problem, except now it shows same for both gateways, not just the backup.

Super odd...

Andy

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

the_rock — Tue, 04 Jun 2024 14:16:13 GMT

Anyway @Tomer_Noy , honestly, not a biggie, as they say, I copied the script to the mgmt via winscp and showed correct output. I want to THANK you and everyone else, @FuzzyLogic , @PhoneBoy , @_Val_ , and all the other people (hard to remember everyone now) who worked very hard on this. I know what Val meant when he said recently people are working around the clock for this issue and its most likely true. Super important to be on top of things like this, so I can say we appreciate, and Im sure I speak for others as well.

Best regards mate.

Andy

Output from the lab mgmt:

[Expert@CP-management:0]# cd /var/log/scripts/
[Expert@CP-management:0]# chmod 777 *
[Expert@CP-management:0]# ./check-for-CVE-2024-24919.sh
All gateways are not vulnerable to CVE-2024-24919. No further action required.
[Expert@CP-management:0]#

Re: Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

the_rock — Tue, 04 Jun 2024 14:30:29 GMT

Just to update quick, @Omer_Kleinstern reached out to me directly about the script, I ended up rebooting the mgmt again, ran it all good. Thanks so much guys, I truly value and am grateful for how quickly you responded and are on top of this

Andy

👍✌️👌