Solved: Re: Important Announcement - Enhance your VPN Secu...

_Val_ · ‎2024-05-27

Update June 5, 2024

We now have fixes for CVE-2024-24919 for releases dating back to R77.30 with latest JHF.

Update June 4, 2024

The procedure to identify vulnerable Security Gateways in sk182336 - Hotfix for CVE-2024-24919 was updated.

The Gateways script was replaced with v3. The updated script checks if the Hotfix is installed.

Update June 03, 2024

Automatic interim preventative measure deployed through AutoUpdater utility

Security Gateways that were configured to the Check Point's Auto Update process are gradually receiving an update (as of June 2, 2024), which helps protect them from various attempts to exploit the CVE. This is an interim preventative measure until the Hotfix is fully installed on customers’ Security Gateways. It is important to emphasize that installing the Hotfix in sk182336 is the best way to stay protected from this vulnerability.

This is relevant for gateways running R80.40 and above. Instructions to confirm this is enabled are in sk182336.

Update June 01, 2024

Quantum Spark

We now have a specific SK related to CVE-2024-24919 for Quantum Spark appliances! : sk182357

In addition to providing links to updated firmware, this SK lists the specific remediation steps that may be necessary on Quantum Spark Appliances, which includes:

Disable the Remote Access VPN blade
Change the Administrator passwords and use complex passwords
Restrict access through "Reach My Device"
Enable Two-Factor Authentication for Administrators (R81.10.10 and higher)
Enable Two-Factor Authentication for Remote Access VPN users (R81.10.10 and higher)
Enable notifications for administrator access

cccd

In R81.10 we added a feature to improve VPN performance - named CCCD

This feature is disabled by default, and we know about few advanced customers who are using it.

Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!

YOU MUST DISABLE CCCD TO BECOME PROTECTED!

Instructions below and also on SK182336:

Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.

If the output differs, stop the CCCD process by running the vpn cccd disable command.

Updated May 31, 2024

To streamline information flow and simplify actions for our customers and partners, we have consolidated all relevant details about CVE-2024-24919 and its remediation into a single SecureKnowledge article: sk182336.

Please revisit it now, as we have added some updates.

Updated May 30, 2024

To remain protected from CVE-2024-24919, it is mandatory install this on Check Point Quantum and Spark gateways following fix.

In addition, you should take the following extra security measures, which are documented in sk182336:

Change the password of the LDAP Account Unit
Reset password of local accounts connecting to Remote Access VPN with password-only authentication
Prevent Local Accounts from connecting to VPN with Password-Only Authentication
Renew the server certificates for the Inbound HTTPS Inspection on the Security Gateway
Renew the certificate for the Outbound HTTPS Inspection on the Security Gateway
Reset Gaia OS passwords for all local users
Regenerate the SSH local user certificate on the Security Gateway (see the SK for more details)
Renew the certificate for the SSH Inspection

Update May 28, 2024

Yesterday (May 27th) we delivered a solution that addresses attacks we saw on a small number of customers’ VPN remote access networks.

Today we found the root cause for these attacks and are now releasing a fix. To remain protected, it is mandatory install this on Check Point Quantum and Spark gateways following fix.

The vulnerability we found (CVE-2024-24919) affects Security Gateways with remote access VPN or mobile access blade enabled. It is potentially allowing an attacker to read certain information on Gateways once connected to the internet and enabled with remote access VPN or mobile access.

The fix we developed prevents the use of this vulnerability, once deployed on the relevant Gateways. Install this now to stay protected.

The attempts we’ve seen so far, inline with what we alerted you yesterday, are focusing on remote access on old local accounts with unrecommended password-only authentication within the known small customers we referred to yesterday. Check Point’s network is not affected by this.

More information on today’s notification can be found here.

Customer security is our top priority. We will continue to investigate this issue and provide additional updates.

For additional information, please contact Check Point Support Center or your Check Point representative.

Originally posted on May 27, 2024.

Over the past few months, we have observed increased interest of malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises.

Attackers are motivated to gain access to organizations over remote-access setups so they can try to discover relevant enterprise assets and users, seeking for vulnerabilities in order to gain persistence on key enterprise assets.

We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers.

By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.

We have assembled special teams of Incident Response, Research, Technical Services and Products professionals which thoroughly explored those and any other potential related attempts. Relying on these customers notifications and Check Point’s analysis, the teams found within 24 hours a few potential customers which were subject to similar attempts.

Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure.

Check Point has released a solution, as a preventative measure to address these unauthorised remote access attempts.

We encourage our customers to enhance their VPN security posture by:

Check if you have local accounts, if they were used and by whom.
If you don’t use them – best to disable them.
If you have local accounts which you want to use and are password-only authenticated, add another layer of authentication (like certificates) to increase your environments IT security.
As said, If you are a Check Point customer, deploy our solution on your Security Gateways. This will automatically prevent unauthorized access to your VPNs by local accounts with password-only authentication method.

Learn more and receive practical guidance for configuration monitoring and practices to enhance your VPN security posture.

For any additional assistance required, please contact Check Point technical support Center or your local Check Point representative.

We value the collaboration of our customers and dedication of our teams to reach a solution which effectively addresses any such attempts.

Eran_Habad · ‎2024-05-28

Hi, we updated the script with a fix. Please try again and let know if it worked.

Sharing again the link to the file: Check Point validate remote access script

Thanks, Eran

View solution in original post

Peter_Elmer · ‎2024-05-29

In the context of CVE-2024-24919 documented in sk182336, I created this short video, showing how you can install the HF using SmartConsole.

installing_HF_SmartConsole_2.mp4

Video Player is loading.

Current Time 0:00

Duration 1:43

Loaded: 0%

Stream Type LIVE

Remaining Time 1:43

(view in My Videos)

best regards

pelmer

View solution in original post

_Val_ · ‎2024-05-29

Hi @flachance If you deployed the HF marked by the arrow, you should be good.

Screenshot 2024-05-29 at 16.06.36.png

One from May 27 is to disable password-only VPN access, and it was released before the CVE was fully analyzed. If you do not have any RAS VPN users with a static password, you don't need it. If you do have those users, you want to move them to MFA. If you cannot, and you suspect some of their credentials can become compromised, you can deploy the HF in question to cut off their access completely.

View solution in original post

Christian_Sandb · ‎2024-05-30

To help you following best practices moving away from local users with passwords, Peter Elmer created a video to demonstrate how to move such users to client certificate authentication instead. This example use P12 cert files on the clients, you can also choose to use CAPI/KeyChain enrollment which is very similar.

Peter is traveling today so I´m posting on his behalf. Please give kudos to him for this and not to me..

Christian

vpn_cert_auth.mp4

Video Player is loading.

Current Time 0:00

Duration 6:44

Loaded: 0.00%

Stream Type LIVE

Remaining Time 6:44

(view in My Videos)

View solution in original post

Jim_Oqvist · ‎2024-05-30

Hi,

In the context of the mandatory sk182336 - Preventative Hotfix for CVE-2024-24919, I have created two videos, one to clarify which hotfix is mandatory to install, what the differences between these two hotfixes are, and another video showing how to configure the gateway not to be vulnerable to this exploitation if you are unable to install the hotfix ASAP, this in order to give some you some breathing room.

I recorded this video to provide clarification on which hotfix it is mandatory for all customers to install ASAP

sk182336 - Clarification on the Hotfix to prevent exploit of CVE-2024-24919

Video Player is loading.

Current Time 0:00

Duration 0:00

Loaded: 0%

Stream Type LIVE

Remaining Time 0:00

(view in My Videos)

I recorded this video to provide clarification on how to configure the gateway not to be vulnerable if you are not able to ASAP install the sk182336 - Preventative Hotfix.

How to configure the gateway not to be vulnerable if you are not able to ASAP install the sk182336 - Preventative Hotfix.

Video Player is loading.

Current Time 0:00

Duration 0:00

Loaded: 0%

Stream Type LIVE

Remaining Time 0:00

(view in My Videos)

Here are Peter Elmers videos I am referring to in my recording

View solution in original post

Moti · ‎2024-05-30

FYI a new tool has been added to the SK https://support.checkpoint.com/results/sk/sk182336 to help you with the triage

3. Tool to identify vulnerable Security Gateways

Use the procedure below to run the script that scans all the Security Gateways configured in your Security Management Server or Domain Management Servers. The script shows a lists of Security Gateways that are vulnerable to CVE-2024-24919 and the recommended action to install the required hotfix.

View solution in original post

PhoneBoy · ‎2024-05-30

Here's a video showing how to run this script on your management to determine if you need to apply patches/mitigations for CVE-2024-24919:

CVE-2024-24919 Script for Vuln.mp4

Video Player is loading.

Current Time 0:00

Duration 0:00

Loaded: 0%

Stream Type LIVE

Remaining Time 0:00

(view in My Videos)

View solution in original post

PhoneBoy · ‎2024-05-30

If you're looking for help resetting your Gaia OS admin and expert passwords on many gateways, this video from @Joseph_Audet might help. (Note does not work with Quantum Spark appliances)

Check Point - Bulk Reset GAIA OS admin and expert passwords 2024MAY30.mp4

Video Player is loading.

Current Time 0:00

Duration 0:00

Loaded: 0%

Stream Type LIVE

Remaining Time 0:00

(view in My Videos)

View solution in original post

Moti · ‎2024-05-31

https://www.youtube.com/playlist?list=PLMAKXIJBvfAiD8JbRZJGb2Bnrr7qkI5Fb
A Playlist that will populate all relevant best practices and use cases to mitigate CVE-2024-24919. (Sourced from Evangelists, CheckMates, etc.)

Screenshot 2024-05-31 at 12.09.36.png

If you have a video candidate to be added to the list, please add it as a reply to my comment and we will review it

Thanks!

View solution in original post

_Val_ · ‎2024-05-31

This is an expected result. Quoting from the SK:

WhatsApp Image 2024-05-31 at 15.04.16.jpeg

The purpose of the script is to check if your GWs could be potentially vulnerable because of RAS VPN or/and Mobile Access blades enabled.

View solution in original post

the_rock · ‎2024-06-07

See if below post I made recently helps.

Andy

https://community.checkpoint.com/t5/Remote-Access-VPN/Geo-VPN-blocking/m-p/214040#M10593

View solution in original post

Sergei_Shir · ‎2024-06-13

We apologize for the confusion.

For each of the firmware versions that are mentioned in the sk182357 - Preventative Hotfix for CVE-2024-24919 - Quantum Spark Gateways, two firmware builds were released very close to each other:

1) A firmware build based on the previous released build for that version - this build only contained the fix to protect against the CVE.

2) A firmware build based on a more advance build - this build contains the fix to protect against this CVE + additional various fixes that accumulated over time.

Note - sk181134 - R81.10.X Resolved Issues and Enhancements will be updated very soon.

Because these two firmware builds were released very close one after another, it was decided to mention only the last released build.

To resolve this confusion, the Revision History in each relevant Home Page SK was updated accordingly.

View solution in original post

Moudar · ‎2024-05-27

I am getting the following error message when running the script:

Traceback (most recent call last):
  File "/var/tmp/VPNcheck.py", line 187, in <module>
    helper.get_relevant_objs(domain_name)
  File "/var/tmp/VPNcheck.py", line 176, in get_relevant_objs
    self.dereference_user_group_recursively(user_group)
  File "/var/tmp/VPNcheck.py", line 136, in dereference_user_group_recursively
    for member in show_res["members"]:
KeyError: 'members'

Eran_Habad · ‎2024-05-27

Thank you Moudar for sharing.

We'll look into it ASAP and update the script with a fix if needed, we may approach you offline with few questions.

Thanks again for your help,

Eran

Josef_Maier · ‎2024-05-27

I get the same error message when running the script.

Eran_Habad · ‎2024-05-27

Thank you Josef. We'll approach you offline to analyze.

Eran

Machine_Head · ‎2024-05-28

same issue in at least 3 managers of our customers

Eran_Habad · ‎2024-05-28

Hi, we updated the script with a fix. Please try again and let me know if it worked.

Sharing again the link to the file: Check Point validate remote access script

Thanks, Eran

Machine_Head · ‎2024-05-28

Hi Eran,

Thanks for the quick turn around and the hard work.

Script seems to have worked and failed at the same time:

Eran_Habad · ‎2024-05-28

Issue is resolved thanks to your help. Thank you 🙂

Eran

the_rock · ‎2024-05-28

Hey Eran,

Question. Say someone installs this on top of jumbo 53, would jumbo 54 later install okay or would there be a conflict?

Best,

Andy

Eran_Habad · ‎2024-05-28

Hi, we updated the script with a fix. Please try again and let know if it worked.

Sharing again the link to the file: Check Point validate remote access script

Thanks, Eran

Moudar · ‎2024-05-28

It's working now.

Mikael · ‎2024-05-29

The VPNcheck_v3.zip seems to fail on SmartCenters with "Failed to login to domain "

Verified on multiple instances this morning...

Chris_Atkinson · ‎2024-05-29

Can you please share some more details if this problem is ongoing - SMS or MDS and version/JHF?

CCSM R77/R80/ELITE

aheilmaier · ‎2024-05-30

It worked for me as i used the ip of the domain instead of the name.

But by now a v5 of the script is available, I used v3.

R81.20 version of the manager.

the_rock · ‎2024-05-27

I read on Google it was only 3 customers, but regardless, better be proactive, than reactive, plus MFA is something literally everyone is implementing nowdays.

Cheers,

Andy

leonarit · ‎2024-05-28

This CVE seems like a coincidence with a recent CVE of another vendor that was also related to a vul in the vpn web portal that allowed a rce, even without the user authenticating. At least on CP it seems that this exploit is only possible after successful authentication, let’s hope we don’t receive any more surprises related to this cve.

Previously > R81 the password of local user only supported 8 characters, this changed in > R81, is it possible that some fws have users with weak password and are exposed to brute force attacks? Was this the vulnerability detected? I’m curious to know what’s the real vulnerability that’s being exploited here, let’s hope that there aren’t any rce related to the multiportal.

PhoneBoy · ‎2024-05-28

The FAQ explains the situation in a little more detail: https://support.checkpoint.com/results/sk/sk182337

leonarit · ‎2024-05-28

Thanks, I had already checked that sk and I'm assuming that when CP says vulnerability, it really means possible exploit due to "weak configuration", and seeing what happened in the previous days CP decided to alert to that “weak configuration”.

This current “weak configuration” is something that was always possible, so something had to change to CP decide to announce this cve, let’s hope it was just something related the behavior observed in the previous days.

dede79 · ‎2024-05-28

So even if the script says that there are no local accounts with pw only the fix must/should be installed or not?

_Val_ · ‎2024-05-28

We recommend installing the fix in any case. It is a best practice to patch announced CVEs.

the_rock · ‎2024-05-29

Here is just my personal opinion about all this. I get its important, but Im sure there are lots of customers who might not feel comfortable installing custom fix that could have complications later when trying to install next recommended jumbo and rebooting on top of that, plus, say if customer had 10 local vpn accounts, why not change passwords for them to something more complicated? Would that not solve this issue?

Just my 2 cents.

Andy

Christian_Sandb · ‎2024-05-29

The fix will be included in all upcoming JHFs. This is not to considered as a custom fix.

If remote access is enabled the and the passwords are changed without installing the fix, the information be harvested again. Therefore, follow the steps in the SK, install the fix and then change the passwords.

the_rock · ‎2024-05-29

So just to make sure we are on the same page here, if its NOT a custom fix or jumbo hotfix, what is it considered then??

And if installed on top or current jumbo, would it cause any conflict when installing later jumbo down the road? I dont believe anyone answered that question as of yet...

Best,

Andy

Christian_Sandb · ‎2024-05-29

In sk182336 we released several new JHF takes with this fix included. More will come, also for older versions and JHF takes.

All future JHFs will include this fix. It will not cause conflicts when using future public JHF takes.

the_rock · ‎2024-05-29

Ok, thank you.

PhoneBoy · ‎2024-05-29

A custom hotfix is for a specific customer (or set of customers).
This is meant for all customers and we are making the fix available on numerous JHF releases (not just the most recent/recommended one).

Moudar · ‎2024-05-28

Will installing the Hotfix for CVE-2024-24919 block users who use password-only authentication from logging in?

_Val_ · ‎2024-05-28

Not exactly.

Quoting from SK182336:

The vulnerability potentially allows an attacker to read certain information on Gateways once connected to the Internet and enabled with Remote Access VPN or Mobile Access.

Fix will patch the information disclosure issue, but you still want to track down and secure users with static passwords, which, as said previously, is a back practice to have.

Amir_Ayalon · ‎2024-05-28

No (for SMB Firmware release)

Are you a member of CheckMates?

Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)

Update June 5, 2024

Update June 4, 2024

Update June 03, 2024

Automatic interim preventative measure deployed through AutoUpdater utility

Update June 01, 2024

Quantum Spark

cccd

Updated May 31, 2024

Updated May 30, 2024

Update May 28, 2024

Originally posted on May 27, 2024.

3. Tool to identify vulnerable Security Gateways