Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
_Val_
Admin
Admin
Jump to solution

Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)

Update June 5, 2024

We now have fixes for CVE-2024-24919 for releases dating back to R77.30 with latest JHF.

Update June 4, 2024

The procedure to identify vulnerable Security Gateways in sk182336 - Hotfix for CVE-2024-24919 was updated.

The Gateways script was replaced with v3. The updated script checks if the Hotfix is installed.

Update June 03, 2024

Automatic interim preventative measure deployed through AutoUpdater utility

Security Gateways that were configured to the Check Point's Auto Update process are gradually receiving an update (as of June 2, 2024), which helps protect them from various attempts to exploit the CVE. This is an interim preventative measure until the Hotfix is fully installed on customers’ Security Gateways. It is important to emphasize that installing the Hotfix in sk182336 is the best way to stay protected from this vulnerability.

This is relevant for gateways running R80.40 and above. Instructions to confirm this is enabled are in sk182336.

Update June 01, 2024

Quantum Spark

We now have a specific SK related to CVE-2024-24919 for Quantum Spark appliances! : sk182357

In addition to providing links to updated firmware, this SK lists the specific remediation steps that may be necessary on Quantum Spark Appliances, which includes: 

  1. Disable the Remote Access VPN blade
  2. Change the Administrator passwords and use complex passwords
  3. Restrict access through "Reach My Device"
  4. Enable Two-Factor Authentication for Administrators (R81.10.10 and higher)
  5. Enable Two-Factor Authentication for Remote Access VPN users (R81.10.10 and higher)
  6. Enable notifications for administrator access

 

cccd

In R81.10 we added a feature to improve VPN performance - named CCCD

This feature is disabled by default, and we know about few advanced customers who are using it.

Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!

YOU MUST DISABLE CCCD TO BECOME PROTECTED!

Instructions below and also on SK182336:

 

Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.

If the output differs, stop the CCCD process by running the vpn cccd disable command.

Updated May 31, 2024

To streamline information flow and simplify actions for our customers and partners, we have consolidated all relevant details about CVE-2024-24919 and its remediation into a single SecureKnowledge article: sk182336.

 

Please revisit it now, as we have added some updates.

 

 

Updated May 30, 2024

To remain protected from CVE-2024-24919, it is mandatory install this on Check Point Quantum and Spark gateways following fix.

In addition, you should take the following extra security measures, which are documented in sk182336:

  1. Change the password of the LDAP Account Unit
  2. Reset password of local accounts connecting to Remote Access VPN with password-only authentication
  3. Prevent Local Accounts from connecting to VPN with Password-Only Authentication
  4. Renew the server certificates for the Inbound HTTPS Inspection on the Security Gateway
  5. Renew the certificate for the Outbound HTTPS Inspection on the Security Gateway
  6. Reset Gaia OS passwords for all local users
  7. Regenerate the SSH local user certificate on the Security Gateway (see the SK for more details)
  8. Renew the certificate for the SSH Inspection

Update May 28, 2024

Yesterday (May 27th) we delivered a solution that addresses attacks we saw on a small number of customers’ VPN remote access networks.

Today we found the root cause for these attacks and are now releasing a fix. To remain protected, it is mandatory install this on Check Point Quantum and Spark gateways following fix.

The vulnerability we found (CVE-2024-24919) affects Security Gateways with remote access VPN or mobile access blade enabled. It is potentially allowing an attacker to read certain information on Gateways once connected to the internet and enabled with remote access VPN or mobile access.

The fix we developed prevents the use of this vulnerability, once deployed on the relevant Gateways. Install this now to stay protected.

The attempts we’ve seen so far, inline with what we alerted you yesterday, are focusing on remote access on old local accounts with unrecommended password-only authentication within the known small customers we referred to yesterday. Check Point’s network is not affected by this.

More information on today’s notification can be found here.

Customer security is our top priority. We will continue to investigate this issue and provide additional updates.

For additional information, please contact Check Point Support Center or your Check Point representative.

 

Originally posted on May 27, 2024.

Over the past few months, we have observed increased interest of malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises.

Attackers are motivated to gain access to organizations over remote-access setups so they can try to discover relevant enterprise assets and users, seeking for vulnerabilities in order to gain persistence on key enterprise assets.

We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers. 

By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.

We have assembled special teams of Incident Response, Research, Technical Services and Products professionals which thoroughly explored those and any other potential related attempts. Relying on these customers notifications and Check Point’s analysis, the teams found within 24 hours a few potential customers which were subject to similar attempts.

Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure.

Check Point has released a solution, as a preventative measure to address these unauthorised remote access attempts.

We encourage our customers to enhance their VPN security posture by:

  • Check if you have local accounts, if they were used and by whom.
  • If you don’t use them – best to disable them.
  • If you have local accounts which you want to use and are password-only authenticated, add another layer of authentication (like certificates) to increase your environments IT security.
  • As said, If you are a Check Point customer, deploy our solution on your Security Gateways. This will automatically prevent unauthorized access to your VPNs by local accounts with password-only authentication method.

Learn more and receive practical guidance for configuration monitoring and practices to enhance your VPN security posture.

For any additional assistance required, please contact Check Point technical support Center or your local Check Point representative.

We value the collaboration of our customers and dedication of our teams to reach a solution which effectively addresses any such attempts.

(1)
334 Replies
Moudar
Advisor

What does (for SMB Firmware release) mean?

The patch will not block users who use password-only authentication on SMB, but it will block them on standard Gaia OS?

0 Kudos
Amir_Ayalon
Employee
Employee

I was referring to the SMB Firmware which are relevant for SMB (Spark) Appliances who are locally managed - 

700 / 1500 / 1600 / 1800 / 2000 / 1570R / 1200R

0 Kudos
Moudar
Advisor

So, I got the 6500 running 81.20 take 53 cluster, can you confirm that installing the hotfix will not block users with only passwords?

0 Kudos
_Val_
Admin
Admin

Hi @Moudar sk182336 contains two elements: a script to identify the password-only users (Part 2 of the SK) and the fix to block them.

This SK was released before we fully analyzed and fixed CVE-2024-24919 through a different solution, through sk182337, with a different hotfix addressing the vulnerability itself.

That said, you want to close the vulnerability by installing the fix from sk182337. On top of that, if you want to identify users with static passwords in order to change their credentials, use the script (but not hotfix) from sk182336 to get the list of the users.

We do recommend moving those accounts to MFA authentication, as static passwords still might be compromised. If MFA is not an option, the second best is to change static passwords.

I hope this helps, and feel free to ask if you have any further questions.

0 Kudos
Moudar
Advisor

The hotfix is now installed:

hotfix.JPG

0 Kudos
Stephan_Scholz
Participant

The FAQ is not quite clear in one point whether Site-to-Site VPN gateways are affected.

"I am using Site to Site VPN, but not using Remote Access of Mobile Access blade. Do I need to install the hotfix?"

The FAQ mentions disabling Mobile Access blade, but also disabling Allowed VPN clients. Are both measures needed, or just the first one?

Because this would make quite a difference - Allowed VPN clients are enabled by default.

 

0 Kudos
Gera_Dorfman
Employee
Employee

S2S only gateways are not affected, but both measures are required for that : disabling Mobile Access Blade AND disabling all allowed VPN clients.

 

Rene_Moeller1
Contributor

Hi all,

How does the firewall behave when I install the patch with regard to RA connections with user and local password? Will they be blocked because we have many customers who use this authentication method?
I can't find that in the FAQ's

 

Best Regards

René

0 Kudos
Amir_Ayalon
Employee
Employee

Hi 

They will not become blocked even if they use only username/password (For SMB Release!)

it will continue to operate normally.

 

Thanks

 

 

0 Kudos
Rene_Moeller1
Contributor

Hi Amir,

thank you for the fast answer.

What change the Hotfix? Yesterday the Alert described that it is unsafe to use user + password in the RA area. I had understood this as information and it is also clear since years.
But I didn't understand why you were writing patches for it and I suspected there was more to it. Today now the alert with CVE.
What exactly does the script patch, can you tell?

 

Best Regards

René

0 Kudos
_Val_
Admin
Admin

The script does not patch anything, it helps you in identifying users with static passwords. 

0 Kudos
Thomas_Eichelbu
Advisor
Advisor

Hello Folks, 

in https://support.checkpoint.com/results/sk/sk182336 in is written to change the LDAP Account Unit password:

"If a Security Gateway authenticates remote users using the Active Directory, we recommend changing the password of the AD account used by the Gateway."

why is that required?
is this just an additional security measure "to be on the safe side"
or is there the chance if the attacke breaches the GW because of CVE-2024-24919 the LDAP password can be compromised as well?

and what about local users which do not use username+password, but MFA ... here we are safe?

any idea about the LDAP password change?

best regards
Thomas

_Val_
Admin
Admin

 

In order to take extra measurements we recommend resetting the credentials of accounts stored on the security gateway.

For that, we recommend to:

  • Not use local accounts authenticating with password only to use remote access VPN.
  • Reset the password of the AD account used by the Gateway to authenticate users. 

This is a recommended measure in case a Security Gateway has been compromised, and account data and their hashes were exfiltrated, to protect your organization from a potential attacker

Wolfgang
Authority
Authority

LDAP-Account Unit user is not the only one stored on the Security Gateway. How about others like account for datacenter/cloud access (VMware etc.) ? 

Following "In order to take extra measurements we recommend resetting the credentials of accounts stored on the security gateway." Is it enough to change only the LDAP Account-Unit users password ?

Adnan_Saleem
Participant

We see ultiple takes for this CVE i.e. Take 110, 130, 139 which one we need to install?

Do we still need to install the hot fix if IPSec VPN blade is enabled (mobile access blade is disabled)?

Thanks.

 

0 Kudos
Ben_Dunkley
Contributor

Whichever one matches your currently installed jumbo hotfix version.

(Of which 139 is the current recommended jumbo take, and i think 141 is the latest?)

 

(Edit: Additional info - if you have downloaded the hotfix for the wrong hfa take - you do get an error when validation runs)

Christian_Opitz
Participant
Participant

So if the vulnerabilty was successful exploited the complete Security Gateway was compromised? You told that account data and hashes could be exfiltrated. What exactly?

- could be hashes from local administrators also stolen so have we to reset all passwords for GAiA and SmartConsole, too?

- could hashes from S2S VPN with Preshared key be stolen?

- Is the gateway itself still trusted or do we have to reinstall it?

- is there something we can check to see if the gateway were attacked by this?

Alex-
Leader Leader
Leader

We wanted to ask the same questions. We have systems that can't be directly patched but are going through emergency approval and would like to know if there are observables to determine whether attempts were made to exploit the vulnerability in the meantime.

0 Kudos
Moti
Admin
Admin

The main observable our IR teams have seen is GW logs on successful VPN login with local accounts. Nevertheless,  the patch is mandatory on all affected GW (as described in https://support.checkpoint.com/results/sk/sk182337 ) to remain protected from future attempts

also be advised that https://support.checkpoint.com/results/sk/sk182337 was updated with known IoC:

What are the suspect IP addresses used by threat actors to exploit the vulnerability?

23.227.196.88
23.227.203.36
37.19.205.180
38.180.54.104
38.180.54.168
46.59.10.72
46.183.221.194
46.183.221.197
64.176.196.84
87.206.110.89
104.207.149.95
109.134.69.241
146.70.205.62
146.70.205.188
149.88.22.67
154.47.23.111
156.146.56.136
158.62.16.45
167.61.244.201
178.236.234.123
185.213.20.20
185.217.0.242
192.71.26.106
195.14.123.132
203.160.68.12
68.183.56.130
167.99.112.236
132.147.86.201
162.158.162.254
61.92.2.219
183.96.10.14
198.44.211.76
221.154.174.74
112.163.100.151
103.61.139.226
82.180.133.120
146.185.207.0/24
193.233.128.0/22
193.233.216.0/21
217.145.225.0/24
31.134.0.0/20
37.9.40.0/21
45.135.1.0/24
45.135.2.0/23
45.155.166.0/23
5.188.218.0/23
85.239.42.0/23
88.218.44.0/24
91.132.198.0/24
91.218.122.0/23
91.245.236.0/24 
Rene_Moeller1
Contributor

Please share the Information about the Port what is in use to get this User / Hash Information. (only to see first if we see the process to grab the information)

0 Kudos
Moti
Admin
Admin

443

0 Kudos
the_rock
Legend
Legend

All super valid points @Christian_Opitz 

0 Kudos
dede79
Contributor

does it only search for these users or is also checking the auth settings of the gateway? 

What about the possibility that ldap users can login only with a single factor?

0 Kudos
_Val_
Admin
Admin

@dede79 , LDAP users are fine.

However, you need to look if you need to reset a password for LDAP unit used by a potentially vulnerable GW, see FAQs in https://support.checkpoint.com/results/sk/sk182337:

Why is it important to reset the LDAP password of the AD account on the Security Gateway?

Because the Security Gateway stores the LDAP account password, we recommend resetting it.
This is a recommended security measure in case the Security Gateway has been compromised, and account data and hashes could be potentially exfiltrated.
0 Kudos
Peter_Elmer
Employee
Employee

In the context of CVE-2024-24919 documented in sk182336, I created this short video, showing how you can install the HF using SmartConsole.

best regards

pelmer

(3)
Gojira
Collaborator
Collaborator

is the hotfix going to be integrated in the jumbo?


Gera_Dorfman
Employee
Employee

Yes. The fix will be integrated in the next jumbo. But we strongly recommend to install the fix immediately. 

Peter_Elmer
Employee
Employee

Hello @Gojira ,

I recommend tracking sk182337 as this will be updated over time. I am certain, our R&D team is reaching for the best possible options here.

-pelmer

Moti
Admin
Admin

great video Peter. thanks !

0 Kudos
the_rock
Legend
Legend

Nice!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events