@EngineerActo, I understand your frustration and we (in R&D) are doing a deep learning process to see how this access can be managed better, and will then find a way to incorporate improvements into the product.

First, it's important to emphasize that the most important step is to install the HF or JHF that fixes the vulnerability. That is the most effective way to be protected.

Following that, I also understand the motivation in having more control over who can access the gateway's portals (even after patching). I want to share a bit more info and a configuration suggestion that may do what you are looking for.

It will help to understand a bit how implied rules work. Implied rules are meant to simplify configuration and help avoid situations where customers drop basic networking access that is needed for the gateway to function properly. For example, we don't want admins to have to explicitly allow Management access to push policy to the gateway, and we don't want them to get locked out if they accidentally block such access.
Implied rules can be embedded in different places in the policy. “Before drop” means that they are applied before the first drop rule. “Before last” means that they are applied just before the cleanup rule, but if the admin defined conflicting rules, those rules will be applied before those implied rules.

The implied rules that open access to the portals are defined by default as “Before drop”, which means that any explicit blocking (such as geo-fencing) in your policy will not take effect. The reasoning was that many customers define an explicit “stealth rule” for their gateway, blocking any external access to it. Without the implied rule before the policy, many wouldn’t understand why the portals that they activated aren’t working.

We actually encountered this challenge when we released Playblocks. We have a very effective playbook that fully blocks IPs of machines that attempted high-confidence IPS attacks. We saw that our blocking was very effective for access attempts into the network, but the attackers could still access the portals of the gateways. Changing the default of the implied rules could cause unexpected network changes, so we worked with the gateway R&D team to create an opt-in variable that allows customers to move the portals' implied rule to “Before last”. This keeps open access before the cleanup rule, but if those customers have a stealth rule, they need an additional rule to open access to the portals from desired networks.

Bottom line: here is the SK that moves the portals’ implied rules to “Before last”, which will make your explicit drop rules effective. You activate an environment variable on your management and it will apply to all gateways. Note that it was originally released as a hotfix, but after was integrated to Jumbo (JHF) and its been out for a while.
https://support.checkpoint.com/results/sk/sk180808

Once activated, your geo-fencing rules will take effect. Remember to explicitly open access to the portals if you have any block rules (beyond cleanup) that may block legitimate access to the portals.

I also want to relate to @the_rock's suggestion to limit external https access to the portals via https://support.checkpoint.com/results/sk/sk105740. It's not a bad measure, but AFAIK it's not hermetic as it only applies to port 443, while port 80 may still be accessed.

Super valid comment @Tomer_Noy 👌👍

Andy

@EngineerActo 

Hi EngineerActo,

We had this issue come up when we noticed a SQL injection attack attempt on our gateways through the MAB portal from a country that we have set to block in our geo protect rules.

In our case all we needed was a command to be set in the kernel.  This would explicitly block countries in the geo protect against accessing the MAB portal.

fw ctl set int fw_ignore_before_drop_rules 1

fw ctl set int -f fw_ignore_before_drop_rules 1  # to set in fwkern.conf to survive reboot.

The kernel param fw_ignore_before_drop_rules will indeed force the gateway to ignore those implied rules that open access to the portal, but it might have additional negative effects by ignoring other rules that may be needed for your environment. Also, this setting needs to be applied per gateway.

I would suggest a more precise measure for the issue of the MAB / Remote Access portals access by looking into https://support.checkpoint.com/results/sk/sk180808.

Thats what TAC guy told me as well for vpn geo blocking, but based on my lab testing, its all good, if you have the right rules in place.

Andy

Do you see aCSHELL in the packet capture anywhere?
If not, it's probably a Directory Traversal attack unrelated to the CVE.
TAC can probably confirm this.

I could find this "aCSHELL/../../../../../../../../etc/shadow" followed by some http accept packet??!!

What is happening here?

That was a log from CVE-2024-24919, how can it be unrelated to CVE-2024-24919

and now trying port 443:

I quote from sk182336:

"To prevent any attempt to exploit this vulnerability, you must protect the vulnerable Remote Access VPN gateway behind a Security Gateway with both IPS and HTTPS Inspection enabled."

So, if the Mobile Access Blade is enabled on the same gateway with only IPS enabled (and no HTTPS inspection), is the gateway still vulnerable even if the hotfix is installed? If it remains vulnerable, what steps should be taken?

Pleaseread what @Tomer_Noy wrote this week.

Andy

************************************************

The most important step to be protected is to install the relevant hotfix or jumbo with the CVE fix.
If you know that you installed the fix on your gateways, you don't need to use the script as an affirmation that you are protected.

The CVE script was created to help customers understand which gateways require the fix. The first version just tested the configuration to see if a fix is needed, and in later versions of the script we added code to remotely check the gateway if the relevant hf/jhf was installed. It's helpful for large customers with many gateways, to make sure that they didn't miss a gateway.

The script has just 3 optional outputs for each gateway. The logic is simple and just automates things that you can check manually.

1) The script says your gateway is vulnerable - this means that the gateway is using MAB or participates in Remote Access community, and the needed hotfix is not installed. For this you need to take immediate action and install the hf/jhf.

2) The script says your gateway is potentially vulnerable - this means that it's using MAB or participates in Remote Access community, so the fix is needed. However, the script was unable to verify if the hf/jhf is indeed installed. This could be due to some limitations documented in the SK (Spark, VS, ...) or it could be that there was some communication error to the gateway. The required action item is to verify manually that the fix is installed. If you did that, then you don't need to install anything else. It's OK if the gateway remains "potentially vulnerable" in the script output, because you verified the hf and the potential is gone.

3) Not vulnerable - we don't print out these gateways, so if they are not in the script output, they were not vulnerable when the script ran. It could either be that they don't use MAB or Remote Access, or that the script successfully validated that the hf/jhf is installed.

In your case, it seems that the script is saying that the gateway is potentially vulnerable (case #2). You wrote that you installed the needed hf, so it's OK and you don't need to keep running the script or install another hf / jhf.

I hope this helps.

That does not answer my question about HTTPS inspection and about IPS being installed on the same gateway?

He never mentioned any of that.

@Moudar Look how long it took to install policy in the lab with jumbo 65, 7 seconds...pretty good I say : - )

Andy

The quote regarding IPS is indeed mentioned in the SK in the "Additional Frequently Asked Questions" in a question about whether there is an IPS protection that can help mitigate attacks using this CVE.

First I want to emphasize: installing the HF or JHF that includes the CVE fix is the most important and main action item that you need to do to be protected. This will make your gateway protected from future exploit attempts using this CVE.

The IPS protection is a possible extra measure to protect gateways that were not patched with the hf/jhf. It is not required if you installed the hf/jhf with the fix. Note that this IPS protection may be triggered by attacked trying to exploit, even when they are not successful.

Also note that the IPS protection is effective when it is applied to traffic going through the gateway, not traffic going to the gateway itself. Therefore it is only relevant if there is another gateway in front of the gateway doing remote access. It was recommended to have https inspection since some of the attacks are using https encrypted traffic, while other attacks may be over http.
It's not a bad idea to have IPS and https inspection on the gateway doing remote access, but turning these on does not provide extra protection for this specific CVE.

So bottom line: install the fix via HF or JHF. If for some reason, you cannot install the fix, you can add extra protections using another gateway and IPS.

** Also note that the fix makes the gateway secure from the moment it was installed. If you suspect that the gateway was exploited before installing the fix, there are additional measures in the SK related to resetting various secrets and passwords.

@Moudar Here is all I will say. Again, I cant speak for anyone else, but this would be my argument to literally any customer out there asking these questions. Would you rather have headaches and doubts after installing only CVE patch for respected jumbo or would you rather clear any doubts by simply installing jumbo 150 for R81.10 or jumbo 65 for R81.20, which would contain ALL the fixes to begi with and would 100% show gateways are not vulnerable?

I know 2nd option is what I had been doing and so far, 6 customers had done the same and not a single problem.

I cant force anyone to do anything, but I believe logical choice is pretty clear here, at least to me 🙂

Anyway, if you need any clarification/testing, I have jumbo 65 installed in R81.20 lab with ssl inspection, mab, ra community enabled, ips, so we can do remote and perform any testing needed.

Just going to do some biking now, but will be back later, you can message me. You got my gmail as well : - )

Best,

Andy

Excellent 👍

Can you clarify if the prevention mechanism for users with local passwords defined in R80.20 and earlier that have not changed their password since upgrading to R80.30+ not allowing them to log in can be disabled with the blockSFAInternalUsers command?

Internal User, Single Factor Auth. Blocking Utility

Usage: blockSFAInternalUsers [flags]

-s show current status
-a allow internal users with password single factor to authenticate
-b block internal users with password single factor from authenticating

Default block

blockSFAInternalUsers -s

blockSFAInternalUsers: Blocked

Fairly certain this hasn’t changed but will confirm.

From sk179922:

• Effective 30 May 2024: The R82.20.60 images were replaced with Build 992002903 (replacing Build 992002850) to protect against CVE-2024-24919. See sk182357.

Exactly.  I already read that.  What does it mean?  Is the first image (Build 992002850) effective at closing the vulnerability, or not?

To me, at least, reading that logically, appears build 850 is NOT effective for that CVE, but rather new one, but I could be mistaken. Personally, I would call TAC to get an official confirmation, better have it in writting.

Andy

Yes, I agree, the statements in the SKs are not very clear. 

I opened a case with TAC.  Their reply concerning R80.20.60 Build 992002850 protecting against CVE-2024-24919:

Yes you are most certainly  protected."

As long as you have that statement in writting.

But below statement:

• Effective 30 May 2024: The R82.20.60 images were replaced with Build 992002903 (replacing Build 992002850) to protect against CVE-2024-24919. See sk182357.

I know English is not my first language, but honestly, to me, pure logic reading that stement would dictate that ONLY build 992002903 is the one effective against the CVE-2024-24919

But again, if TAC told you otherwise, then I would accept that.

Best,

Andy

Thatnks @Sergei_Shir . Hopefully, that clears any confusion you may have had @Dale_Lobb 

Best,

Andy