Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
_Val_
Admin
Admin
Jump to solution

Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)

Update June 5, 2024

We now have fixes for CVE-2024-24919 for releases dating back to R77.30 with latest JHF.

Update June 4, 2024

The procedure to identify vulnerable Security Gateways in sk182336 - Hotfix for CVE-2024-24919 was updated.

The Gateways script was replaced with v3. The updated script checks if the Hotfix is installed.

Update June 03, 2024

Automatic interim preventative measure deployed through AutoUpdater utility

Security Gateways that were configured to the Check Point's Auto Update process are gradually receiving an update (as of June 2, 2024), which helps protect them from various attempts to exploit the CVE. This is an interim preventative measure until the Hotfix is fully installed on customers’ Security Gateways. It is important to emphasize that installing the Hotfix in sk182336 is the best way to stay protected from this vulnerability.

This is relevant for gateways running R80.40 and above. Instructions to confirm this is enabled are in sk182336.

Update June 01, 2024

Quantum Spark

We now have a specific SK related to CVE-2024-24919 for Quantum Spark appliances! : sk182357

In addition to providing links to updated firmware, this SK lists the specific remediation steps that may be necessary on Quantum Spark Appliances, which includes: 

  1. Disable the Remote Access VPN blade
  2. Change the Administrator passwords and use complex passwords
  3. Restrict access through "Reach My Device"
  4. Enable Two-Factor Authentication for Administrators (R81.10.10 and higher)
  5. Enable Two-Factor Authentication for Remote Access VPN users (R81.10.10 and higher)
  6. Enable notifications for administrator access

 

cccd

In R81.10 we added a feature to improve VPN performance - named CCCD

This feature is disabled by default, and we know about few advanced customers who are using it.

Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!

YOU MUST DISABLE CCCD TO BECOME PROTECTED!

Instructions below and also on SK182336:

 

Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.

If the output differs, stop the CCCD process by running the vpn cccd disable command.

Updated May 31, 2024

To streamline information flow and simplify actions for our customers and partners, we have consolidated all relevant details about CVE-2024-24919 and its remediation into a single SecureKnowledge article: sk182336.

 

Please revisit it now, as we have added some updates.

 

 

Updated May 30, 2024

To remain protected from CVE-2024-24919, it is mandatory install this on Check Point Quantum and Spark gateways following fix.

In addition, you should take the following extra security measures, which are documented in sk182336:

  1. Change the password of the LDAP Account Unit
  2. Reset password of local accounts connecting to Remote Access VPN with password-only authentication
  3. Prevent Local Accounts from connecting to VPN with Password-Only Authentication
  4. Renew the server certificates for the Inbound HTTPS Inspection on the Security Gateway
  5. Renew the certificate for the Outbound HTTPS Inspection on the Security Gateway
  6. Reset Gaia OS passwords for all local users
  7. Regenerate the SSH local user certificate on the Security Gateway (see the SK for more details)
  8. Renew the certificate for the SSH Inspection

Update May 28, 2024

Yesterday (May 27th) we delivered a solution that addresses attacks we saw on a small number of customers’ VPN remote access networks.

Today we found the root cause for these attacks and are now releasing a fix. To remain protected, it is mandatory install this on Check Point Quantum and Spark gateways following fix.

The vulnerability we found (CVE-2024-24919) affects Security Gateways with remote access VPN or mobile access blade enabled. It is potentially allowing an attacker to read certain information on Gateways once connected to the internet and enabled with remote access VPN or mobile access.

The fix we developed prevents the use of this vulnerability, once deployed on the relevant Gateways. Install this now to stay protected.

The attempts we’ve seen so far, inline with what we alerted you yesterday, are focusing on remote access on old local accounts with unrecommended password-only authentication within the known small customers we referred to yesterday. Check Point’s network is not affected by this.

More information on today’s notification can be found here.

Customer security is our top priority. We will continue to investigate this issue and provide additional updates.

For additional information, please contact Check Point Support Center or your Check Point representative.

 

Originally posted on May 27, 2024.

Over the past few months, we have observed increased interest of malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises.

Attackers are motivated to gain access to organizations over remote-access setups so they can try to discover relevant enterprise assets and users, seeking for vulnerabilities in order to gain persistence on key enterprise assets.

We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers. 

By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.

We have assembled special teams of Incident Response, Research, Technical Services and Products professionals which thoroughly explored those and any other potential related attempts. Relying on these customers notifications and Check Point’s analysis, the teams found within 24 hours a few potential customers which were subject to similar attempts.

Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure.

Check Point has released a solution, as a preventative measure to address these unauthorised remote access attempts.

We encourage our customers to enhance their VPN security posture by:

  • Check if you have local accounts, if they were used and by whom.
  • If you don’t use them – best to disable them.
  • If you have local accounts which you want to use and are password-only authenticated, add another layer of authentication (like certificates) to increase your environments IT security.
  • As said, If you are a Check Point customer, deploy our solution on your Security Gateways. This will automatically prevent unauthorized access to your VPNs by local accounts with password-only authentication method.

Learn more and receive practical guidance for configuration monitoring and practices to enhance your VPN security posture.

For any additional assistance required, please contact Check Point technical support Center or your local Check Point representative.

We value the collaboration of our customers and dedication of our teams to reach a solution which effectively addresses any such attempts.

(1)
334 Replies
dj0Nz
Advisor

Thanks a lot for all the information an effort, patches are all applied to customers. Very fast response, congratulations. But it would have been very helpful if someone could have explain, what "certain information" exactly means. In technical terms. Even the FAQ is very superficial in that case...

Mikael
Employee Employee
Employee

After having installed the patches and changed the LDAP-AU account we have issues with IA-agents not being able to log in.

We can browse the AD through the legacy SmartDashboard so the account seems to be working fine.

Has anyone else seen this issue after having applied the patch?

Gateways running R81.20 JHF53 and 41.

 

------- [ EDIT/UPDATE ] --------

I missed the fact that there's a separate username/password for SSO under the LDAP AU-settings.

These are not changed when you change the credentials for the LDAP-servers.

Added it here as a help for others to remember to change these as well 🙂

 
 

2024-05-30_13-16-14.jpg

 

Jim_Oqvist
Employee
Employee

Hi Mikael, we are not aware of such a issue and have not seen it at other customers. please open a service request with TAC to get help troubleshooting and solving the issue.

Kind Regards

Jim

0 Kudos
TomasFy
Explorer

For Change Management purposes: What is process of uninstalling this HF going? There is nothing about it in related SKs and I assume that it can be uninstalled via WebGUI or CPUSE (clish / installer)?

Please confirm.

0 Kudos
Gera_Dorfman
Employee
Employee

Yes, it can be uninstalled via regular tools like any other HF. 

0 Kudos
Moti
Admin
Admin

be advised of recent updates in https://support.checkpoint.com/results/sk/sk182337  :

May 30, 2024 update

Update scope of vulnerability to include Security Gateways with ONE of the following conditions:

  1. The IPsec VPN Blade is enabled, but ONLY when the Security Gateway is part of the Remote Access VPN community

  2. The Mobile Access Software Blade is enabled.

What are the suspect IP addresses used by threat actors to exploit the vulnerability?

23.227.196.88
23.227.203.36
37.19.205.180
38.180.54.104
38.180.54.168
46.59.10.72
46.183.221.194
46.183.221.197
64.176.196.84
87.206.110.89
104.207.149.95
109.134.69.241
146.70.205.62
146.70.205.188
149.88.22.67
154.47.23.111
156.146.56.136
158.62.16.45
167.61.244.201
178.236.234.123
185.213.20.20
185.217.0.242
192.71.26.106
195.14.123.132
203.160.68.12
68.183.56.130
167.99.112.236
132.147.86.201
162.158.162.254
61.92.2.219
183.96.10.14
198.44.211.76
221.154.174.74
112.163.100.151
103.61.139.226
82.180.133.120
146.185.207.0/24
193.233.128.0/22
193.233.216.0/21
217.145.225.0/24
31.134.0.0/20
37.9.40.0/21
45.135.1.0/24
45.135.2.0/23
45.155.166.0/23
5.188.218.0/23
85.239.42.0/23
88.218.44.0/24
91.132.198.0/24
91.218.122.0/23
91.245.236.0/24 

 

When were exploitation attempts for this vulnerability first seen?
As of May 30, our retrospective telemetry analysis shows exploitation attempts starting on April 30, 2024.

 What is the current CVSS score of this vulnerability?

As of May 30, 2024, the CVSS score is 8.6 (High), with the vector string - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector (AV): Network - This vulnerability is exploited only through the Network.

Attack Complexity (AC): Low - An attacker can expect repeatable success when attacking the vulnerable component. There are no special conditions or circumstances required for exploit success, assuming the component (VPN) is enabled on the Security Gateway.

Privilege Required (PR): None - The attacker is unauthorized.

User Interaction (UI): None - The vulnerability can be exploited without any user interaction.

Scope (S): Changed - An exploited vulnerability can affect Security Gateway components besides the VPN.

Confidentiality (C): High - All resources within the Security Gateway are potentially accessible to the attacker and are therefore considered compromised.

Integrity (I): None - There is no loss of Security Gateway integrity.

Availability (A): None - There is no impact on the Security Gateway availability.
0 Kudos
Moudar
Advisor

All were blocked!

blocked-japan.JPG

Moudar
Advisor

I can see many accepted logs from IPs like:

45.135.246.47

45.135.202.182

45.135.201.241

45.135.255.143

Should I block the whole 45.135.2.0/23, or what is the recommended action?

0 Kudos
jgar
Contributor

Hello,
just got the first catch by the related IPS protection this morning, at one of several customers that I patched these last days.

Does it look to be a true positive?


2024-05-30_13-18-48.png

 

 

 
0 Kudos
_Val_
Admin
Admin

This pretty much can be a true one.

Just be advised, that IPS is only effective if your IPS GW is between the attacker and a device he attempts to exploit.

0 Kudos
Rene_Moeller1
Contributor

HTTPS, perfect....

here i saw the same Attack via http in the Past:

---.png

0 Kudos
Wolfgang
Authority
Authority

We have problems installing the fix on older R80.30 gateways. Jumbo take 255 installed, but not detected.

 

VPN_fix..PNG

0 Kudos
MatanYanay
Employee
Employee

Hi @Wolfgang 

Currently the HF supports only Kernel 2.6, and you have installed Kernel 3.10  

we will adjust the sk so it will be clear, and we will work to publish dedicated HF for Kernel 3.10 on top Jumbo take 255

Matan. 

Jim_Oqvist
Employee
Employee

Hi,

In the context of the mandatory sk182336 - Preventative Hotfix for CVE-2024-24919, I have created two videos, one to clarify which hotfix is mandatory to install, what the differences between these two hotfixes are, and another video showing how to configure the gateway not to be vulnerable to this exploitation if you are unable to install the hotfix ASAP, this in order to give some you some breathing room.

I recorded this video to provide clarification on which hotfix it is mandatory for all customers to install ASAP

 

I recorded this video to provide clarification on how to configure the gateway not to be vulnerable if you are not able to ASAP install the sk182336 - Preventative Hotfix.

Here are Peter Elmers videos I am referring to in my recording

  1. To help you following best practices moving away from local users with passwords, Peter Elmer create...
  2. In the context of CVE-2024-24919 documented in sk182336, Peter Elmer created this short video, showi...
(1)
Moti
Admin
Admin

Thank you !!

0 Kudos
_Val_
Admin
Admin

Thanks, very informative and right to the point

0 Kudos
JozkoMrkvicka
Mentor
Mentor

Please link/upload all videos posted here (including Peter's) to all relevant Check Point articles relevant to this topic.

Kind regards,
Jozko Mrkvicka
0 Kudos
K_R_V
Collaborator

Given the detailed information about this CVE provided by researchers, I don't understand why its severity rating is "only" 7.5. It seems Check Point is downplaying the severity of this bug.

 

 

the_rock
Legend
Legend

EXACTLY my thought. Super valid and logical point you made @K_R_V 

Andy

0 Kudos
Peter_Sandkuijl
Employee
Employee

The FAQ has the severity rating raised to 8.6 for a few hours now. This is a developing story

0 Kudos
the_rock
Legend
Legend

Thats fair, but based on all we know so far, logically, it would indicate should be raised to highest possible score. Just my take...

Andy

0 Kudos
_Val_
Admin
Admin

@the_rock There is an industry standard for calculating CVE severity score, which is followed here to the letter. 

This is not a matter of opinion. If you have an actual argument, and not just "your personal feeling", please do tell. Otherwise, there is no point. 

 

People are working on this around the clock. Noise is not helping.

Thanks

(2)
the_rock
Legend
Legend

Well, this is my argument. Based on all we know so far and the impact this seems to have, that would dictate severity to be raised pretty high, if not the highest.

Unless there is something else Im missing...

Andy

0 Kudos
the_rock
Legend
Legend
0 Kudos
Alex-
Leader Leader
Leader

So we need to change all local passwords and renew all HTTPS Inspection certs. This will be a long or short night, depending of the point of view.

0 Kudos
emanor
Employee
Employee

Hi, as of May 30, 2024, the CVSS score is 8.6 (High), with the vector string - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector (AV): Network - This vulnerability is exploited only through the Network.

Attack Complexity (AC): Low - An attacker can expect repeatable success when attacking the vulnerable component. There are no special conditions or circumstances required for exploit success, assuming the component (VPN) is enabled on the Security Gateway.

Privilege Required (PR): None - The attacker is unauthorized.

User Interaction (UI): None - The vulnerability can be exploited without any user interaction.

Scope (S): Changed - An exploited vulnerability can affect Security Gateway components besides the VPN.

Confidentiality (C): High - All resources within the Security Gateway are potentially accessible to the attacker and are therefore considered compromised.

Integrity (I): None - There is no loss of Security Gateway integrity.

Availability (A): None - There is no impact on the Security Gateway availability.

0 Kudos
BorisL
Collaborator

Hi Amir. Can you confirm 996002908 is the latest build with the fix announced last night for 1600 appliances?

0 Kudos
Amir_Ayalon
Employee
Employee

correct

Mikael
Employee Employee
Employee

Any workaround or just wait for next version?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events