FuzzyLogic
Employee

Notes on Script to Identify vulnerable Security Gateways for CVE-2024-24919

Hey everyone,

Just sharing a quick note on running the script from SK182336 to determine if any of your gateways are vulnerable. When running the script, some users have reported an error similar to: "Failed to collect Domains".

If you come across this, just double-check that you have the management server object highlighted when running the script. The error is a little ambiguous, but in SMS environments it may be returned simply because a gateway was highlighted instead of the management server.

Hopefully, this little tidbit will save someone some time.

Regards,

35 Replies
PhoneBoy
Admin

cpinfo -y all output please?
Can you also see if vpnf is running on your system?
Tagging @Tomer_Noy also

0 Kudos
the_rock
Legend

[Expert@CP-TEST:0]# cpinfo -y all

This is Check Point CPinfo Build 914000239 for GAIA
[MGMT]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[IDA]
No hotfixes..
[CPFC]
No hotfixes..
[FW1]
HOTFIX_GOT_MGMT_AUTOUPDATE
HOTFIX_NGM_DOCTOR_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
HOTFIX_WEBCONSOLE_AUTOUPDATE
HOTFIX_VCE_R81_20_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE

FW1 build number:
This is Check Point Security Management Server R81.20 - Build 011
This is Check Point's software version R81.20 - Build 030
kernel: R81.20 - Build 038
[SecurePlatform]
HOTFIX_ENDER_V17_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[CPinfo]
No hotfixes..
[PPACK]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[AutoUpdater]
HOTFIX_INFRA_CONFIG_AUTOUPDATE
[CME]
HOTFIX_CME_AUTOUPDATE
[CPUpdates]
BUNDLE_ESOD_CSHELL_AUTOUPDATE Take: 20
BUNDLE_ENDER_V17_AUTOUPDATE Take: 26
BUNDLE_MINMUS_AUTOUPDATE Take: 23
BUNDLE_KERBIN_AUTOUPDATE Take: 47
BUNDLE_GOT_MGMT_AUTOUPDATE Take: 129
BUNDLE_NGM_DOCTOR_AUTOUPDATE Take: 23
BUNDLE_INFRA_CONFIG_AUTOUPDATE Take: 3
BUNDLE_QUID_AUTOUPDATE Take: 14
BUNDLE_CPOTLPAGENT_AUTOUPDATE Take: 26
BUNDLE_R81_20_JUMBO_HF_MAIN Take: 65
BUNDLE_GENERAL_AUTOUPDATE Take: 18
BUNDLE_DC_CONTENT_AUTOUPDATE Take: 20
BUNDLE_DC_INFRA_AUTOUPDATE Take: 30
BUNDLE_INFRA_AUTOUPDATE Take: 65
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 27
BUNDLE_CPVIEWEXPORTER_AUTOUPDATE Take: 34
BUNDLE_CPOTELCOL_AUTOUPDATE Take: 93
BUNDLE_WEBCONSOLE_AUTOUPDATE Take: 104
BUNDLE_VCE_R81_20_AUTOUPDATE Take: 15
BUNDLE_TUNNEL_AUTOUPDATE Take: 107
BUNDLE_DANA_AUTOUPDATE Take: 170
BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 20
BUNDLE_HCP_AUTOUPDATE Take: 72
BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 128
BUNDLE_GOT_TPCONF_MGMT_AUTOUPDATE Take: 39
BUNDLE_CPSDC_AUTOUPDATE Take: 34
BUNDLE_CORE_FILE_UPLOADER_AUTOUPDATE Take: 21
BUNDLE_CME_AUTOUPDATE Take: 271
[DIAG]
No hotfixes..
[Reporting Module]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[CPuepm]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[VSEC]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[CPDepCon]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[CPRepMan]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[CVPN]
HOTFIX_ESOD_CSHELL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[SmartLog]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[R7540CMP]
No hotfixes..
[R76CMP]
No hotfixes..
[SFWR77CMP]
HOTFIX_R81_20_JHF_COMP Take: 65
[SFWR80CMP]
HOTFIX_R81_20_JHF_COMP Take: 65
[SFWR81CMP]
HOTFIX_R81_20_JHF_COMP Take: 65
[R77CMP]
No hotfixes..
[R8040CMP]
HOTFIX_R81_20_JHF_COMP Take: 65
[core_uploader]
HOTFIX_CHARON_HF
[cpsdc_wrapper]
HOTFIX_CPSDC_AUTOUPDATE
[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE
[sho_wrapper]
HOTFIX_DANA_AUTOUPDATE
[infinity_onprem_wrapper]
HOTFIX_TUNNEL_AUTOUPDATE
[MGMTAPI]
No hotfixes..
[CPotelcol]
HOTFIX_OTLP_GA
[CPviewExporter]
HOTFIX_OTLP_GA
[CPDepInst]
No hotfixes..
[itp_wrapper]
HOTFIX_GOT_MGMT_AUTOUPDATE
[CPotlpAgent]
HOTFIX_OTLP_GA
[CPquid]
HOTFIX_QUID_AUTOUPDATE
[diff_report_wrapper]
HOTFIX_MINMUS_AUTOUPDATE
HOTFIX_KERBIN_AUTOUPDATE

[Expert@CP-TEST:0]# ps -auxw | grep vpnf
admin 17668 0.0 0.0 2648 568 pts/2 S+ 21:44 0:00 grep --color=auto vpnf
[Expert@CP-TEST:0]#
0 Kudos
PhoneBoy
Admin

R81.20 Take 65 includes the fix for CVE-2024-24919, thus the result is correct.

the_rock
Legend

Fair enough.

0 Kudos
Tomer_Noy
Employee

Just to clarify, the originally released HF fixed the CVE vulnerability for the Remote Access portal.

After releasing that HF, we found that the cccd process was not patched, and therefore instructed people to deactivate cccd if their configuration allows potential use of the vulnerability (we include that statement in the script output). Remember that cccd is off by default, but we wanted to be extra careful in case someone had activated it manually.

The JHFs that we recently released include a fix / patch for cccd as well. That's why, when using JHFs, it's no longer important to deactivate cccd, and the script doesn't warn that it's vulnerable.

(1)
the_rock
Legend

K, excellent, thanks for the explanation @Tomer_Noy 👍

0 Kudos
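The two checks discussed in this thread (PhoneBoy's reading of the Jumbo take in `cpinfo -y all`, and Tomer_Noy's point that cccd only matters on builds without the JHF fix), as an added example in POSIX shell. This is not the sk182336 script or any Check Point code. It pulls the release and the lowest Jumbo take out of `cpinfo -y all` output, compares the take against a fixed-take table, and checks the process list for vpnf and cccd without being fooled by the grep matching its own command line, which is exactly what the `ps -auxw | grep vpnf` output above shows. Assumptions: the fixed-take table has a single entry, R81.20 Take 65, taken from PhoneBoy's statement that Take 65 includes the fix (sk182336 may list a lower minimum; fill the table from there); the sample outputs are constructed and abridged from the thread, with made-up process paths; `report`, `jumbo_status`, `proc_running` and the other function names are mine.

```shell
#!/bin/sh
# Added example, not the sk182336 script: classify CVE-2024-24919 exposure
# from `cpinfo -y all` and `ps -auxw` output. Run in Expert mode on Gaia, or
# offline against the constructed samples below.

# Constructed sample, abridged from the R81.20 `cpinfo -y all` output in the thread.
SAMPLE_CPINFO='This is Check Point CPinfo Build 914000239 for GAIA
[MGMT]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[FW1]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
[SFWR80CMP]
HOTFIX_R81_20_JHF_COMP Take: 65
[CVPN]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65'

# Constructed sample of `ps -auxw` (process paths are made up). The last line is
# the grep matching its own command line, exactly as in the thread: a naive
# `grep vpnf` would report that as a running vpnf.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
admin 1234 0.0 0.1 12345 678 ? Ss 21:40 0:00 /opt/CPsuite-R81.20/fw1/bin/fwd
admin 17668 0.0 0.0 2648 568 pts/2 S+ 21:44 0:00 grep --color=auto vpnf'

# Release from the main Jumbo tag: HOTFIX_R81_20_JUMBO_HF_MAIN -> R81.20
cpinfo_release() {
    printf '%s\n' "$1" |
        sed -n 's/^HOTFIX_\(R[0-9_]*\)_JUMBO_HF_MAIN Take: .*/\1/p' |
        head -n 1 | tr '_' '.'
}

# Lowest Jumbo take across all packages; the JHF_COMP compatibility tags are
# deliberately not matched. A partial install can leave one package behind,
# so the minimum is the honest number.
cpinfo_jumbo_take() {
    printf '%s\n' "$1" |
        sed -n 's/^HOTFIX_R[0-9_]*_JUMBO_HF_MAIN Take: \([0-9][0-9]*\).*/\1/p' |
        sort -n | head -n 1
}

# Minimum Jumbo take carrying the fix. ASSUMPTION: only R81.20 is filled in,
# from PhoneBoy's "Take 65 includes the fix"; take the other releases (and the
# true minimum for R81.20) from sk182336.
fixed_take_for() {
    case "$1" in
        R81.20) echo 65 ;;
        *) return 1 ;;
    esac
}

# Prints patched, vulnerable or unknown for one cpinfo -y all output.
jumbo_status() {
    rel=$(cpinfo_release "$1")
    take=$(cpinfo_jumbo_take "$1")
    if ! need=$(fixed_take_for "$rel"); then
        echo unknown
    elif [ -n "$take" ] && [ "$take" -ge "$need" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# True if a process whose command basename is $1 appears in ps output $2.
# Column 11 of `ps -auxw` is COMMAND; the header and grep's own line are skipped.
proc_running() {
    printf '%s\n' "$2" | awk -v n="$1" '
        NR > 1 { cmd = $11; sub(/.*\//, "", cmd)
                 if (cmd == "grep") next
                 if (cmd == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

report() {
    st=$(jumbo_status "$1")
    echo "release $(cpinfo_release "$1"), jumbo take $(cpinfo_jumbo_take "$1"): $st"
    if proc_running vpnf "$2"; then echo "vpnf: running"; else echo "vpnf: not running"; fi
    if proc_running cccd "$2"; then
        echo "cccd: running"
        # Per Tomer_Noy: the JHF patches cccd, the original HF did not.
        [ "$st" = patched ] || echo "cccd is active on a build without the JHF fix: deactivate it per sk182336"
    else
        echo "cccd: not running (off by default)"
    fi
}

if command -v cpinfo >/dev/null 2>&1; then
    report "$(cpinfo -y all)" "$(ps -auxw)"   # on the Gaia box itself
else
    report "$SAMPLE_CPINFO" "$SAMPLE_PS"      # offline, constructed samples
fi
```

The minimum take across packages is used rather than the first one found, because a Jumbo install that failed part way can leave one package on an older take while the [MGMT] entry looks current. The process check compares the command basename in column 11 instead of grepping the whole line, so neither the grep itself nor a path that merely contains the string counts as a running daemon.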
