Check Point Warning: VPN Gateway Products’ Zero-Day Attack

Wajahat Raja

June 13, 2024 - TuxCare expert team

Check Point has issued an alert regarding a critical zero-day vulnerability identified in its Network Security gateway products. As per the Check Point warning, this vulnerability, tracked as CVE-2024-24919 with a CVSS score of 8.6, has been actively exploited by threat actors in the wild. The affected products include CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.

Details of Check Point Product Vulnerabilities


According to the Check Point warning, the vulnerability allows attackers to read specific information from Internet-connected Gateways that have remote access VPN or mobile access enabled. The company has released hotfixes for several versions of its products to address this issue. The patched versions include:

  • Quantum Security Gateway and CloudGuard Network Security Versions: R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis Versions: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways Versions: R81.10.x, R80.20.x, R77.20.x


Background of the Exploitation


As per the Check Point warning, the vulnerability has been exploited since at least April 30, 2024. Check Point first detected a small number of login attempts using outdated VPN local accounts that relied on password-only authentication methods. This activity has now been traced back to the newly discovered zero-day vulnerability. Check Point’s Security Gateways with IPSec VPN, Remote Access VPN, and the Mobile Access software blade are particularly affected.

The Check Point warning noted that the supply chain cyberattacks so far have targeted remote access on old local accounts with weak password-only authentication. Although the company has not provided detailed information on the nature of the attacks, it emphasized the importance of addressing this vulnerability promptly.


Widespread Impact on VPN Devices


The targeting of VPN devices is part of a broader trend of attacks on network perimeter applications. Similar incidents have impacted devices from Barracuda Networks, Cisco, Fortinet, Ivanti, Palo Alto Networks, and VMware in recent years. Attackers are increasingly motivated to breach remote-access setups to gain access to enterprise assets and exploit VPN gateway vulnerabilities to maintain persistence within networks.


Check Point Warning – Advisory and Observations from Security Firms


In an advisory published on June 5, 2024, cybersecurity firm mnemonic highlighted the critical nature of CVE-2024-24919. The firm has observed exploitation attempts targeting its customer environments since April 30, 2024. According to mnemonic, the vulnerability allows unauthorized actors to extract information from internet-connected gateways, including password hashes for all local accounts.

This vulnerability is particularly concerning because it requires neither user interaction nor privileges to exploit. The extracted password hashes, especially those of legacy local users with weak passwords, can be cracked, enabling attackers to move laterally within networks. Mnemonic noted that attackers have used this vulnerability to extract Active Directory data (NTDS.dit) within 2-3 hours of logging in with a local user.


Urgent Need for Protecting VPN Gateways


Censys, an attack surface management firm, reported that as of May 31, 2024, there were 13,802 internet hosts exposing either a CloudGuard instance, Quantum Security, or Quantum Spark gateway. Although Check Point described CVE-2024-24919 as an information disclosure vulnerability, further analysis by watchTowr Labs revealed it to be a path traversal flaw. This flaw allows attackers to read arbitrary files, including sensitive ones such as /etc/shadow.

 

Security researcher Aliz Hammond warned that Check Point’s initial statement might downplay the severity of this bug. With public proof-of-concept exploits available and real-world attacks occurring, Hammond stressed the importance of treating this as a severe unauthenticated remote code execution (RCE) vulnerability. Device administrators are urged to apply the patches immediately.
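Because the flaw is a path traversal that reads files outside the web root, one thing a defender can do while the hotfix is being rolled out is look for traversal attempts in HTTP access logs that front the gateway. The following detector is an added example written for this article; it is not Check Point's code, it does not use the product's real endpoint or log format, and the log lines are constructed samples in a generic Common Log Format. It URL-decodes each request target (repeatedly, so double encoding does not hide the `..` segments), walks the path to see whether it ever climbs above the web root, and rates a hit higher when the resolved file is a known credential store such as /etc/shadow. Traversal that stays inside the root (`/docs/../guide.pdf`) is deliberately not flagged.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Common Log Format); not real gateway logs
# and not real exploit traffic for CVE-2024-24919.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2024:08:15:02 +0000] "GET /portal/index.html HTTP/1.1" 200 512
203.0.113.10 - - [30/Apr/2024:08:15:09 +0000] "POST /portal/login HTTP/1.1" 302 0
198.51.100.7 - - [30/Apr/2024:08:16:41 +0000] "POST /portal/files/../../../../etc/shadow HTTP/1.1" 200 1843
198.51.100.7 - - [30/Apr/2024:08:16:55 +0000] "GET /portal/files/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2201
203.0.113.22 - - [30/Apr/2024:08:17:30 +0000] "GET /portal/docs/../guide.pdf HTTP/1.1" 200 9981
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Files whose disclosure is worth an immediate alert (credential material).
SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd"}


def decode_target(target: str, rounds: int = 3) -> str:
    """Drop the query string and URL-decode up to `rounds` times so that
    double-encoded sequences such as %252e%252e are still resolved."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators too, so "..\" cannot slip past the walk.
    return path.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """Walk the path segment by segment; True if '..' ever climbs above the root."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def resolve(path: str) -> str:
    """Collapse '.' and '..' to the file the server would actually open,
    assuming the web root is mapped at '/' (an assumption of this example)."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def analyze_target(target: str):
    """Return a finding dict for a request target that escapes the web root,
    or None when the path stays inside it (benign relative navigation)."""
    decoded = decode_target(target)
    if not escapes_root(decoded):
        return None
    resolved = resolve(decoded)
    severity = "high" if resolved in SENSITIVE_FILES else "medium"
    return {"target": target, "resolved": resolved, "severity": severity}


def scan_log(text: str):
    """Parse each access-log line and collect traversal findings with source IP."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        finding = analyze_target(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), method=m.group("method"),
                           status=m.group("status"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['ip']} {f['method']} {f['target']} -> {f['resolved']}")
```

Run over the constructed sample, the two requests from 198.51.100.7 are reported as high severity with resolved paths /etc/shadow and /etc/passwd, while the in-root `/portal/docs/../guide.pdf` request produces no finding. A status of 200 with a non-trivial response size on such a request is the combination that most deserves follow-up, since it suggests the file was actually served.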


Zero-day Attack Mitigation


The Check Point warning stated that the first exploitation attempts were detected on April 7, 2024. The company is continuing its investigation and recommends immediately patching Check Point gateways to mitigate the growing remote access VPN security risks.


Conclusion


In conclusion, organizations using Check Point’s affected products should prioritize applying the available hotfixes to secure their systems against this critical zero-day vulnerability and protect against VPN attacks. Implementing network security best practices is essential for protecting sensitive data and maintaining the integrity of your IT infrastructure. Swift action will help prevent unauthorized access and potential network breaches.

The sources for this piece include articles in The Hacker News and Security Week.
