Fortra is investigating CVE-2024-24919, an information disclosure vulnerability in Check Point Security Gateways. It allows an unauthenticated attacker to read sensitive information from internet-exposed gateways that have the IPsec VPN blade enabled and belong to the Remote Access VPN community, or that have the Mobile Access software blade enabled. Check Point has released hotfixes that fix the vulnerability.
Who is affected?
Check Point has listed the following product lines and versions as affected:
- Check Point Quantum Gateway versions R81.20, R81.10, R81, and R80.40
- CloudGuard Network versions R81.20, R81.10, R81, and R80.40
- Check Point Quantum Spark versions R81.10 and R80.20
What can I do?
Check Point has released a hotfix for this vulnerability, which can be installed through CPUSE in the Gaia Portal of the affected gateway.
For more information about the hotfix, refer to Check Point's advisory.
Check Point also recommends the following additional measures. They assume the worst case: that credentials and certificates stored on a gateway exposed before the hotfix was applied may already have been read.
- Run Check Point's tool to identify vulnerable Security Gateways
- Change the password of the LDAP Account Unit
- Reset the passwords of local accounts that connect to the VPN with password authentication
- Prevent local accounts from connecting to the VPN with password authentication
- Renew the Security Gateway's Inbound SSL Inspection server certificates
- Renew the Security Gateway's Outbound SSL Inspection CA certificate
- Reset Gaia OS passwords for all local users
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Vulnerability Scanning: Alert Logic released unauthenticated scan coverage on June 6, 2024, to check for vulnerable hosts. If the vulnerability is found, an exposure (EID: 267763) will be raised for CVE-2024-24919.
Alert Logic WAF: A virtual patch that detects and blocks exploit attempts has been released in the Emerging Threats Virtual Patch group. Website security profiles configured to use that group apply the protection automatically.
Core Impact: Core Impact delivered a new module on June 5, 2024, to validate the presence of CVE-2024-24919. The module exploits the directory traversal in the /clients/MyCRL endpoint of a Check Point Gaia gateway: it requests the file named in the module's "FILE PATH" parameter, which the endpoint should not serve, and saves the response locally to the location given in the "OUTPUT PATH" parameter. A successful download confirms that the gateway is unpatched.
Fortra VM: Fortra VM released unauthenticated scan coverage on June 6, 2024, via scanner version 4.43.1. If the vulnerability is found, vulnerability 159814 "Check Point Security Gateways Information Disclosure Vulnerability (Critical)" will be raised.
Tripwire IP360: Tripwire released unauthenticated scan coverage on June 5, 2024, to identify vulnerable instances. If the vulnerability is found, vulnerability 634660 will match for CVE-2024-24919.
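The WAF virtual patch and the Core Impact module above both hinge on the same request shape: a request to /clients/MyCRL whose file argument traverses out of the directory the endpoint is meant to serve. The following detector, added here as an example and not code from Fortra or Check Point, runs that check over a few constructed access-log lines. It assumes a combined-style access log with an optional `body="..."` field appended (gateway logs may look different), decodes percent-encoding repeatedly so that single- and double-encoded `../` are caught, and only treats `..` as a traversal when it forms a whole path component, so a filename like `..foo` does not trip it.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory text; compared case-insensitively after decoding.
MYCRL_PATH = "/clients/MyCRL"

# A ".." that is a whole path component: not preceded by a word character or a
# dot, and followed by a slash, a backslash, or the end of the string.
TRAVERSAL_RE = re.compile(r"(?<![\w.])\.\.(?:[/\\]|$)")

# Assumed log layout (constructed for this example): combined log format with
# an optional trailing body="..." field carrying the POST body.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "[^"]*")?'
    r'(?: body="(?P<body>[^"]*)")?'
)

# Constructed sample lines (not real gateway logs). Hosts are RFC 5737 test addresses.
SAMPLE_LOGS = [
    # 1: plain traversal in the POST body
    '203.0.113.7 - - [05/Jun/2024:10:01:12 +0000] "POST /clients/MyCRL HTTP/1.1" 200 1412 "-" "curl/8.4.0" body="x/../../../../../../etc/passwd"',
    # 2: single-URL-encoded traversal in the body
    '198.51.100.23 - - [05/Jun/2024:10:01:40 +0000] "POST /clients/MyCRL HTTP/1.1" 200 998 "-" "python-requests/2.31" body="%2e%2e%2f%2e%2e%2fetc%2fshadow"',
    # 3: double-encoded traversal in the query string of a GET
    '192.0.2.9 - - [05/Jun/2024:10:02:05 +0000] "GET /clients/MyCRL?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    # 4: ordinary CRL fetch, no traversal
    '192.0.2.44 - - [05/Jun/2024:10:03:00 +0000] "GET /clients/MyCRL HTTP/1.1" 200 1204 "-" "Check Point Endpoint"',
    # 5: "..foo" is a filename component, not a traversal
    '192.0.2.44 - - [05/Jun/2024:10:03:30 +0000] "POST /clients/MyCRL HTTP/1.1" 200 77 "-" "curl/8.4.0" body="x/..foo/bar"',
    # 6: traversal against a different endpoint, outside this rule's scope
    '203.0.113.7 - - [05/Jun/2024:10:04:10 +0000] "GET /sslvpn/Login/../../etc/passwd HTTP/1.1" 400 0 "-" "curl/8.4.0"',
    # 7: unparseable line, skipped
    'this is not an access log line',
]


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e%252f are seen as ../."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_mycrl_traversal(target, body):
    """True if the request targets /clients/MyCRL and its URL or body carries
    a traversal component after decoding."""
    path = target.split("?", 1)[0]
    if not fully_decode(path).lower().startswith(MYCRL_PATH.lower()):
        return False
    candidates = [target] + ([body] if body else [])
    return any(TRAVERSAL_RE.search(fully_decode(c)) for c in candidates)


def scan_logs(lines):
    """Return one finding per line that looks like a MyCRL traversal attempt."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_mycrl_traversal(rec["target"], rec["body"]):
            findings.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "method": rec["method"],
                "status": int(rec["status"]),
                "evidence": rec["body"] or rec["target"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['ts']} {f['src']} {f['method']} status={f['status']} evidence={f['evidence']}")
```

A 200 response on a traversal request is the strongest signal, since it means the file was served; a 404 or 400 still records an attempt worth correlating with the credential resets listed above. Run the script as-is to see the three constructed hits, or feed real log lines to `scan_logs` after adjusting `LOG_RE` to your gateway's log format.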
Updates
Fortra has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Fortra security coverage as it becomes available.
06/05/2024: Fortra released unauthenticated scan coverage for Tripwire IP360 to check for vulnerable hosts. In addition, Core Impact delivered a new module to validate the presence of CVE-2024-24919.
06/06/2024: Fortra released unauthenticated scan coverage for Alert Logic and Fortra VM to check for vulnerable hosts.