This page summarizes the CVE-2024-24919 vulnerability in Check Point Security Gateway, its in-the-wild abuse, and the recommended mitigations. #CVE-2024-24919 #CheckPointSecurityGateway #NTDSdit #ActiveDirectory #IPSecVPN #RemoteAccessVPN #Rapid7 #mnemonic #watchTowr
Key points
- The advisory covers a high-severity information disclosure vulnerability (CVE-2024-24919) affecting Check Point Security Gateway devices with IPSec VPN or Mobile Access blades.
- In-the-wild exploitation has been observed since April 30, 2024, enabling threat actors to enumerate and extract password hashes for local accounts, including AD-connected accounts.
- Adversaries have been seen moving laterally and extracting the ntds.dit file from compromised Active Directory servers within hours of initial access.
- The vulnerability allows unauthenticated remote attackers to read contents of arbitrary files on the affected appliance (e.g., /etc/shadow), potentially enabling hash cracking and unauthorized access.
- Vendor hotfixes have been released for multiple Check Point products; administrators should apply them immediately and investigate for signs of compromise.
- Mitigation guidance includes disabling unused local accounts, adopting certificate-based authentication, and following the vendor’s remote-access authentication recommendations.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – An unauthenticated remote attacker could read arbitrary files on the affected appliance. ‘The vulnerability allows an unauthenticated remote attacker to read the contents of an arbitrary file located on the affected appliance.’
- [T1087] Account Discovery – Adversaries enumerate local accounts to identify credentials. ‘enumerate and extract password hashes for all local accounts’
- [T1003.003] OS Credential Dumping: NTDS – Adversaries copy the Active Directory database to obtain domain credential material. ‘They’ve observed adversaries moving laterally and extracting the “ntds.dit” file from compromised customers’ Active Directory servers.’
- [T1021] Remote Services – Adversaries move laterally across the network to access other systems, including AD servers. ‘adversaries moving laterally and extracting the “ntds.dit” file from compromised customers’ Active Directory servers.’
Indicators of Compromise
- [IP Address] login events originating from an internal address – 192.168.181.1 (e.g., admin web login, SSH login from 192.168.181.1)
- [File Name] sensitive credential data exposed – /etc/shadow, ntds.dit
- [Log File] system and audit logs showing access events – /var/log/messages, /var/log/audit/audit.log
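As an added example (not part of the original advisory summary or any vendor tooling), the script below applies the indicators listed above to log lines in the style of /var/log/messages and /var/log/audit/audit.log: it flags login events from the internal address 192.168.181.1 and any audit record naming /etc/shadow or ntds.dit. The sample lines are constructed for illustration, and the sshd/httpd2/auditd message formats are assumed approximations of the appliance's real output, so the regular expressions should be adjusted to the actual log format before use.

```python
import re
from typing import Iterable

# Indicators taken from the advisory summary above.
IOC_IP = "192.168.181.1"
IOC_FILES = ("/etc/shadow", "ntds.dit")

# Constructed sample lines imitating /var/log/messages and
# /var/log/audit/audit.log. They are illustrative, not captures
# from a compromised appliance, and the formats are assumptions.
SAMPLE_LOGS = [
    "May  5 10:01:02 gw sshd[2301]: Accepted password for admin from 10.20.30.40 port 50122 ssh2",
    "May  5 10:03:15 gw sshd[2318]: Accepted password for admin from 192.168.181.1 port 51234 ssh2",
    "May  5 10:03:40 gw httpd2: admin login from 192.168.181.1 succeeded",
    'type=PATH msg=audit(1714900000.123:45): item=0 name="/etc/shadow" inode=1234 mode=0100640',
    'type=PATH msg=audit(1714900050.456:46): item=0 name="/etc/hosts" inode=1235 mode=0100644',
    "May  5 10:05:00 gw cron[2400]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
]

# Dotted-quad IPv4 addresses anywhere in a line.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Rough marker for an authentication event (sshd "Accepted ..." or a web "login").
LOGIN_RE = re.compile(r"Accepted \w+ for|\blogin\b", re.IGNORECASE)


def is_login_event(line: str) -> bool:
    """True when the line looks like an authentication event."""
    return LOGIN_RE.search(line) is not None


def scan(lines: Iterable[str]) -> list[dict]:
    """Return one finding per IoC match, in line order.

    A finding is a dict with the 1-based line number, the matched
    indicator, a kind label and the raw line, so it can be fed into
    a ticket or SIEM event without further parsing.
    """
    findings: list[dict] = []
    for number, line in enumerate(lines, start=1):
        # Login event whose source address is the IoC address.
        if is_login_event(line) and IOC_IP in IP_RE.findall(line):
            findings.append({
                "line": number,
                "indicator": IOC_IP,
                "kind": "login_from_ioc_ip",
                "text": line,
            })
        # Any record that names a sensitive credential file.
        for path in IOC_FILES:
            if path in line:
                findings.append({
                    "line": number,
                    "indicator": path,
                    "kind": "sensitive_file_access",
                    "text": line,
                })
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']:>3}  {hit['kind']:<22} {hit['indicator']}: {hit['text']}")
```

On the constructed input the scan reports three findings: the SSH login and the web login from 192.168.181.1, and the audit record for /etc/shadow. Login events from other addresses and reads of non-sensitive files are ignored, which keeps the output focused on the indicators the advisory actually names.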