A critical vulnerability CVE-2024-24919 affects Check Point gateways with the Mobile Access blade, enabling unauthorized remote access to extract credentials, files, and potentially take full control of internet-connected gateways. Exploitation has been observed in the wild since April 2024, prompting urgent patching, mitigations, and ongoing investigations. #CVE-2024-24919 #CheckPoint #MobileAccess #CapsuleWorkspace
Key points
- Affected systems include all gateways with the Mobile Access blade enabled, including Capsule Workspace installations.
- The CVSS v3.1 base score is 8.6 (HIGH), reflecting high risk and ease of remote exploitation.
- Threat actors can enumerate and extract password hashes for all local accounts, including accounts used to connect to Active Directory.
- Updates show attackers can retrieve all files on the local filesystem, including SSH keys, certificates, and other critical data.
- Exploitation does not require user interaction, enabling remote compromise with relative ease and potential lateral movement.
- Live exploitation has been observed since April 2024, with a public PoC and multiple advisories prompting mitigations and post-patch monitoring.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability is on internet-facing Check Point Remote Access VPN gateways, enabling remote exploitation. Quote: ‘The vulnerability is critical because it allows unauthorised actors to extract information from gateways connected to the Internet.’
- [T1003] OS Credential Dumping – Attackers enumerate and extract password hashes for all local accounts, including the AD-connect account. Quote: ‘The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory.’
- [T1005] Data from Local System – Attackers can retrieve all files on the local filesystem, including password hashes, SSH keys, certificates and other critical files. Quote: ‘This includes password hashes for all local accounts, SSH keys, certificates and other critical files.’
- [T1021.004] Remote Services: SSH – Threat actors can gain full shell access on vulnerable systems with relative ease, implying use of remote services for initial access and lateral movement. Quote: ‘Threat actors can gain full shell access on vulnerable systems with relative ease.’
Indicators of Compromise
- [URL] exploitation/exfiltration indicator – https://<gateway-IP>/clients/MyCRL and related POST activity to the same path (e.g., POST requests containing CSHELL); monitor this path for detection
- [File] critical data files – ntds.dit, SSH keys, certificates and other local files
- [Hash] credential hashes – password hashes for local accounts (including AD-connected accounts)
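The URL indicator above (POST activity to /clients/MyCRL, with CSHELL in the body as the stronger signal) can be turned into a simple log-scanning rule. The following is an added example, not part of the advisory or any Check Point tooling; it assumes a constructed, simplified tab-separated access-log layout (timestamp, client IP, method, path, status, body excerpt) that real gateway logs will not match, so the parser is the part to adapt.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional
INDICATOR_PATH = "/clients/MyCRL"   # path from the IoC list above
INDICATOR_MARKER = "CSHELL"          # body marker from the IoC list above

# Constructed sample log (simplified, tab-separated; not a real Check Point format)
SAMPLE_LOG = [
    "2024-05-30T10:00:01Z\t198.51.100.4\tGET\t/clients/MyCRL\t200\t",
    "2024-05-30T10:00:05Z\t203.0.113.7\tPOST\t/clients/MyCRL\t200\t[...]CSHELL[...]",
    "2024-05-30T10:00:09Z\t203.0.113.7\tPOST\t/clients/MyCRL?v=1\t200\t",
    "2024-05-30T10:01:00Z\t198.51.100.4\tPOST\t/sslvpn/Login/Login\t200\tuser=alice",
]

@dataclass
class Hit:
    timestamp: str
    client_ip: str
    severity: str   # "high" when the CSHELL marker is present, else "medium"
    reason: str

def parse_line(line: str) -> Optional[dict]:
    """Split one record; return None for malformed lines. Query string is dropped."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, ip, method, path, status, body = parts
    return {"ts": ts, "ip": ip, "method": method.upper(),
            "path": path.split("?", 1)[0], "status": status, "body": body}

def classify(rec: dict) -> Optional[Hit]:
    """Flag POSTs to the MyCRL endpoint; raise severity when the marker appears."""
    if rec["path"] != INDICATOR_PATH or rec["method"] != "POST":
        return None
    if INDICATOR_MARKER in rec["body"]:
        return Hit(rec["ts"], rec["ip"], "high", "POST to /clients/MyCRL with CSHELL marker in body")
    return Hit(rec["ts"], rec["ip"], "medium", "POST to /clients/MyCRL (review per advisory)")

def scan(lines: Iterable[str]) -> List[Hit]:
    """Run the classifier over a log and return every hit in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec) if rec else None
        if hit:
            hits.append(hit)
    return hits

def suspicious_sources(hits: List[Hit]) -> List[str]:
    """Distinct client IPs with at least one high-severity hit, for triage."""
    return sorted({h.client_ip for h in hits if h.severity == "high"})
```

A GET to the same path is deliberately not flagged, since the advisory's indicator is POST activity; a POST without the marker is still reported at lower severity so it can be reviewed.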