A path traversal vulnerability in Check Point Security Gateways (CVE-2024-24919) allows arbitrary file reads, including /etc/shadow, when the Remote Access VPN or Mobile Access Software Blades are enabled. SonicWall Capture Labs notes that a public PoC exists and urges immediate patching via the Check Point advisory. #CVE-2024-24919 #CheckPointSecurityGateways #SonicWallCaptureLabs
Key points
- CVE-2024-24919 is a path traversal information disclosure bug in Check Point Security Gateways, enabling arbitrary reads.
- The vulnerable attack surface is present only when the Remote Access VPN or Mobile Access Software Blades are enabled.
- The flaw is exploitable via manipulated POST requests to /clients/MyCRL containing the string “CSHELL/” and path traversal sequences like “../”.
- Successful exploitation can dump sensitive files such as /etc/shadow, exposing hashed credentials.
- Exploitation is demonstrated over the WAN (Internet-accessible interface) with a publicly available PoC.
- SonicWall IPS signatures (e.g., 4440) and a hotfix advisory from Check Point are available; patching is recommended immediately.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attacker exploits a vulnerability in a public-facing gateway endpoint by sending crafted POST requests containing CSHELL/ and path traversal sequences like ../ (quoted: “The flaw is a path traversal bug… can be exploited via manipulated POST requests containing the string ‘CSHELL/’ somewhere in the request. Due to the use of the ‘strstr’ function without proper sanitizing and validation of user input, an attacker can leverage path traversal sequences like ‘../’ within the POST request.”).
- [T1003] OS Credential Dumping – Attacker dumps the gateway’s /etc/shadow file to obtain the system’s hashed credentials (quoted: “dumping the gateway’s ‘/etc/shadow’ file to obtain the system’s hashed credentials”).
- [T1133] External Remote Services – Demonstrates exploitation over the WAN interface, showing it is accessible over the Internet (quoted: “Note that this is being done against the WAN interface, showing that it is accessible over the Internet.”).
- [T1059.006] Command and Scripting Interpreter: Python – The PoC shows the attack can be performed in Python (quoted: “This can be done in Python, as shown in the publicly available PoC”).
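As an added detection example (not code from the advisory or from SonicWall), the following script scans web-server or proxy log lines for the request pattern described above: a POST to /clients/MyCRL whose body contains the CSHELL/ marker together with a ../ traversal sequence. The log format and the sample lines are constructed, and percent-decoding the body before matching is an assumption added here to catch encoded variants the page does not mention.

```python
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). Assumed format, one request per line:
# <client-ip> <method> <path> <status> <body-excerpt>
SAMPLE_LOG = """\
203.0.113.5 POST /clients/MyCRL 200 CSHELL/../../../../etc/shadow
203.0.113.5 POST /clients/MyCRL 200 CSHELL/..%2f..%2f..%2fetc%2fpasswd
198.51.100.7 GET /clients/MyCRL 200 -
198.51.100.9 POST /clients/MyCRL 200 CSHELL/some_client_file.js
192.0.2.3 POST /sslvpn/Login/Login 200 user=bob
"""

ENDPOINT = "/clients/MyCRL"   # endpoint named in the advisory
MARKER = "CSHELL/"            # string the vulnerable strstr() check looks for

def decode_body(body: str) -> str:
    """Percent-decode up to two rounds so encoded '../' variants are seen.
    Handling encoded variants is an assumption added here; the page only names '../'."""
    prev, cur = None, body
    for _ in range(2):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur

def classify(line: str) -> Optional[Dict]:
    """Return a finding for a request matching the CVE-2024-24919 pattern, else None."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    ip, method, path, _status, body = parts
    if method != "POST" or not path.startswith(ENDPOINT):
        return None
    decoded = decode_body(body)
    if "../" not in decoded and "..\\" not in decoded:
        return None            # no traversal sequence: not this pattern
    return {
        "ip": ip,
        "verdict": "exploit-attempt" if MARKER in decoded else "suspicious-traversal",
        "reads_shadow": "/etc/shadow" in decoded,
    }

def scan(log_text: str) -> List[Dict]:
    """Run classify() over every line and keep only the findings."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with verdict "exploit-attempt" and reads_shadow set should be escalated as credential exposure, since the hashes in /etc/shadow must then be assumed compromised.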
Indicators of Compromise
- [URL] /clients/MyCRL – exploitation endpoint used in the attack; context: path traversal via POST requests
- [URL] https://github.com/LucasKatashi/CVE-2024-24919/blob/main/CVE-2024-24919.py – publicly available PoC demonstrating the technique
- [File] /etc/shadow – sensitive system file containing password hashes; context: hashed credentials exfiltration potential