Check Point has issued an alert regarding a critical zero-day vulnerability in its network security gateway products. According to the Check Point warning, the flaw, tracked as CVE-2024-24919 with a CVSS score of 8.6, has been actively exploited by threat actors in the wild. The affected products include CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.
According to the Check Point warning, the vulnerability allows attackers to read specific information from Internet-connected Gateways that have remote access VPN or mobile access enabled. The company has released hotfixes for several versions of its products to address this issue. The patched versions include:
As per the Check Point warning, the vulnerability has been exploited since at least April 30, 2024. Check Point first noticed a small number of login attempts against old local VPN accounts that relied on password-only authentication; that activity has since been traced back to the newly discovered zero-day. Security Gateways with IPSec VPN, Remote Access VPN, or the Mobile Access software blade enabled are the ones affected.
The Check Point warning noted that the attacks seen so far have targeted remote access through old local accounts protected by weak, password-only authentication. Although the company has not provided detailed information on the nature of the attacks, it emphasized the importance of addressing this vulnerability promptly.
The targeting of VPN devices is part of a broader trend of attacks on network perimeter appliances. Similar incidents have impacted devices from Barracuda Networks, Cisco, Fortinet, Ivanti, Palo Alto Networks, and VMware in recent years. Attackers are increasingly motivated to breach remote-access infrastructure to reach enterprise assets, and they exploit VPN gateway vulnerabilities to maintain persistence within networks.
In an advisory published on June 5, 2024, cybersecurity firm mnemonic highlighted the critical nature of CVE-2024-24919. The firm has observed exploitation attempts targeting its customer environments since April 30, 2024. According to mnemonic, the vulnerability allows unauthorized actors to extract information from internet-connected gateways, including password hashes for all local accounts.
This vulnerability is particularly concerning because it requires neither user interaction nor privileges to exploit. The extracted password hashes, especially those of legacy local users with weak passwords, can be cracked offline, after which the attacker can log in through the VPN and move laterally within the network. mnemonic noted that attackers have used this access to extract Active Directory data (NTDS.dit) within 2-3 hours of logging in with a local user.
Censys, an attack surface management firm, reported that as of May 31, 2024, 13,802 internet-facing hosts were exposing a CloudGuard instance, a Quantum Security Gateway, or a Quantum Spark gateway. Although Check Point described CVE-2024-24919 as an information disclosure vulnerability, further analysis by watchTowr Labs showed it to be a path traversal flaw: an unauthenticated attacker can read arbitrary files from the gateway, including sensitive ones such as /etc/shadow.
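To make the bug class concrete, here is an added Python example (not Check Point's code and not watchTowr's analysis) of the general pattern behind a path traversal file read: a handler that joins a client-supplied path onto a web root with no containment check, beside a hardened version that resolves the final path and refuses anything outside the root. The directory tree, the file names and the fake shadow entry are constructed fixtures built in a temporary directory; nothing touches the real /etc/shadow.

```python
import os
import tempfile
from typing import Optional, Tuple


def setup_demo_tree() -> Tuple[str, str]:
    """Build a throwaway tree standing in for a gateway filesystem.

    Constructed fixture for this example: a public web root plus a sensitive
    file outside it that plays the role of /etc/shadow.  The hash is fake.
    """
    root = tempfile.mkdtemp(prefix="gw_demo_")
    webroot = os.path.join(root, "webroot")
    os.makedirs(os.path.join(webroot, "css"))
    with open(os.path.join(webroot, "css", "style.css"), "w") as f:
        f.write("body{}")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    shadow = os.path.join(etc, "shadow")
    with open(shadow, "w") as f:
        f.write("admin:$6$notarealhash$xxxx:19800:0:99999:7:::\n")  # constructed
    return webroot, shadow


def read_vulnerable(webroot: str, requested: str) -> str:
    """Join the client-supplied path onto the web root and open it.

    No normalisation and no containment check: every '../' segment walks one
    level up, and an absolute 'requested' makes os.path.join discard the web
    root entirely.  This is the shape of bug behind an arbitrary file read.
    """
    with open(os.path.join(webroot, requested)) as f:
        return f.read()


def resolve_within_root(webroot: str, requested: str) -> Optional[str]:
    """Return the resolved target only if it stays inside the web root.

    realpath collapses '..' segments and follows symlinks, so a symlink planted
    inside the root cannot be used to escape either.  None means 'refuse'.
    """
    base = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(base, requested))
    return target if os.path.commonpath([base, target]) == base else None


def read_hardened(webroot: str, requested: str) -> str:
    """Same file read, but refuse anything that resolves outside the root."""
    target = resolve_within_root(webroot, requested)
    if target is None:
        raise PermissionError(f"path escapes web root: {requested!r}")
    with open(target) as f:
        return f.read()


def demo() -> dict:
    """Exercise both handlers against a legitimate and a traversal request."""
    webroot, _shadow = setup_demo_tree()
    traversal = "css/../../etc/shadow"  # climbs out of webroot into <root>/etc
    results = {"legit": read_hardened(webroot, "css/style.css")}
    # The vulnerable handler returns the sensitive file without complaint.
    results["vulnerable_leaks_shadow"] = read_vulnerable(webroot, traversal).startswith("admin:")
    try:
        read_hardened(webroot, traversal)
        results["hardened_blocked"] = False
    except PermissionError:
        results["hardened_blocked"] = True
    # An absolute request path is the other classic escape; it is refused too.
    results["absolute_path_blocked"] = resolve_within_root(webroot, "/etc/shadow") is None
    return results


if __name__ == "__main__":
    print(demo())
```

The containment test compares fully resolved paths rather than looking for the substring "..", which is why encoded, doubled or symlink-based variants of the same trick fail the same way.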
Security researcher Aliz Hammond warned that Check Point's initial statement might downplay the severity of this bug. With public proof-of-concept exploits available and real-world attacks occurring, Hammond stressed that it should be treated as seriously as an unauthenticated remote code execution (RCE) vulnerability. Device administrators are urged to apply the patches immediately.
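With public proof-of-concept code circulating, defenders will want to hunt their gateway access logs for traversal attempts rather than wait for a vendor indicator. The following is an added Python example, not from the original post, Check Point or watchTowr, that decodes percent-encoding repeatedly (so double-encoded ../ is caught), normalises the request path and flags requests that walk up the tree or resolve onto a sensitive file. The log lines, the documentation-range IPs and the /example/files endpoint are constructed for the example and are not Check Point paths; the list of sensitive files beyond /etc/shadow is an assumption. One caveat: if the traversal travels in a POST body rather than the URL, an access log that records only the request line will not show it, and you will need body logging or a network capture instead.

```python
import posixpath
import re
from urllib.parse import unquote

# Files worth pulling once arbitrary reads are possible.  /etc/shadow is the one
# named in the watchTowr analysis; /etc/passwd is added here as an assumption.
SENSITIVE_FILES = ("/etc/shadow", "/etc/passwd")

# Common Log Format.  Gateways log differently; adapt the regex to your source.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log: documentation-range IPs and a hypothetical
# /example/files endpoint.  Line 5 is a decoy with '..' inside a name.
SAMPLE_LOG = """\
198.51.100.10 - - [30/Apr/2024:08:01:11 +0000] "GET /example/files/style.css HTTP/1.1" 200 512
203.0.113.7 - - [30/Apr/2024:08:02:30 +0000] "POST /example/files/../../../../etc/shadow HTTP/1.1" 200 1834
203.0.113.7 - - [30/Apr/2024:08:02:31 +0000] "POST /example/files/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 990
203.0.113.9 - - [30/Apr/2024:08:03:02 +0000] "GET /example/files/%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0
198.51.100.22 - - [30/Apr/2024:08:05:45 +0000] "GET /example/files/a..b/readme.txt HTTP/1.1" 200 77
"""


def decode_fully(s: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing, so %252e%252e%252f
    (double-encoded ../) is seen as ../.  Bounded so hostile input cannot
    keep this looping."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse_path(raw_path: str) -> dict:
    """Decode, normalise and classify one request path."""
    decoded = decode_fully(raw_path).replace("\\", "/")
    # Count real '..' segments; a plain substring test would also flag 'a..b'.
    dotdot = decoded.split("/").count("..")
    # normpath collapses the '..' segments; for an absolute path it clamps at '/'
    resolved = posixpath.normpath(decoded)
    # endswith catches the file even when the app's root is not the filesystem root
    target = next((f for f in SENSITIVE_FILES if resolved.endswith(f)), None)
    return {"decoded": decoded, "dotdot": dotdot, "resolved": resolved, "sensitive": target}


def hunt(log_text: str) -> list:
    """Return one finding per request that carries traversal or lands on a
    sensitive file.  A 200 on such a request is rated high: the server
    answered, so it may have served the file (not proof by itself)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count unparsed lines rather than drop them silently
        info = analyse_path(m["path"])
        if info["dotdot"] == 0 and info["sensitive"] is None:
            continue
        severity = "high" if info["sensitive"] and m["status"] == "200" else "medium"
        findings.append({
            "src": m["src"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "raw": m["path"],
            "resolved": info["resolved"], "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:15} {f['status']} {f['method']} {f['raw']} -> {f['resolved']}")
```

Run against the sample it reports three findings (two rated high, one medium for the 404) and ignores both the legitimate request and the decoy. Pivot on the source address of any high finding: the next thing to look for is a successful VPN login from a local account shortly afterwards.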
Check Point has since stated that the first exploitation attempts were detected on April 7, 2024, earlier than the April 30 date initially reported. The company is continuing its investigation and recommends patching Check Point gateways immediately to mitigate the growing risk to remote access VPNs.
In conclusion, organizations using Check Point's affected products should prioritize applying the available hotfixes to secure their systems against this critical zero-day and protect against VPN attacks. Implementing network security best practices is essential for protecting sensitive data and maintaining the integrity of IT infrastructure. Swift action will help prevent unauthorized access and potential network breaches.
The sources for this piece include articles in The Hacker News and Security Week.
The post Check Point Warning: VPN Gateway Products’ Zero-Day Attack appeared first on TuxCare.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/check-point-warning-vpn-gateway-products-zero-day-attack/