Attacks

Check Point VPN Vulnerability Advisory

Table of Contents

The latest announced VPN vulnerability is typical of the risks associated with VPNs. While VPNs are essential for secure remote access, they often harbor exploitable weaknesses that can undermine perimeter defenses. Such vulnerabilities allow attackers to infiltrate networks, access sensitive data, and compromise overall security. Organizations must remain vigilant, employing comprehensive security measures to detect and address threats affecting networks swiftly.

Vulnerability Background

On May 27th, Check Point Software Technologies (Check Point) published a blog post detailing security best practices in response to observed attempts to exploit vulnerabilities in VPN solutions from various vendors. Notably, they underscored that certain attempts focused on local accounts utilizing password-only authentication. On May 28th, Check Point updated its post, disclosing a new vulnerability (CVE-2024-24919) that affects Security Gateways with IPsec VPN in Remote Access VPN and stressing the critical importance of implementing mitigation measures promptly.

Initially, the vendor did not provide specifics regarding the CVE-2024-24919 vulnerability, and it was not assigned a risk score on CVE. However, researchers from Watchtowr, upon reviewing available information from the “hotfix” managed to discern the alterations and extract some conclusions. Their findings indicated that this vulnerability is critical, enabling relatively straightforward techniques such as path disclosure, and potentially allowing attackers to access sensitive files like the shadow file. Eventually, the vulnerability was assigned a CVSS risk score of 8.6, indicating a very serious vulnerability.

How the Vulnerability Is Exploited

Several PoC codes exploit this vulnerability with a simple POST request, allowing the attacker to gain access to the VPN system’s “passwd”, “shadow” and other important files using a Full Path Disclosure vulnerability, thereby creating persistence on the victim’s network.

According to Shodan, at least 20,000 indexed devices could be potentially vulnerable to this type of attack.

Immediate Action Items

  1. Install a mandatory Security Gateway Hotfix to prevent the exploitation of CVE-2024-24919 (https://support.checkpoint.com/results/sk/sk182336).
  2. Ensure all security solutions are fully deployed and up-to-date across your entire organization and your customers’ networks.
  3. Proactively hunt for indicators of compromise (IOCs) that attackers might have left behind during the vulnerability window.
  4. Continuously monitor your network for suspicious activity that might indicate an adversary’s presence within your network or your customers’ networks.
  5. Configure MFA as a regular policy for all VPN connections.
  6. As a precaution, change all credentials associated with users present on the device.

Vulnerability Check Tool

The Lumu Threat Intelligence team has developed a script that can detect vulnerable instances of Checkpoint VPNs. To request access to the tool, simply send a message to support@lumu.io.

Recent Posts

  • Blog

Lumu & the MSP Community: 2024 in Review

Reading Time: 4 minsLumu has worked hand-in-hand with MSPs throughout a year that consolidated the…

4 days ago
  • Blog

Reflecting on 2024: Lumu’s Innovations in SecOps

Reading Time: 5 minsLumu’s 2024 SecOps advancements focus on automation and smarter threat detection, with…

6 days ago
  • Attacks

Lumu’s Detection & Response to a Real-World DNS Tunneling Attack

Reading Time: 7 minsThis is the story of a serious DNS tunneling attack on a…

1 week ago
  • Events

Cybersecurity Insights for MSPs: Lessons from IT Nation Connect 2024

Reading Time: 4 minsDiscover the top insights from Lumu’s pre-conference workshop at IT Nation Connect,…

4 weeks ago
  • Stories

Cybersecurity Trends 2025 and Beyond: Navigating AI-Driven Evasion Techniques and Autonomous Threats for Resilient Defense

Reading Time: 2 minsAs we move into 2025, AI-driven evasion and autonomous threats will redefine…

1 month ago
  • Trends

CISA Reveals How 12 Ransomware Gangs are Bypassing EDRs

Reading Time: 7 minsEndpoint Detection and Response (EDR) has a critical role in most companies’…

2 months ago