Update 31.05.2024: Added clarification on severity of the vulnerability, recommendations and mitigations. A Proof of Concept (POC) to exploit the vulnerability is now publicly available. CVSS score has been increased from 7.5 to 8.6. Updated Check Point support links.
A critical vulnerability has been discovered in Check Point Security Gateways with Remote Access VPN enabled, also referred to as the “Mobile Access” blade. The vulnerability also applies to instances where Check Point Mobile Secure Workspace with Capsule is used.
The vulnerability is considered critical because it allows unauthorised actors to extract information from gateways connected to the Internet.
mnemonic has observed attempts of exploitation in customer environments since April 30, 2024.
Background: CVE-2024-24919
Late in the evening on May 28, 2024, mnemonic was contacted by Check Point Norway, urging us to patch all customers with Remote Access VPN and Mobile Access enabled.
The vulnerability in question impacts all Check Point gateways with the Mobile Access blade enabled, including Capsule Workspace. It has been assigned a CVSS v3.1 base score of 8.6 (HIGH).
The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory. The full extent of the consequences is still unknown. However, it is known that password hashes of legacy local users with password-only authentication can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further misuse and potential lateral movement within the network.
Update 31.05.2024: It is now proven that the vulnerability allows a threat actor to retrieve all files on the local filesystem. This includes password hashes for all local accounts, SSH keys, certificates and other critical files. Threat actors can gain full shell access on vulnerable systems with relative ease.
Threat Intelligence assessment
Check Point Software Technologies and mnemonic have observed attempts of exploiting this vulnerability.
mnemonic has several observations of this exploit being used in the wild and is currently investigating activity related to the use of this vulnerability. The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely.
We have observed threat actors extracting ntds.dit from compromised customers within 2-3 hours after logging in with a local user. mnemonic links this vulnerability to the activity described in our blog about the misuse of Visual Studio Code for traffic tunneling. CVE-2024-24919 was in that case used to extract user information which the threat actor then used to move laterally in the network.
Update 31.05.2024: A POC to exploit the vulnerability is now publicly available.
Affected systems
The vulnerability is not tied to specific software versions. Remediations and fixes will need to be implemented in the form of a hotfix released after the vulnerability’s announcement.
Gateways using only Site-to-Site IPSEC VPN are not affected.
Recommendations
Update 31.05.2024: Additional recommendations and mitigations added in italics.
All gateways with Mobile Access blade active (or formerly active) should be treated as vulnerable.
Organisations using Check Point Capsule Workspace are also vulnerable due to the Mobile Access blade being used by the Capsule solution.
To mitigate the risks associated with CVE-2024-24919, organisations are advised to:
- Immediately update the affected systems to the patched version. For more information, see this article written by Check Point
- Remove any local users on the gateway
- Rotate passwords / accounts for LDAP-connections from gateway to Active Directory
- Renew the server certificates for inbound HTTPD inspection on gateway
- Renew the certificate for outbound HTTPS inspection on the security gateway
- Reset Gaia OS passwords for all local users
- Regenerate the SSH local user certificate on the security gateway
- Do post-patch searches in logs (as documented in this Check Point article) for signs of compromise / anomalous behavior / logins
- If available, update Check Point IPS signature to detect exploitation attempts
mnemonic also recommends that any login “actions” with “password” as the authentication type in the “blade” “Mobile Access” is cross-checked with legitimate activity. For this purpose, Check Point recommends to use the following query in SmartConsole: action:”Log In” AND auth_method:Password AND blade:”Mobile Access”
Check Point has released several IPS rules to detect exploit activity, but it requires that the vulnerable Remote Access gateway is behind a Security Gateway and that the IDS/IPS blade is enabled. If you have IDS or other network sensor in front of the Remote Access gateway, one could look for the following URI path: https://IP/clients/MyCRL being used as a way to detect exploitation attempts.
Update 31.05.2024: As described in watchTowr’s breakdown of the vulnerability, if you have an IDS or other network sensor in front of the Remote Access gateway that is able to provide insight into HTTP POST requests, you can look for POST requests to the following URI path: https://IP/clients/MyCRL where the POST request contains the path CSHELL . For example: