Attacks Surge on Check Point’s Recent VPN Zero-Day Flaw

Summary: Exploit activity targeting a recent information disclosure flaw in Check Point’s VPN technology has increased, emphasizing the need for organizations to address the vulnerability immediately.

Threat Actor: Unknown | Unknown
Victim: Organizations using Check Point’s VPN technology | Organizations using Check Point’s VPN technology

Key Point :

  • Check Point’s VPN technology has a vulnerability, identified as CVE-2024-24919, which allows attackers to access sensitive information and potentially gain domain admin privileges.
  • The exploit activity targeting this vulnerability has been ongoing since early April, highlighting the urgency for organizations to apply the provided hotfix.

Exploit activity targeting a recent information disclosure flaw in Check Point’s VPN technology has soared in recent days, heightening the need for organizations to address the flaw immediately.

The vulnerability, identified as CVE-2024-24919, affects software in multiple versions of Check Point’s CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. All the affected products are Check Point security gateways with IPsec VPN functionality.

Dangerous Vulnerability

Check Point has warned of the vulnerability allowing attackers to access sensitive information in the security gateways that, in some instances, could allow them to move laterally on a compromised network and gain domain admin privileges. The security vendor disclosed the vulnerability May 28 — along with a hotfix for it — amid reports of active exploitation attempts. Check Point has identified the exploitation activity as having started in early April, nearly two months before disclosure.

In a report released this week, Internet traffic scanning firm Greynoise said it had detected rapidly increasing exploitation attempts targeting CVE-2024-24919 since May 31, or shortly after a proof-of-concept for the flaw became publicly available. According to Greynoise, initial attempts to target the vulnerability actually began a day earlier from a Taiwan-based IP address, but those involved a non-working exploit.

Large-Scale Exploitation Attempts

The first real exploit attempt originated from a New York-based IP address. By June 5, Greynoise detected as many as 782 IPs from around the world targeting the vulnerability. “With a public proof of concept out, and exploitation quickly ramping up, we recommend patching Check Point as soon as possible,” Greynoise advised.

A Censys scan earlier this week identified some 13,754 Internet-exposed systems running at least one of the three software products that Check Point has identified as affected by CVE-2024-24919. Some 12,100 of the exposed hosts were Check Point Quantum Spark gateway devices, about 1,500 were Quantum Security Gateways and some 137 were Check Point CloudGuard appliances. More than 6,000 of the Internet-exposed hosts were located in Japan. Other countries with a relatively high concentration of exposed Check Point appliances included Italy (1,012), the US (917), and Israel (845).

At the time of Censys’ scan, less than 2% of the Internet-exposed Check Point Quantum Spark gateways appeared to be running a patched version of the affected software.

Easy to Find and Exploit

Researchers at WatchTowr who analyzed the Check Point flaw have described it as not too difficult to find and “extremely easy to exploit.” Check Point has assigned the flaw a severity rating of 8.6 out of 10 on the CVSS scale and described exploits targeting it as involving low complexity, no user interaction, and no special user privileges.

The US Cybersecurity and Information Security Agency (CISA) has added CVE-2024-24919 to its catalog of known exploited vulnerabilities. All federal civilian executive branch agencies have until June 20 to either apply Check Point’s recommended mitigations for the flaw or to discontinue use of the affected products until they have fixed it. In the past, CISA and other organizations such as the FBI and the NSA have repeatedly warned about vulnerabilities in VPNs and other secure access technologies as presenting a high risk to organizations because of the extent to which attackers have targeted these flaws in recent years.

Check Point has recommended that affected organizations install its latest Jumbo Hotfix Accumulators to address the security vulnerability. Organizations that cannot immediately deploy the Jumbo Hotfix Accumulator — basically a package that contains fixes for multiple issues in multiple products — should install the security hotfix for CVE-2024-24919, Check Point noted.

Organizations should install the hotfix on any affected security gateway and cluster where the IPSec VPN Software Blade feature is enabled as part of the Remote Access VPN Community, or when the Mobile Access Software Blade feature is enabled, according to the security vendor.

“This is a critical vulnerability that’s being actively exploited in the wild,” Censys warned. However, there are a couple of mitigating factors as well, the company noted. For one thing, the vulnerability only affects gateways with certain configurations. Also, “successful exploitation does not necessarily mean full device compromise; other circumstances need to be in place, like the presence of exposed password files on your device’s local filesystem.”

Source: https://www.darkreading.com/cyberattacks-data-breaches/attacks-surge-on-check-points-recent-vpn-zero-day-flaw


“An interesting youtube video that may be related to the article above”