CVE-2024-24919
Check Point Arbitrary File Read

Le Lab Gatewatcher D

Introduction


 

Remote    
Authenticated   
Default config 

Affected Products 

  • CloudGuard Network 
  • Quantum Maestro 
  • Quantum Scalable Chassis 
  • Quantum Security Gateways 
  • Quantum Spark Appliances 

 

Affected Versions

  • R77.20 (EOL)  
  • R77.30 (EOL)  
  • R80.10 (EOL) 
  • R80.20 (EOL)  
  • R80.20.x 
  • R80.20SP (EOL) 
  • R80.30 (EOL) 
  • R80.30SP (EOL) 
  • R80.40 (EOL) 
  • R81 
  • R81.10 
  • R81.10.x 
  • R81.20 

Details


As of May 26, 2024, Check Point reported a growing number of exploitation attempts targeting remote access solutions such as VPNs, with a particular focus on some of the company's own solutions that had been compromised. According to the vendor's statement, these compromised solutions were vulnerable because they used outdated local accounts with password-based authentication, which is not recommended.

However, since then, little information has been shared about the nature of this vulnerability, including its impact or origin.

On May 30, watchTowr, a company known in recent months for analyzing security appliance vulnerabilities, published a comparative analysis. This analysis helps to understand the scope of a successful attack and provides guidance for detecting such incidents.

Detection


The analysis reveals that the endpoint used is /clients/MyCRL. Even more concerning, this endpoint allows the name of the file to download to be specified (either via the URL or through a POST request).

The rest of the analysis details the protections implemented by the vendor, as well as the way around them that led to this vulnerability. The files that may be downloaded are normally restricted to a fixed list, but the check is made with the strstr function, which looks for a substring. In practice, the presence of just one of the listed strings anywhere in the requested name is enough to pass the check. The remainder of the attack is essentially a classic Path Traversal.
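The difference between a substring check and an exact-match check, as an added example that is not the vendor's code and not taken from the watchTowr analysis. The allowlist entries, function names and request names are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist of downloadable files (constructed for this example). */
static const char *const ALLOWED[] = { "crl/current.crl", "client/installer.msi" };
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* Flawed check: strstr() succeeds when an allowed string occurs anywhere
 * in the requested name, so extra path components go unnoticed. */
bool allowed_substring(const char *name) {
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strstr(name, ALLOWED[i]) != NULL) return true;
    return false;
}

/* True if any path component of name is exactly "..". */
static bool has_dotdot(const char *name) {
    for (const char *p = name; *p; ) {
        size_t len = strcspn(p, "/\\");          /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.') return true;
        p += len;
        if (*p) p++;                             /* skip the separator */
    }
    return false;
}

/* Hardened check: the whole name must equal an allowlist entry. The
 * parent-directory test is defense in depth in case the list changes. */
bool allowed_exact(const char *name) {
    if (has_dotdot(name)) return false;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcmp(name, ALLOWED[i]) == 0) return true;
    return false;
}

int main(void) {
    /* Constructed request names: legitimate, traversal, unrelated. */
    const char *tests[] = { "crl/current.crl",
                            "crl/current.crl/../../private/key.pem",
                            "notes.txt" };
    for (size_t i = 0; i < 3; i++)
        printf("%-40s substring=%d exact=%d\n", tests[i],
               allowed_substring(tests[i]), allowed_exact(tests[i]));
    return 0;
}
```
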

Currently, the Aioniq solution can detect the initial compromise through the following rule:

 

2053031 ET WEB_SPECIFIC_APPS Checkpoint Quantum Security Gateway Arbitrary File Read Attempt (CVE-2024-24919)

 

Correction


The vendor has already released a patch for this vulnerability. For versions that are end-of-life, the vendor encourages users to update their equipment and apply the hotfix. If this is not possible, users should disable remote and mobile access.

As highlighted by watchTowr in their analysis, the consequences of a successful exploitation of this vulnerability are far more significant than the description suggests.