
Attacks Increase on Check Point’s Latest VPN Vulnerability


Exploit activity against a recently disclosed information disclosure flaw in Check Point's VPN technology has increased sharply in recent days, underscoring the urgency for organizations to address the vulnerability promptly.

The vulnerability, identified as CVE-2024-24919, impacts software in various versions of Check Point’s CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. All of these products are Check Point security gateways with IPsec VPN functionality.

Check Point has issued a warning about the vulnerability, stating that attackers can exploit it to access sensitive information on the security gateways. In some cases, this access could enable them to move laterally within a compromised network and acquire domain admin privileges. The vendor disclosed the vulnerability on May 28 and provided a hotfix for it, following reports of active exploitation attempts. Check Point has determined that the exploitation activity began in early April, nearly two months before the disclosure.

According to a report released this week by Internet traffic scanning firm GreyNoise, there has been a notable surge in exploitation attempts targeting CVE-2024-24919 since May 31. This increase in activity coincided with the public availability of a proof-of-concept for the flaw. Initial attempts to exploit the vulnerability came from a Taiwan-based IP address a day earlier, but those attempts were unsuccessful.

Subsequently, GreyNoise identified a working exploit attempt originating from a New York-based IP address on June 5. By that date, GreyNoise had detected as many as 782 IPs from locations around the world targeting the vulnerability. Organizations are advised to patch affected Check Point appliances as soon as possible to mitigate the risk associated with this flaw.

A recent Censys scan discovered approximately 13,754 Internet-exposed systems running at least one of the three software products affected by CVE-2024-24919. These systems included Check Point Quantum Spark gateway devices, Quantum Security Gateways, and Check Point CloudGuard appliances. A significant number of the exposed hosts were located in Japan, with other countries such as Italy, the US, and Israel also having a notable concentration of exposed Check Point appliances. Alarmingly, at the time of the scan, fewer than 2% of the Internet-exposed Check Point Quantum Spark gateways were running a patched version of the affected software.

watchTowr researchers who analyzed the Check Point flaw categorized it as easy to find and extremely easy to exploit. Check Point has assigned the vulnerability a severity rating of 8.6 out of 10 on the CVSS scale, noting that exploits targeting it involve low complexity, require no user interaction, and do not require special user privileges.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-24919 to its catalog of known exploited vulnerabilities. Federal civilian executive branch agencies must, by June 20, either apply Check Point's recommended mitigations for the flaw or discontinue use of the affected products until the issue is resolved. CISA, along with other organizations such as the FBI and the NSA, has repeatedly warned about the high risk that vulnerabilities in VPNs and other secure access technologies pose to organizations, given the prevailing trend of cyber attackers exploiting such weaknesses in recent years.

Check Point has advised affected organizations to install its latest Jumbo Hotfix Accumulators to address the vulnerability. If immediate deployment of the Jumbo Hotfix Accumulator is not feasible, organizations should install the dedicated security hotfix for CVE-2024-24919. This is particularly crucial for organizations with affected security gateway configurations in which the IPsec VPN Software Blade is enabled as part of the Remote Access VPN Community, or in which the Mobile Access Software Blade is enabled.

Despite the critical nature of this vulnerability and its active exploitation in the wild, Censys highlighted a couple of mitigating factors. The vulnerability only affects gateways with specific configurations, and successful exploitation does not automatically result in full device compromise; additional prerequisites, such as the presence of exposed password files on the local filesystem, must be met for complete device compromise.
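The two paragraphs above give a defender everything needed to rank a fleet for patching: which product families are affected, which blade configuration Check Point singles out (IPsec VPN blade used in a Remote Access VPN Community, or the Mobile Access blade enabled), whether the device is Internet-exposed, and whether the hotfix is already installed. The following script is an added illustration of that triage, not code from Check Point, Censys or GreyNoise; the CSV inventory format, its column names, the hostnames and the non-gateway product line are all constructed for the example, and the priority labels are an assumption about how a team might order its work.

```python
"""Triage a Check Point gateway inventory for CVE-2024-24919 patching.

Added example (not vendor code). The inventory columns below are assumed;
the affected-product list and the affected-configuration rule follow the
advisory summary in the article.
"""
import csv
import io
from dataclasses import dataclass

# Product families the advisory summary lists as affected.
AFFECTED_PRODUCTS = {
    "CloudGuard Network",
    "Quantum Maestro",
    "Quantum Scalable Chassis",
    "Quantum Security Gateways",
    "Quantum Spark",
}

# Constructed sample inventory: hostnames, flags and the last product line
# ("Example Management Appliance", deliberately not a gateway) are made up.
SAMPLE_INVENTORY = """\
hostname,product,ipsec_vpn_blade,remote_access_community,mobile_access_blade,internet_exposed,hotfix_applied
gw-tokyo-01,Quantum Spark,yes,yes,no,yes,no
gw-milan-02,Quantum Security Gateways,yes,no,yes,yes,no
gw-lab-03,Quantum Security Gateways,yes,yes,no,no,no
gw-nyc-04,CloudGuard Network,yes,no,no,yes,no
gw-dc-05,Quantum Maestro,yes,yes,no,yes,yes
mgmt-06,Example Management Appliance,no,no,no,yes,no
"""


@dataclass(frozen=True)
class Gateway:
    hostname: str
    product: str
    ipsec_vpn_blade: bool
    remote_access_community: bool
    mobile_access_blade: bool
    internet_exposed: bool
    hotfix_applied: bool


def _flag(value: str) -> bool:
    """Accept the usual spreadsheet spellings of a boolean."""
    return value.strip().lower() in {"yes", "true", "1"}


def parse_inventory(text: str) -> list[Gateway]:
    """Parse the assumed CSV layout into Gateway records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Gateway(
            hostname=r["hostname"].strip(),
            product=r["product"].strip(),
            ipsec_vpn_blade=_flag(r["ipsec_vpn_blade"]),
            remote_access_community=_flag(r["remote_access_community"]),
            mobile_access_blade=_flag(r["mobile_access_blade"]),
            internet_exposed=_flag(r["internet_exposed"]),
            hotfix_applied=_flag(r["hotfix_applied"]),
        )
        for r in rows
    ]


def has_vulnerable_configuration(gw: Gateway) -> bool:
    """The configuration Check Point flags: IPsec VPN blade enabled as part
    of a Remote Access VPN Community, or the Mobile Access blade enabled."""
    remote_access_ipsec = gw.ipsec_vpn_blade and gw.remote_access_community
    return remote_access_ipsec or gw.mobile_access_blade


def triage(gw: Gateway) -> str:
    """Assign a patch priority label (labels are an assumption of this example)."""
    if gw.product not in AFFECTED_PRODUCTS:
        return "not-affected"
    if gw.hotfix_applied:
        return "patched"
    if not has_vulnerable_configuration(gw):
        # Vendor still recommends the hotfix; the flagged configuration is absent.
        return "P3-apply-hotfix-on-schedule"
    if gw.internet_exposed:
        return "P1-patch-now"
    return "P2-patch-soon"


PRIORITY_ORDER = [
    "P1-patch-now",
    "P2-patch-soon",
    "P3-apply-hotfix-on-schedule",
    "patched",
    "not-affected",
]


def prioritized_report(text: str) -> list[tuple[str, str]]:
    """Return (priority, hostname) pairs, most urgent first."""
    scored = [(triage(g), g.hostname) for g in parse_inventory(text)]
    scored.sort(key=lambda item: (PRIORITY_ORDER.index(item[0]), item[1]))
    return scored


if __name__ == "__main__":
    for status, host in prioritized_report(SAMPLE_INVENTORY):
        print(f"{status:<28} {host}")
```

Run on the constructed inventory, the two Internet-exposed gateways with the flagged configuration (one via the Remote Access IPsec community, one via the Mobile Access blade) land at the top; the lab gateway with the same configuration but no Internet exposure follows, and the gateway whose IPsec blade is not used for remote access is scheduled rather than escalated. Replace `SAMPLE_INVENTORY` with an export from your own asset system to use it.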

In light of the escalating exploitation attempts targeting Check Point VPNs, organizations must take immediate action to address the vulnerability and apply necessary patches to safeguard their systems and sensitive information from malicious actors.
