Exploiting CVE-2024–24919: Information Disclosure in Check Point Quantum Gateway

Introduction

In the rapidly evolving landscape of cybersecurity, vulnerabilities are discovered that can have far-reaching implications for organizations. One such vulnerability is CVE-2024–24919, an information disclosure flaw in Check Point Quantum Gateway. This vulnerability, identified by the researcher johnk3r, poses a significant risk by potentially allowing attackers to access sensitive information on internet-connected Gateways configured with IPSec VPN, remote access VPN, or mobile access software blade.

Understanding CVE-2024–24919

CVE-2024–24919 is classified as a high-severity vulnerability due to its potential impact on affected systems. This vulnerability can be exploited to disclose information that should otherwise be protected, potentially leading to further compromise of the affected systems.

Technical Details

The vulnerability resides in the Check Point Quantum Security Gateway, particularly when configured with certain VPN features. An attacker can craft a specific HTTP POST request to the /clients/MyCRL endpoint. By manipulating the request, the attacker can navigate the file system and access restricted files such as /etc/shadow, which contains hashed passwords of system users.

The specific HTTP request that can trigger this vulnerability is as follows:

POST /clients/MyCRL HTTP/1.1
Host: {{Hostname}}

aCSHELL/../../../../../../../etc/shadow

If successful, the response will contain contents from the /etc/shadow file, indicated by the presence of entries such as root: and nobody: in the body of the response, along with a 200 OK status.

this is the query for search — https://nt.ls/MqxNV

Mitigation and Recommendations

Organizations using Check Point Quantum Security Gateway are urged to review their configurations and apply patches or updates provided by Check Point. According to Check Point’s advisory, steps to mitigate this vulnerability include:

1. Updating Firmware: Ensure that the firmware is updated to the latest version, which includes patches for known vulnerabilities.
2. Configuring Security Policies: Review and tighten security policies to restrict unauthorized access.
3. Monitoring and Alerts: Implement monitoring and alerting mechanisms to detect unusual activities that might indicate an exploitation attempt.

For more detailed guidance, refer to the official advisories from Check Point:

• Check Point Wrong Check Point: CVE-2024–24919
• Check Point Support Advisory SK182337

Conclusion

CVE-2024–24919 highlights the critical importance of maintaining up-to-date security practices and the need for vigilant monitoring of network devices. By understanding and addressing such vulnerabilities, organizations can better protect their sensitive information and maintain robust cybersecurity defenses.

For security professionals, keeping abreast of such vulnerabilities and their mitigations is crucial. Ensure your systems are secure, monitor for signs of exploitation, and respond swiftly to protect your organization’s assets.

By addressing CVE-2024-24919 promptly and effectively, organizations can mitigate the risks associated with this vulnerability and safeguard their information from potential attackers.