CVE-2024-24919: Critical Information Disclosure in Check Point Gateways
- [01] Attackers are exploiting a high-severity information disclosure vulnerability to gain unauthorized access to sensitive files on Check Point Security Gateways.
- [02] Check Point Quantum Security Gateways with Remote Access VPN or Mobile Access enabled are vulnerable to arbitrary file read.
- [03] Organizations must apply the vendor-provided hotfix immediately and reset credentials for any potentially compromised accounts or local users.
Technical Analysis of the Check Point Quantum Gateway Exposure
According to the SANS Internet Storm Center, a high-severity CVE tracked as CVE-2024-24919 has become a primary target for sophisticated threat actors. This vulnerability is an information disclosure flaw that allows an unauthenticated remote attacker to read sensitive files on affected Check Point Security Gateways. Unlike a traditional RCE, this vulnerability does not immediately execute code but instead facilitates the extraction of system-critical data, which can lead to full system compromise.
The flaw resides in how the gateway handles specific web requests when either the “Remote Access VPN” or “Mobile Access” software blades are enabled. Attackers leverage a crafted HTTP POST request to bypass intended access controls and traverse the internal file system. This allows for the retrieval of files such as /etc/shadow, which contains the hashed passwords of local system accounts. Given the CVSS score of 8.6, the lack of authentication makes this a particularly dangerous entry point for Privilege Escalation and eventual Lateral Movement within the corporate network.
Strategies to Detect CVE-2024-24919 Exploit Attempts
Identifying unauthorized access requires a diligent SOC and robust logging at the network perimeter. Understanding how to detect CVE-2024-24919 exploit activity involves monitoring web server logs for specific directory traversal sequences. Analysts should look for POST requests targeting the gateway’s portal paths that contain unexpected characters or attempts to reach sensitive directories like /etc/ or /config/.
This activity often aligns with several MITRE ATT&CK techniques, notably T1190 (Exploit Public-Facing Application). Because this vulnerability was initially exploited as a Zero-Day, security teams should retroactively search their SIEM for any anomalous outbound traffic originating from the gateway or unusual local account logins. Since traditional EDR tools do not typically run on these hardened network appliances, the primary evidence of compromise will exist in the gateway’s internal IoC logs and management server audit trails.
Applying the Check Point Quantum Gateway Security Update
Check Point has released emergency hotfixes for various versions of their software, including Quantum Maestro, Quantum Scalable Chassis, and Quantum Spark Gateways. Applying the Check Point Quantum Gateway security update is the mandatory first step for all administrators. It is important to note that merely disabling the vulnerable portal blades provides only temporary mitigation and does not remove the underlying vulnerability from the firmware.
To effectively remediate CVE-2024-24919 vulnerability risks, patching must be followed by a comprehensive credential rotation policy. If an attacker has successfully accessed the shadow file, they may have already begun cracking password hashes offline. Security teams must reset all local account passwords and inspect the /etc/passwd and /etc/shadow files for any newly created, unauthorized local users. Furthermore, any SSH keys or API tokens stored on the appliance should be considered compromised and rotated immediately to prevent persistent access by the adversary.
Advertisement