CVE-2024-24919 Scanner - Check Point VPN Vulnerability
This free vulnerability scanner checks if your target is affected by CVE-2024-24919. Unauthenticated attackers can exploit this high-risk security issue remotely to read arbitrary files stored on the affected Check Point VPN server.
If you’d like to detect other vulnerabilities, this free tool is part of the premium version of our Network Vulnerability Scanner, whose Deep Scan option identifies over 11.000 CVEs. For full access to it and other 20+ tools, check out our pricing plans.
Network Vulnerability ScannerThis free vulnerability scanner checks if your target is affected by CVE-2024-24919. Unauthenticated attackers can exploit this high-risk security issue remotely to read arbitrary files stored on the affected Check Point VPN server.
CVE-2024-24919 (Check Point Quantum Security Gateway Vulnerability) technical details
According to the Check Point advisory, CVE-2024-24919 is an Information Disclosure vulnerability. This enables an unauthenticated remote attacker to read the contents of any file on the affected device and extract sensitive information.
For instance, an attacker can access the /etc/shadow
file, revealing password hashes for local accounts, or access the SSH private keys.
By cracking these password hashes, and if the Security Gateway allows password-only authentication, the attacker can potentially authenticate using the cracked passwords.
How we detect CVE-2024-24919
Our Network Vulnerability Scanner sends the following request:
POST /clients/MyCRL HTTP/1.1
Host: <target>
aCSHELL/../../../../../../../etc/shadow
If the content of /etc/shadow
is returned, the target is vulnerable.
Products affected by CVE-2024-24919
This Check Point remote access vulnerability impacts the following products:
- Quantum Maestro
- Quantum Scalable Chassis
- Quantum Security Gateways
- Quantum Spark Appliances
According to the vendor advisory, the vulnerability applies in the following situations:
- The IPsec VPN Blade is enabled, but ONLY when included in the Remote Access VPN community.
- The Mobile Access Software Blade is enabled.
CVE-2024-24919 timeline
May 28, 2024 - The Check Point advisory is published, with the latest security update shared on June 10, 2024.
May 29, 2024 - mnemonic published a blog article stating that this vulnerability started as a zero-day and, with exploitation attempts tracked back to April 30, 2024. More than a month ago, threat actors were already extracting /etc/shadow
file and disclosing password hashes.
May 30, 2024 - watchTowr discloses the PoC for this Check Point Security Gateway information disclosure issue in this blog article.
May 31, 2024 - detection of CVE-2024-24919 is added to the Network Vulnerability Scanner on Pentest-Tools.com.
CVE-2024-24919 severity
CVE-2024-24919 has a high severity CVSSv3 score of 8.6 and it is included in CISA’s Known Exploited Vulnerabilities.
Exploitation of CVE-2024-24919
This vulnerability is easy to exploit and highly critical because it doesn’t require user interaction or special privileges.
Threat actors can read any file on the server, including password hashes for local accounts, service accounts used for connecting to Active Directory, or the database file (ntds.dit) of Microsoft ADDS.
Sensitive files an attacker could extract:
/etc/shadow
/etc/passwd
/home/admin/.ssh/id_rsa
/root/.ssh/id_rsa
/etc/hosts
/etc/resolv.conf
/etc/fstab
/sysimg/CPwrapper/SU/Products.conf
/config/db/initial
/opt/checkpoint/conf/
/etc/ssh/sshd_config
/etc/vpn/vpn.conf
CVE-2024-24919 references
- https://pentest-tools.com/vulnerabilities-exploits/check-point-quantum-gateway-information-disclosure_22692
- https://support.checkpoint.com/results/sk/sk182336
- https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-vpn-vulnerability-cve-2024-24919/
- https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
About our Network Vulnerability Scanner
Our Network Vulnerability Scanner is a well-rounded tool for all your network security assessments.
It combines multiple engines and fine-tuned (customizable) scan settings which surface over 20.000 critical vulnerabilities, misconfigurations, and outdated services.
Each scan automatically updates your attack surface and provides an up-to-date map for planning targeted attacks or strategic lateral movements.
Explore a sample report which includes a vulnerability summary, automatically confirmed findings, evidence, and more.
See what else it can doFAQ
What is Check Point Security Gateway?
Check Point Security Gateway is a series of advanced network security appliances designed to provide comprehensive threat prevention and high performance for enterprise networks. It is designed to provide robust and adaptable security solutions to protect against a wide range of cyber threats while maintaining high performance and reliability for enterprise networks.
CVE-2024-24919 impact
Since this device is an SSLVPN/Firewall appliance, this type of device is exposed to the Internet, making it an attractive target.
Based on this X post, multiple organizations, including banks and IT companies, are impacted by this VPN vulnerability.
CVE-2024-24919 versions affected
- R77.20 (EOL)
- R77.30 (EOL)
- R80.10 (EOL)
- R80.20 (EOL)
- R80.20.x
- R80.20SP (EOL)
- R80.30 (EOL)
- R80.30SP (EOL)
- R80.40 (EOL)
- R81
- R81.10
- R81.10.x
- R81.20
Gateways that use only Site-to-Site IPSEC VPN are not impacted.
CVE-2024-24919 mitigation
The vendor recommends applying a hotfix to mitigate this vulnerability.