Check Point Vulnerability: CVE-2024-24919

June 3, 2024

By Lauren Farrell

On May 28, 2024, Check Point released an advisory for CVE-2024-24919, a high priority bug which according to NIST NVD is categorized as “Exposure of Sensitive Information to an Unauthorized Actor”. The NVD has yet to assess a CVSS score for CVE-2024-24919 as of this writing. This vulnerability affects Check Point Security Gateway devices connected to the internet and configured with either IP-Sec VPN or Mobile Access software blades. When exploited, this vulnerability provides the attacker the ability to enumerate and extract password hashes for local accounts, including Active Directory service accounts, which can lead to lateral movement and complete compromise of targeted networks under the right conditions.  Check Point stated on May 31, 2024, that exploitation attempts have been ongoing since April 7, 2024. They have also observed attackers extracting the ntds.dit file from the Active Directory servers belonging to compromised organizations. The ntds.dit file is a database file that stores active directory data including users, groups, security descriptors and password hashes.  Vulnerable Systems and Circumstances:  According to the vendor advisory, the following products are vulnerable to CVE-2024-24919: 
  • CloudGuard Network 
  • Quantum Maestro 
  • Quantum Scalable Chassis 
  • Quantum Security Gateways 
  • Quantum Spark Appliances 
Check Point has advised that a Security Gateway is vulnerable if one of the following configurations is applied: 
  • If the IPSec VPN blade has been enabled and the Security Gateway device is part of the Remote Access VPN community. 
There are manufacturer provided hotfixes available as outlined in the vendor advisory. Check Point advises that these hotfixes be applied immediately, and environments be evaluated to ensure that other circumstances regarding network security practices do not add to the vulnerability of systems. For example, systems that rely on password-only authentication should switch to certificate-based authentication where possible.  Important extra measures to take: 
  1. Change the password of the LDAP Account Unit 
  2. Reset password of local accounts connecting to Remote Access VPN with password-only authentication 
  3. Prevent Local Accounts from connecting to VPN with Password-Only Authentication 
  4. Renew the server certificates for the Inbound HTTPS Inspection on the Security Gateway 
  5. Renew the certificate for the Outbound HTTPS Inspection on the Security Gateway 
  6. Reset Gaia OS passwords for all local users 
  7. Regenerate the SSH local user certificate on the Security Gateway in the following case: 
  8. Renew the certificate for the SSH Inspection 
Centripetal’s CleanINTERNET® can assist in detecting unauthorized connection attempts and successful logins provided the Check Point products are seated behind a RuleGate device. This, along with actions recommended by the vendor, can avoid a full compromise of network infrastructure due to CVE-2024-24919.  If you are unsure if your devices are vulnerable, you can run the following command directed at your Check Point Firewall IP to find out:   curl -d "aCSHELL/../../../../../../../etc/passwd" -k -X POST https://<YOUR CHECKPOINT FIREWALL IP HERE>/clients/MyCRL   If you are currently running one of the affected products, please contact support@centripetal.ai.   Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.   Resources: 

Know what’s coming. 
Stop what’s next.

Sign up for our free threat alert bulletin service here.

Centripetal is committed to protecting and respecting your privacy, by submitting this form, you are providing Centripetal with your personal data. For more information on how we use your personal data and the choices you have, please review Centripetal's Privacy Policy. 

The Cybercrime Barrier Your Organization Deserves

Sign up for a custom demonstration from our security team of how we bring together the best minds and most complete collection of threat intelligence to provide you with a shocking level of relief. 

Get A Demo