On May 27, 2024, Check Point released hot fixes for an information disclosure vulnerability being leveraged by threat actors to target Check Point VPNs. This vulnerability was labeled as CVE-2024-24919 and is rated as high severity, as a remote threat actor can exploit the vulnerability to access information on Gateways connected to the Internet, with IPSec VPN, Remote Access VPN or Mobile Access enabled.
Check Point identified a small number of login attempts in customer environments that used old VPN local accounts relying on password-only authentication, a configuration Check Point does not recommend. Check Point is currently working with affected customers to remediate the vulnerability and encourages customers to reach out to their Check Point representative with any questions.
Gateway vulnerabilities that lead to information disclosure are enticing targets for threat actors. The Citrix Bleed vulnerability (CVE-2023-4966), exploited towards the end of 2023, is a recent example: it was leveraged by various threat actors to target multiple industries, and highlights the potential widespread impact of this class of vulnerability.
Recommendations for CVE-2024-24919
Recommendation #1: Apply Hotfixes
Arctic Wolf strongly recommends applying the applicable hotfix for your Quantum Gateway. Please follow your organization’s patching and testing guidelines to avoid any operational impact.
Product | Affected Version | Hotfix |
Quantum Security Gateway and CloudGuard Network Security Versions | | |
Quantum Maestro and Quantum Scalable Chassis | | |
Quantum Spark Gateways Version | | |
If any additional assistance is required, Check Point encourages users to contact the Check Point Technical Support Center or their local Check Point representative.
Recommendation #2: Implement Additional Security Hardening Measures
Check Point recommends implementing additional security measures to harden Gateways. These include:
- Changing the password of the Security Gateway’s account in Active Directory
- Identifying local accounts with password only authentication
- Preventing local accounts from connecting to VPN with password authentication
For detailed step-by-step guidance, please refer to the “Important Extra Measures” section of Check Point’s SecureKnowledge article.
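The second and third hardening items above amount to an inventory audit: find local accounts that can reach the VPN with nothing more than a static password, and block that combination. The script below is an added example, not Arctic Wolf’s or Check Point’s code; it assumes an account inventory exported as JSON records with the fields `name`, `type` (`local` or `directory`), `auth_methods` (a list) and `vpn_access` (a boolean). That schema, the sample accounts and the set of “strong” methods are assumptions for illustration, not a Check Point export format.

```python
"""Audit a local-account inventory for password-only VPN authentication.

Added example (not Arctic Wolf's or Check Point's code). The JSON schema
(name / type / auth_methods / vpn_access) is an assumption for illustration.
"""
import json

# Constructed sample inventory: hypothetical accounts, not real data.
SAMPLE_INVENTORY = json.dumps([
    {"name": "vpn-legacy01", "type": "local", "auth_methods": ["password"], "vpn_access": True},
    {"name": "vpn-cert02", "type": "local", "auth_methods": ["certificate"], "vpn_access": True},
    {"name": "helpdesk", "type": "local", "auth_methods": ["password", "certificate"], "vpn_access": True},
    {"name": "backup-svc", "type": "local", "auth_methods": ["password"], "vpn_access": False},
    {"name": "alice", "type": "directory", "auth_methods": ["password"], "vpn_access": True},
])

# Methods treated as stronger than a bare static password (assumed list).
STRONG_METHODS = {"certificate", "radius", "securid", "tacacs"}


def is_password_only(auth_methods):
    """True when a password is configured and no stronger method accompanies it."""
    methods = {m.lower() for m in auth_methods}
    return "password" in methods and not (methods & STRONG_METHODS)


def find_password_only_vpn_accounts(inventory_json):
    """Names of local accounts that can connect to the VPN with only a password.

    These are the accounts the hardening guidance says should be prevented
    from connecting to VPN with password authentication.
    """
    flagged = []
    for acct in json.loads(inventory_json):
        if (acct["type"] == "local"
                and acct["vpn_access"]
                and is_password_only(acct["auth_methods"])):
            flagged.append(acct["name"])
    return sorted(flagged)


def summarize(inventory_json):
    """Bucket every account by the action the hardening guidance implies."""
    summary = {"block_password_vpn": [], "review_local_password": [], "no_action": []}
    for acct in json.loads(inventory_json):
        pw_only = is_password_only(acct["auth_methods"])
        if acct["type"] == "local" and pw_only and acct["vpn_access"]:
            # Local, password-only, and VPN-enabled: block password auth for VPN.
            summary["block_password_vpn"].append(acct["name"])
        elif acct["type"] == "local" and pw_only:
            # Local and password-only but no VPN access today: still worth review.
            summary["review_local_password"].append(acct["name"])
        else:
            # Directory-backed or already using a stronger method.
            summary["no_action"].append(acct["name"])
    return summary


if __name__ == "__main__":
    for action, names in summarize(SAMPLE_INVENTORY).items():
        print(f"{action}: {', '.join(names) or '-'}")
```

An account that pairs a password with a certificate is deliberately not flagged, since the concern in the advisory is password-only authentication; tighten `STRONG_METHODS` to match whichever methods your own policy accepts.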