TR-86 - Check Point VPN Information Disclosure (CVE-2024-24919) - Actively Exploited

TR-86 - Check Point VPN Information Disclosure (CVE-2024-24919) - Actively Exploited

Back to Publications and Presentations

  1. Vulnerable Version And Products
  2. Fixes
  3. Detection and investigative assessment
  4. Known affected software in Luxembourg
  5. References
  6. Classification of this document
  7. Revision

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.

Search


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member

A critical information disclosure vulnerability (CVE-2024-24919) exists in Check Point VPN. Successful exploitation of this vulnerability allows a remote attacker to obtain sensitive information, including key materials, user credentials, and configuration files from the operating system.

Vulnerable Version And Products

  • Check Point Quantum Gateway and CloudGuard Network versions R81.20, R81.10, R81, R80.40.
  • Check Point Spark versions R81.10, R80.20.
  • CloudGuard Network
  • Quantum Maestro
  • Quantum Scalable Chassis
  • Quantum Security Gateways
  • Quantum Spark Appliances

Fixes

Check point published Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure which includes the details about the hotfix to prevent the exploitation of the vulnerability.

The document also includes important extra measures to reset the sensitive information from an exposed device. We strongly recommend to apply those extra measures especially for publicly exposed VPN services.

Check Point mentions a script to check for local users with password-only authentication, but the vulnerability can affect much more than just the credentials. Therefore, we strongly recommend not only relying on information from the vendors but also from organizations evaluating the vulnerability.

Detection and investigative assessment

  • Review any suspicious access and audit log.

Known affected software in Luxembourg

A significant number of vulnerable devices were discovered in Luxembourg, and notifications have been sent to the ISPs and available contact points.

Due to the simplicity of exploitation, threat actors may have already collected various credentials and could conduct additional actions in the coming weeks.

References

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 31st May 2024