
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-24919 is a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the "IPSec VPN" or "Mobile Access" software blade. Exploitation attempts were first discovered beginning on April 7, 2024, and Check Point officially disclosed the vulnerability on May 28, 2024. The affected products include CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances (Rapid7 Blog).
The vulnerability is a path traversal issue that allows an unauthenticated remote attacker to read the contents of arbitrary files located on the affected appliance. It has been assigned a CVSS v3.1 base score of 8.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. Exploitation involves sending a specially crafted POST request to the /clients/MyCRL endpoint, which can be used to traverse the filesystem and read sensitive files (GreyNoise Blog).
The vulnerability allows attackers to access sensitive information on the Security Gateway, including password hashes from the /etc/shadow file and other sensitive system files. In certain scenarios, this access can potentially lead to lateral movement and domain admin privileges. Attackers can potentially crack the password hashes for local accounts, and if the Security Gateway allows password-only authentication, they may use the cracked passwords to authenticate (Rapid7 Blog).
Check Point has released hotfixes for affected products. Organizations should immediately apply the vendor-provided hotfixes and manually confirm that the CCCD feature is disabled on every patched Check Point device. The command 'vpn cccd status' should be executed in "Expert Mode" on appliances to confirm CCCD is disabled. Additionally, Check Point recommends checking for local account usage, disabling unused local accounts, and implementing certificate-based authentication rather than password-only authentication (Rapid7 Blog).
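For hunting alongside the remediation steps, the following added example (not from the original page or from Check Point) scans JSON-lines proxy or WAF logs for POST requests to /clients/MyCRL and marks those whose captured body contains a traversal segment. The log field names (ts, src, method, path, body) and the sample events are constructed assumptions; adapt them to whatever your logging pipeline records.

```python
import json
import re
from urllib.parse import unquote

# Endpoint and method are from the page; log field names are assumptions.
TARGET_PATH = "/clients/MyCRL"
# A ".." path segment delimited by slash or backslash (checked after decoding).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded sequences are also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(event):
    """Return 'traversal', 'review' or None for one parsed log event."""
    path = decode_fully(str(event.get("path") or "")).split("?", 1)[0]
    if str(event.get("method") or "").upper() != "POST" or path.rstrip("/") != TARGET_PATH:
        return None
    body = decode_fully(str(event.get("body") or ""))
    return "traversal" if TRAVERSAL.search(body) else "review"

def scan(lines):
    """Return (verdict, source_ip, timestamp) for every matching log line."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        verdict = classify(event) if isinstance(event, dict) else None
        if verdict:
            findings.append((verdict, event.get("src"), event.get("ts")))
    return findings

# Constructed sample events (documentation-range IPs, hypothetical fields).
SAMPLE_LOG = [
    '{"ts":"2024-05-30T10:00:01Z","src":"198.51.100.7","method":"POST","path":"/clients/MyCRL","body":"%2e%2e%2f%2e%2e%2fetc%2fshadow"}',
    '{"ts":"2024-05-30T10:00:02Z","src":"198.51.100.7","method":"POST","path":"/clients/MyCRL","body":"%252e%252e%252fetc"}',
    '{"ts":"2024-05-30T10:05:00Z","src":"203.0.113.9","method":"POST","path":"/clients/MyCRL/","body":""}',
    '{"ts":"2024-05-30T10:06:00Z","src":"203.0.113.9","method":"GET","path":"/clients/MyCRL"}',
    '{"ts":"2024-05-30T10:07:00Z","src":"203.0.113.9","method":"POST","path":"/other","body":"../x"}',
    'not json at all',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A "review" verdict means the body was empty or not captured, so the request needs manual inspection; access logs that omit request bodies will only ever produce that verdict.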
The security community has responded rapidly to this vulnerability, with multiple security firms publishing detailed analyses and proof-of-concept demonstrations. On May 30, 2024, watchTowr labs published a detailed technical analysis including a working proof of concept. Censys reported that approximately 14,000 devices are running vulnerable versions of the software, though the exact number of exposed management ports is unclear (GreyNoise Blog).
Source: This report was generated using AI