Urgent Check Point Warning: Zero-Day Vulnerability in VPN Gateway Products Exploited in the Wild
Vulnerability in VPN Gateway Products

Zika | September 12, 2024 at 5:50 AM
Technology


Description: A high-severity zero-day vulnerability, tracked as CVE-2024-24919, has been found in Check Point's Network Security gateway products, including CloudGuard Network, Quantum Maestro, and Quantum Spark appliances, and is being exploited in the wild. This article covers the affected versions, the available hotfixes, and how to protect your network.


United States - In a critical development for cybersecurity professionals, Check Point has sounded the alarm over a zero-day vulnerability that has been actively exploited in the wild. This flaw, tracked as CVE-2024-24919, impacts multiple Check Point Network Security gateway products including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.

With a CVSS score of 8.6, this high-severity issue allows unauthenticated remote attackers to read sensitive information from internet-connected gateways that have Remote Access VPN or Mobile Access enabled, posing a serious threat to enterprise networks.

Hotfixes are now available to mitigate the threat in the affected product versions, but the urgency remains high as exploitation has already been detected in the wild.


What Is CVE-2024-24919?

A High-Severity Vulnerability in Check Point's VPN Products

CVE-2024-24919 is an information-disclosure flaw in Check Point's VPN gateway products. It allows an unauthenticated attacker to read sensitive files from gateways that are exposed to the internet.

Specifically, an attacker can use the flaw to enumerate and extract the password hashes of all local accounts on the gateway, including the account the gateway uses to connect to Active Directory.

Weak passwords can then be cracked offline from those hashes, and the recovered credentials give the attacker a foothold for lateral movement within the network, further deepening the security risk.

According to Check Point, the vulnerability affects gateways that have the IPsec VPN Software Blade enabled and are included in a Remote Access VPN community, or that have the Mobile Access Software Blade enabled.

These gateways are often deployed at the perimeter of enterprise networks, making them attractive targets for hackers looking to infiltrate an organization’s network from the outside.

Affected Products and Available Hotfixes

Hotfixes for the zero-day vulnerability are now available for the following versions of Check Point's products:

  • Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x

These hotfixes are essential to neutralize the ongoing threats and protect enterprise assets from further exploitation.

The Evolution of the Attack: First Exploitation Detected in April 2024

In an advisory published on Wednesday, Norwegian cybersecurity firm mnemonic detailed its observations of exploitation attempts targeting CVE-2024-24919 as early as April 30, 2024.

According to mnemonic, this vulnerability is critical because it enables unauthorized actors to extract information from gateways that are connected to the internet.

What makes this flaw even more dangerous is how trivial it is to exploit: no authentication, user interaction, or privileged access is required, which dramatically increases the risk to every exposed device.

Furthermore, mnemonic observed attackers extracting the Active Directory database (NTDS.dit) within two to three hours of first logging in with a compromised local account.

Once inside, the attackers moved laterally within the network and abused a Visual Studio Code extension to tunnel their traffic, a technique that blends in with legitimate developer tooling and helps evade detection.

This rapid execution of attack chains, in which threat actors have been seen to infiltrate networks in less than three hours, underscores the need for immediate action from affected organizations.

Increasing Threat of Cyber Espionage

The exploitation of CVE-2024-24919 has raised significant concerns in the cybersecurity community. While initial exploitation efforts seem to have been focused on a small number of customers, evidence suggests that the flaw is being leveraged for cyber espionage.

Attackers are using the vulnerability to gain unauthorized access to enterprise networks, potentially to extract valuable data and information that could be used for further attacks or sold to third parties.

The targeting of VPN devices and network perimeter applications is not unique to Check Point products. Similar attacks have been observed against devices from other leading vendors such as Barracuda Networks, Cisco, Fortinet, Ivanti, Palo Alto Networks, and VMware.


Threat Intelligence Reveals Growing Scope of Attacks

According to Censys, an attack surface management firm, 13,802 internet-facing devices were exposed to CVE-2024-24919 as of May 31, 2024.

Until those devices are patched, they represent a large attack surface that threat actors can scan for and exploit at will.

More alarmingly, research by watchTowr Labs showed that the root cause is a path traversal bug, rather than the generic information disclosure described in Check Point's initial advisory.

The traversal lets an unauthenticated attacker break out of the intended directory and read arbitrary files on the gateway, including /etc/shadow, which holds the password hashes of the local accounts.
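To make the bug class concrete, here is an added illustration that is not Check Point's code and does not reproduce the actual CVE-2024-24919 request: a naive path resolver beside a hardened one that enforces containment after percent-decoding, plus a scanner that flags traversal attempts in access-log lines. The document root, the URL paths, and the log entries are all constructed for the example.

```python
"""Path traversal, the bug class behind CVE-2024-24919, shown generically.

Added example; not Check Point code and not the real exploit request.
WEB_ROOT, the URL paths and the log lines are constructed for illustration.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root


def fully_unquote(s: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def vulnerable_resolve(root: str, requested: str) -> str:
    """Naive handling: appends the caller-controlled path under root.
    '..' segments are honoured, so the result can climb out of root."""
    return posixpath.normpath(root + "/" + requested)


def hardened_resolve(root: str, requested: str) -> Optional[str]:
    """Decode, normalise, then verify the result is still inside root.
    Returns None when the request would escape root."""
    decoded = fully_unquote(requested)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    # commonpath, not startswith: '/var/www/html2' must not pass for '/var/www/html'
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate


def is_traversal_attempt(request_path: str) -> bool:
    """True when the decoded path climbs above the document root."""
    decoded = fully_unquote(request_path.split("?", 1)[0])
    depth = 0
    for segment in decoded.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


# Constructed access-log lines in common log format; not observed attacker traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2024:08:12:01 +0000] "GET /portal/login.html HTTP/1.1" 200 5120
203.0.113.10 - - [30/Apr/2024:08:12:05 +0000] "POST /portal/img/../../../../../etc/shadow HTTP/1.1" 200 1337
198.51.100.7 - - [30/Apr/2024:08:13:40 +0000] "GET /portal/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 231
198.51.100.7 - - [30/Apr/2024:08:13:44 +0000] "GET /portal/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1021
192.0.2.55 - - [30/Apr/2024:08:14:02 +0000] "GET /portal/css/../style.css HTTP/1.1" 200 800
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def scan_log(text: str) -> List[dict]:
    """Return one record per request whose path attempts traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_traversal_attempt(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    attack = "../../../../etc/shadow"
    print("naive   :", vulnerable_resolve(WEB_ROOT, attack))
    print("hardened:", hardened_resolve(WEB_ROOT, attack))
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt from", hit["ip"], "->", hit["path"], hit["status"])
```

Two points matter in practice. The containment check must run after decoding and normalisation, and must compare path components rather than string prefixes; the normalisation here is purely lexical, so a server that follows symlinks should resolve the candidate on disk (os.path.realpath) before the comparison. When hunting in logs, a 200 response to a traversal-shaped request is the line to chase first, since it indicates the read likely succeeded.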

Is CVE-2024-24919 Worse Than Initially Thought?

The security community is urging Check Point customers to take immediate action. watchTowr Labs researcher Aliz Hammond raised concerns that Check Point may have downplayed the severity of the bug in its initial advisory.

"Since the bug is already being used in the wild, by real attackers, it seems dangerous for the bug to be treated as anything less than a full unauthenticated remote code execution (RCE) vulnerability," Hammond said. "Administrators need to update their systems as soon as humanly possible."

Protecting Your Network from the Zero-Day Threat

As of now, the recommended course of action for Check Point customers is to immediately apply the available hotfixes for all affected devices. Given that the vulnerability is already being actively exploited, delaying these updates could result in further compromise.

In addition to applying the hotfixes, it is crucial to ensure that the VPN gateways are configured securely. Check Point advises that legacy local accounts relying on password-only authentication be disabled or moved to stronger authentication methods, such as certificate-based authentication or multi-factor authentication (MFA). Because the flaw exposes password hashes, the credentials of affected local accounts, including the account used to connect to Active Directory, should also be rotated once the hotfix is in place.

The Path Forward: A Race Against Exploitation

With exploitation attempts ramping up, organizations using Check Point products must remain vigilant and proactive in protecting their networks.

While Check Point has responded quickly by releasing hotfixes and advisories, the fact that this vulnerability has already been exploited underscores the persistent and growing threat of zero-day attacks.

Organizations are encouraged to stay updated on any new developments from Check Point and to ensure that their devices are regularly patched and properly configured.

Zero-Day Threats Are Here to Stay

The CVE-2024-24919 zero-day vulnerability is a sobering reminder of the ever-present risks that come with modern cybersecurity.

As attackers continue to evolve and find new ways to exploit vulnerabilities in network security products, organizations must be prepared to act quickly and decisively to protect their assets.

In the case of Check Point’s Network Security gateway products, the need for urgency cannot be overstated. With exploitation already occurring in the wild, applying the necessary hotfixes and securing VPN devices is essential to preventing further attacks.

This incident also highlights the need for ongoing vigilance in managing network perimeter security and ensuring that all devices, not just those facing the internet, are adequately protected against the latest threats.

As cyberattacks become increasingly sophisticated, so too must our defenses.

Stay informed, stay protected, and ensure that your network is secured against this latest zero-day threat.


