Update 31.05.2024: Added clarification on severity of the vulnerability, recommendations and mitigations. A Proof of Concept (POC) to exploit the vulnerability is now publicly available. CVSS score has been increased from 7.5 to 8.6. Updated Check Point support links.


A critical vulnerability has been discovered in Check Point Security Gateways with Remote Access VPN enabled, also referred to as the "Mobile Access" blade. The vulnerability also applies to instances where Check Point Mobile Secure Workspace with Capsule is used.

The vulnerability is considered critical because it allows unauthorised actors to extract information from gateways connected to the Internet.

mnemonic has observed exploitation attempts in customer environments since April 30, 2024.

Background: CVE-2024-24919

Late in the evening on May 28, 2024, mnemonic was contacted by Check Point Norway, urging us to patch all customers with Remote Access VPN and Mobile Access enabled.

The vulnerability in question impacts all Check Point gateways with the Mobile Access blade enabled, including Capsule Workspace. It has been assigned a CVSS v3.1 base score of 8.6 (HIGH).

The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts. The full extent of the consequences is still unknown, but it is known that password hashes of legacy local users with password-only authentication can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be cracked, leading to further misuse and potential lateral movement within the network.

Update 31.05.2024: It is now proven that the vulnerability allows a threat actor to retrieve all files on the local filesystem. This includes password hashes for all local accounts, SSH keys, certificates and other critical files. Threat actors can gain full shell access on vulnerable systems with relative ease.

Threat Intelligence assessment

Check Point Software Technologies and mnemonic have observed attempts to exploit this vulnerability.

mnemonic has observed this exploit being used in the wild on several occasions and is currently investigating activity related to the use of this vulnerability. The vulnerability is particularly critical because it requires no user interaction or privileges, making it easy to exploit remotely.

We have observed threat actors extracting ntds.dit from compromised customers within 2-3 hours after logging in with a local user. mnemonic links this vulnerability to the activity described in our blog about the misuse of Visual Studio Code for traffic tunneling. CVE-2024-24919 was in that case used to extract user information which the threat actor then used to move laterally in the network.

Update 31.05.2024: A POC to exploit the vulnerability is now publicly available.

Affected systems

The vulnerability is not tied to specific software versions. Remediations and fixes will need to be implemented in the form of a hotfix released after the vulnerability's announcement.

Gateways using only Site-to-Site IPSEC VPN are not affected.

Recommendations

Update 31.05.2024: Additional recommendations and mitigations added in italics.

All gateways with Mobile Access blade active (or formerly active) should be treated as vulnerable.

Organisations using Check Point Capsule Workspace are also vulnerable due to the Mobile Access blade being used by the Capsule solution.

To mitigate the risks associated with CVE-2024-24919, organisations are advised to:

  • Immediately update the affected systems to the patched version. For more information, see this article written by Check Point
  • Remove any local users on the gateway
  • Rotate passwords / accounts for LDAP connections from the gateway to Active Directory
  • Renew the server certificates for inbound HTTPD inspection on gateway
  • Renew the certificate for outbound HTTPS inspection on the security gateway
  • Reset Gaia OS passwords for all local users
  • Regenerate the SSH local user certificate on the security gateway
  • Do post-patch searches in logs (as documented in this Check Point article) for signs of compromise / anomalous behavior / logins
  • If available, update the Check Point IPS signatures to detect exploitation attempts

mnemonic also recommends that all "Log In" actions with "Password" as the authentication method in the "Mobile Access" blade are cross-checked against legitimate activity. For this purpose, Check Point recommends using the following query in SmartConsole: action:"Log In" AND auth_method:Password AND blade:"Mobile Access"

Check Point has released several IPS rules to detect exploit activity, but this requires that the vulnerable Remote Access gateway is behind a Security Gateway and that the IDS/IPS blade is enabled. If you have an IDS or other network sensor in front of the Remote Access gateway, requests to the following URI path can be used to detect exploitation attempts: https://IP/clients/MyCRL

Update 31.05.2024: As described in watchTowr's breakdown of the vulnerability, if you have an IDS or other network sensor in front of the Remote Access gateway that can provide insight into HTTP POST requests, you can look for POST requests to the URI path https://IP/clients/MyCRL where the request body contains the path CSHELL. For example:

POST /clients/MyCRL HTTP/1.1
Host: 
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow

In the example above, the vulnerability is used to extract the /etc/shadow file on the system, but all requests containing CSHELL/.. should be regarded as an exploitation attempt.
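As an added example (not part of mnemonic's advisory or of Check Point's IPS rules), the following Python detector applies the indicator described above to raw HTTP requests as a sensor in front of the gateway might capture them. The sample requests and hostnames are constructed; percent-decoding the body before matching is an assumption of this example, not something the advisory prescribes.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample of three raw HTTP requests. Hostnames are placeholders.
# Request 1 follows the pattern shown in the advisory; 2 and 3 are benign.
SAMPLE_REQUESTS = [
    "POST /clients/MyCRL HTTP/1.1\r\nHost: vpn.example.invalid\r\n"
    "Content-Length: 39\r\n\r\naCSHELL/../../../../../../../etc/shadow",
    # A POST to the same path without a CSHELL traversal: must not alert.
    "POST /clients/MyCRL HTTP/1.1\r\nHost: vpn.example.invalid\r\n"
    "Content-Length: 11\r\n\r\nsome_client",
    # An unrelated request on another path.
    "GET / HTTP/1.1\r\nHost: vpn.example.invalid\r\n\r\n",
]

@dataclass
class Finding:
    method: str
    path: str
    body: str
    target_file: str  # file the traversal points at, for triage

# The advisory's indicator: any request containing "CSHELL/.." is an attempt.
TRAVERSAL = re.compile(r"CSHELL/(?:\.\./)+(?P<target>\S*)")

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def check_request(raw: str):
    """Return a Finding if the request matches the CVE-2024-24919 pattern."""
    method, path, _headers, body = parse_request(raw)
    # Assumption: decode percent-encoding once so the match is made on the
    # decoded body; the path is recorded but not required to be /clients/MyCRL,
    # since the advisory treats every CSHELL/.. request as an attempt.
    m = TRAVERSAL.search(unquote(body))
    if m is None:
        return None
    return Finding(method, path, body, "/" + m.group("target"))

def scan(requests):
    """Run check_request over a batch and keep only the findings."""
    return [f for f in (check_request(r) for r in requests) if f]
```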

Detection coverage for Argus MDR customers

For Argus MDR customers, mnemonic has initiated the following actions:

  • mnemonic is currently reviewing log data for signs of brute force or newly created / used local users
  • Signatures that detect all logins with the use of static passwords have been deployed
  • IOCs which were earlier involved in compromising customers with similar tech stacks are given extra attention
  • The Signature Development Team is currently investigating the possibility of creating precise detections
  • Retroactive searches in available data are performed for customers known to be using vulnerable Check Point products

Actions taken for Argus Security Operations (ASO) customers

For mnemonic ASO customers, mnemonic has initiated the following actions:

  • mnemonic is checking all customer deployments for any usage of Mobile Access blade and local users
  • Customer appliances for mnemonic ASO Premium and ASO Standard customers have been patched according to contract terms
  • mnemonic NOC is performing additional hunting for indicators of compromise post-patching
  • mnemonic NOC is notifying all customers with Mobile Access licenses from mnemonic, offering advice and assistance in handling

IOCs

The following IOCs have been observed in customer environments between April 30, 2024, and today (May 29, 2024):

  • Reconnaissance IP: 82.180.133[.]120
  • Exploitation IP: 87.120.8[.]173
  • Exploitation IP: 23.227.203[.]36
  • Exploitation IP: 203.160.68[.]12

Update 31.05.2024: Check Point has published a list of suspect IP addresses.