Emergency Patch Released by Check Point for VPN Zero-Day Exploited in Recent Attacks

May 29, 2024

Check Point has released hotfixes for a VPN zero-day vulnerability that has been exploited in attacks with the goal of remotely accessing firewalls and potentially breaching corporate networks. The company initially warned about a surge in attacks targeting VPN devices and provided advice on how administrators can safeguard their devices. Subsequently, it identified the root cause: a zero-day flaw that threat actors were exploiting against its customers. This flaw, identified as CVE-2024-24919, is a high-severity information disclosure vulnerability that allows attackers to access specific information on internet-exposed Check Point Security Gateways with the Remote Access VPN or Mobile Access Software Blades enabled.

The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled. The attempts we've seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication.

The flaw, CVE-2024-24919, impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances, in the following product versions: R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20. In response, Check Point has rolled out security updates to mitigate the flaw. These updates can be installed by navigating to the Security Gateway portal, selecting 'Software Updates', then 'Available Updates', followed by 'Hotfix Updates', and finally clicking 'Install'. The company estimates that the update process should take approximately 10 minutes, and a system reboot is necessary.

Once the hotfix is installed, attempts to log in using weak credentials and authentication methods will be automatically blocked, and a log will be generated. Hotfixes have also been made available for end-of-life (EOL) versions, but these must be manually downloaded and applied. Check Point has published a FAQ page with additional information about CVE-2024-24919, the IPS signature, and manual hotfix installation instructions.

For those unable to apply the update, Check Point recommends enhancing their security posture by updating the Active Directory (AD) password that the Security Gateway uses for authentication. Moreover, Check Point has developed a remote access validation script that can be uploaded onto 'SmartConsole' and executed to review the results and take appropriate actions. More information on updating the AD password and using the 'VPNcheck.sh' script is provided in Check Point's security bulletin.
