Vulnerability in Check Point Security Gateways Could Allow Access to Credentials

A vulnerability has been discovered in Check Point Security Gateway products that could allow access to credentials. A Check Point security gateway sits between an organization's environment and the Internet to enforce policy and block threats and malware. Successful exploitation of this vulnerability could allow access to local account credentials due to an arbitrary file read vulnerability. Other sensitive files such as SSH keys and certificates can also be read. Depending on the privileges associated with the accounts, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Local accounts configured to have fewer rights on the system might be less impacted than those operating with administrator rights.

Check Point is aware that an exploit for CVE-2024-24919 exists in the wild and is being actively exploited. Additionally, cybersecurity organization Mnemonic reported observing malicious actors extracting ntds.dit, an Active Directory hash store on a domain controller, from compromised clients within 2 to 3 hours of logging in with a local user.

TECHNICAL SUMMARY:
A vulnerability has been discovered in Check Point Security Gateway products that could allow access to credentials. The vulnerability affects Security Gateway products using IPsec VPN or Mobile Access. Exploitation of this vulnerability can result in access to arbitrary files on the system, including /etc/shadow which contains password hashes for local accounts on Security Gateway. Hashes can be hijacked and allow the attacker to authenticate as users, allowing lateral movement and the ability to gain domain administrator privileges. The details of the vulnerability are as follows:
Tactical: Credential Access (TA0006):
Technical: Exploitation for access to identification information (T1212):

• Arbitrary File Read Vulnerability (CVE-2024-24919)
  Successful exploitation of this vulnerability could allow access to local account credentials due to an arbitrary file read vulnerability. Other sensitive files such as SSH keys and certificates can also be read. Depending on the privileges associated with the accounts, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Local accounts configured to have fewer rights on the system might be less impacted than those operating with administrator rights.

We recommend that the following actions be taken:

• Apply updates provided by Check Point to vulnerable systems immediately after appropriate testing. (M1051: software update)
  o Backup 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for company assets. Review and update documentation annually or when significant changes within the business occur that could impact this protection.
  o Safeguard 7.2: Establish and maintain a remediation process: Establish and maintain a risk-based remediation strategy, documented in a remediation process, with monthly or more frequent reviews.
  o Backup 7.6: Perform automated vulnerability scans of externally exposed enterprise assets: Perform automated vulnerability scans of externally exposed enterprise assets using a vulnerability scanning tool compliant with SCAP. Perform scans on a monthly or more frequent basis.
  o Backup 7.7: Fix detected vulnerabilities: Fix detected vulnerabilities in software through processes and tools on a monthly or more frequent basis, depending on the remediation process.
  o Backup 16.13 Perform application penetration testing: Perform application penetration testing. For mission-critical applications, authenticated penetration testing is better suited to detecting business logic vulnerabilities than code analysis and automated security testing. Penetration testing relies on the tester's ability to manually manipulate an application as an authenticated and unauthenticated user.
  o Safeguard 18.1: Establish and maintain a penetration testing program: Establish and maintain a penetration testing program appropriate to the size, complexity and maturity of the business. Penetration testing program characteristics include scope, such as network, web application, application programming interface (API), hosted services, and physical premises controls; frequency; limitations, such as acceptable hours and excluded types of attacks; contact details; corrective actions, such as how results will be communicated internally; and retrospective requirements.
  o Safeguard 18.2: Perform periodic external penetration testing: Perform periodic external penetration testing based on program requirements, at least annually. External penetration testing should include reconnaissance of the business and environment to detect actionable information. Penetration testing requires specialist skills and experience and should be carried out by a qualified party. The test can be performed in a transparent box or an opaque box.
  o Backup 18.3: Remediate Penetration Test Results: Remediate penetration test results based on company policy for scope and prioritization of remedial actions.
• Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Management of privileged accounts)
• Backup 4.7: Manage default accounts on enterprise assets and software: Manage default accounts on enterprise assets and software, such as root, administrator, and other preconfigured vendor accounts. Example implementations may include: disabling default accounts or rendering them unusable.
• Backup 5.4: Restrict admin privileges to dedicated admin accounts: Restrict admin privileges to dedicated admin accounts on company assets. Conduct general computing activities, such as browsing the Internet, emailing, and using the Productivity Suite, from the user's primary, non-privileged account.