UPDATE - Check Point Software released an emergency fix this week for a vulnerability in its VPN gateway products, warning customers that threat actors are actively exploiting the flaw.
The flaw (CVE-2024-24919), which ranks 7.5 out of 10 on the CVSS 3.0 severity scale, could enable attackers to read certain information on the gateways if they are connected to the internet and enabled with Remote Access VPN or Mobile Access. Several Check Point products are impacted, including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark Appliances (versions R80.20.x, R81, R81.10, R81.10.x and R81.20, as well as end-of-life versions R80.20SP and R80.40).
The attacks were first observed by Check Point on May 24, and in an update on Tuesday, Check Point said that a “small number” of known customers are impacted. On Wednesday, security firm mnemonic said that it had observed exploitation attempts against the flaw in customer environments since April 30.
“The attempts we’ve seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication,” according to Check Point’s advisory, initially released on Monday with the latest update on Tuesday. “Within a few hours of this development, Check Point released an easy to implement solution that prevents attempts to exploit this vulnerability.”
Check Point urged customers to deploy the available hotfixes and to check whether they have local VPN accounts and whether those accounts have been used. If the local accounts are in use, customers should add another layer of authentication beyond passwords, such as certificates, to increase security, according to Check Point. If local accounts aren’t in use, customers should disable them.
“Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure,” according to Check Point’s advisory.
In an analysis of the patch on Thursday, Aliz Hammond, a researcher with WatchTowr, said that comparing the vulnerable and patched systems revealed the issue to be an arbitrary file read, a flaw that could enable attackers to read any file on the system and that is "more powerful than the vendor advisory seems to imply."
"That bug wasn't too difficult to find, and was extremely easy to exploit once we’d located it," said Hammond in a Thursday analysis. "We’re a little concerned by the vendor’s statement, though - it seems to downplay the severity of this bug. Since the bug is already being used in the wild, by real attackers, it seems dangerous for the bug to be treated as anything less than a full unauthenticated RCE, with device administrators urged to update as soon as humanly possible."
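To make concrete what an "arbitrary file read" means in a gateway's file-serving code, here is an added example in Python. It is not Check Point's code and does not reproduce the CVE-2024-24919 bug itself: it shows a generic handler that concatenates a user-supplied path onto a web root (so `../` segments and absolute paths escape the root) next to a hardened version that canonicalises the path and refuses anything that resolves outside the root. The directory layout, file names and contents are constructed for the demonstration.

```python
"""
Added illustration (not Check Point's code): how an arbitrary file read arises
in a naive file-serving handler, and how confining the resolved path to the
intended root prevents it. All paths and files below are constructed.
"""
import os
import tempfile

# Constructed sandbox: a "web root" holding one public file, and a sibling
# directory standing in for files the handler must never expose.
ROOT = tempfile.mkdtemp(prefix="gw_root_")
OUTSIDE = tempfile.mkdtemp(prefix="gw_outside_")
with open(os.path.join(ROOT, "index.html"), "w") as fh:
    fh.write("public")
with open(os.path.join(OUTSIDE, "sensitive.txt"), "w") as fh:
    fh.write("sensitive")

# Two inputs that leave the root: a relative traversal and an absolute path.
TRAVERSAL = os.path.relpath(os.path.join(OUTSIDE, "sensitive.txt"), ROOT)
ABSOLUTE = os.path.join(OUTSIDE, "sensitive.txt")


def read_file_vulnerable(requested: str) -> str:
    """Joins user input onto ROOT with no validation.

    os.path.join discards ROOT when `requested` is absolute, and '..' segments
    are honoured by the OS, so any readable file on the host can be returned.
    """
    with open(os.path.join(ROOT, requested)) as fh:
        return fh.read()


def read_file_hardened(requested: str) -> str:
    """Resolves the path (symlinks and '..' included) and confines it to ROOT."""
    root = os.path.realpath(ROOT)
    target = os.path.realpath(os.path.join(root, requested))
    # commonpath compares whole components, so a sibling directory whose name
    # merely starts with the root's name is also rejected.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refused: {requested!r} resolves outside the web root")
    with open(target) as fh:
        return fh.read()


def is_confined(requested: str) -> bool:
    """True when the hardened handler would serve `requested`, False when it refuses."""
    try:
        read_file_hardened(requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("vulnerable, traversal :", read_file_vulnerable(TRAVERSAL))
    print("vulnerable, absolute  :", read_file_vulnerable(ABSOLUTE))
    print("hardened, index.html  :", read_file_hardened("index.html"))
    print("hardened, traversal   :", is_confined(TRAVERSAL))
    print("hardened, absolute    :", is_confined(ABSOLUTE))
```

The hardened handler deliberately resolves symlinks before the containment check, because a link inside the root that points outside it would otherwise pass a purely textual prefix test.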
Threat actors have been exploiting VPN vulnerabilities over the past few months. For instance, in January attackers widely targeted bugs in Ivanti’s Connect Secure VPN and Ivanti Policy Secure appliances. On the heels of these types of attacks, Check Point in its advisory said that it had been monitoring attempts to gain unauthorized access to VPNs for its customers.
“Over the past few months, we have observed increased interest of malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises,” according to Check Point in its advisory. “Attackers are motivated to gain access to organizations over remote-access setups so they can try to discover relevant enterprise assets and users, seeking for vulnerabilities in order to gain persistence on key enterprise assets.”
This article was updated May 30 with further details of the bug from WatchTowr security researchers.