A Vulnerability in Check Point Security Gateways Could Allow for Credential Access

A vulnerability has been discovered in Check Point Security Gateway Products that could allow for credential access. A Check Point Security Gateway sits between an organization’s environment and the Internet to enforce policy and block threats and malware. Successful exploitation of this vulnerability could allow for credential access to local accounts due to an arbitrary file read vulnerability. Other sensitive files such as SSH keys and certificates may also be read. Depending on the privileges associated with the accounts, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Local accounts that are configured to have fewer rights on the system could be less impacted than those that operate with administrative rights.

Check Point is aware that an exploit for CVE-2024-24919 exists in the wild and is being actively exploited. Additionally, the cybersecurity organization mnemonic has reported observing threat actors extracting ntds.dit, a store of Active Directory hashes on a Domain Controller, from compromised customers within 2-3 hours after logging in with a local user.

TECHNICAL SUMMARY:
A vulnerability has been discovered in Check Point Security Gateway Products that could allow for credential access. The vulnerability affects Security Gateway products making use of the IPsec VPN or Mobile Access. Exploiting this vulnerability can result in accessing arbitrary files on the system including /etc/shadow which contains password hashes for local accounts on the Security Gateway. The hashes can be cracked and allow for the attacker to authenticate as those users, allowing for lateral movement and the potential to gain domain admin privileges. Details of the vulnerability are as follows:
Tactic: Credential Access (TA0006):
Technique: Exploitation for Credential Access (T1212):

• Arbitrary file read vulnerability (CVE-2024-24919)
  Successful exploitation of this vulnerability could allow for credential access to local accounts due to an arbitrary file read vulnerability. Other sensitive files such as SSH keys and certificates may also be read. Depending on the privileges associated with the accounts, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Local accounts that are configured to have fewer rights on the system could be less impacted than those that operate with administrative rights.

We recommend the following actions be taken:

• Apply the updates provided by Check Point to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  o Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  o Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  o Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  o Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  o Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  o Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  o Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  o Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
• Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
• Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.