Last updated Monday, June 3, 2024, 20:55:35 GMT

On May 28, 2024, Check Point published an advisory for CVE-2024-24919, a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade.

On May 29, 2024, security firm mnemonic published a blog reporting that they have observed in-the-wild exploitation of CVE-2024-24919 since April 30, 2024, with threat actors leveraging the vulnerability to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory. They have also observed adversaries moving laterally and extracting the “ntds.dit” file from compromised customers’ Active Directory servers within hours of an initial attack against a vulnerable Check Point Gateway.

On May 30, 2024, a security research firm published technical details, including a PoC, for CVE-2024-24919.

On May 31, 2024, Check Point updated their advisory to state that further analysis has revealed that the first exploitation attempts actually began on April 7, 2024, rather than April 30 as previously believed.

The vulnerability allows an unauthenticated remote attacker to read the contents of an arbitrary file located on the affected appliance. For example, this allows an attacker to read the appliance’s /etc/shadow file, exposing the password hashes of local accounts. The attacker is not limited to reading this file and may read other files that contain sensitive information. An attacker may be able to crack the password hashes for these local accounts, and if the Security Gateway allows password-only authentication, the attacker may be able to authenticate using the cracked password.

Mitigation guidance

According to the vendor advisory, the following products are vulnerable to CVE-2024-24919:

  • CloudGuard Network
  • Quantum Maestro
  • Quantum Scalable Chassis
  • Quantum Security Gateway
  • Quantum Spark Appliances

Check Point has advised that a Security Gateway is vulnerable if one of the following configurations is applied:

  • If the “IPSec VPN” blade has been enabled and the Security Gateway device is part of the “Remote Access” VPN community.
  • If the “Mobile Access” blade has been enabled.

Check Point has released hotfixes for Quantum Security Gateway, Quantum Maestro, Quantum Scalable Chassis, and Quantum Spark Appliances. We advise customers to refer to the Check Point advisory for the most current information on affected versions and hotfixes.

Notably, the vendor advisory now calls out the non-default “CCCD” feature, stating “Customers who use CCCD must disable this functionality for the Hotfix to be effective.” All organizations should manually confirm that the CCCD feature is disabled on every patched Check Point device. Per the vendor’s guidance, the command vpn cccd status should be executed in “Expert Mode” on appliances to confirm that CCCD is disabled.

The vendor-provided hotfixes should be applied immediately. Rapid7 strongly recommends that Check Point Security Gateway customers examine their environments for signs of compromise and reset local account credentials in addition to applying vendor-provided fixes.

Check Point notes that exploit attempts their team has observed “focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” The company recommends that customers check for local account usage, disable any unused local accounts, and add certificate-based authentication rather than password-only authentication. More information and recommendations on user and client authentication for remote access is available here.

IOCs

No reliable method of identifying arbitrary file read exploitation was identified. However, successful web administration panel and SSH logins will be logged in /var/log/messages, /var/log/audit/audit.log, and /var/log/auth.

Contents of /var/log/audit/audit.log after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ using local PAM authentication:
type=USER_AUTH msg=audit(1717085193.706:656): pid=65484 uid=99 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="admin" exe="/usr/sbin/httpauth" hostname=192.168.181.1 addr=192.168.181.1 terminal=? res=success'

Contents of /var/log/messages after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ using local PAM authentication:
May 30 08:30:25 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin

Contents of /var/log/auth after web administration panel login as the user ‘admin’ from ‘192.168.181.1’ using local PAM authentication:
May 30 08:30:31 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin

Contents of /var/log/messages after SSH login as the user ‘admin’ from ‘192.168.181.1’ using local PAM authentication:
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: admin localhost t +volatile:clish:admin:66699 t
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: User admin logged in with ReadWrite permission

Contents of /var/log/secure after SSH login as the user ‘admin’ from ‘192.168.181.1’ using local PAM authentication:
May 30 08:30:31 2024 gw-6f7361 sshd[66690]: Accepted password for admin from 192.168.181.1 port 62487 ssh2
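Since the file read itself leaves no reliable trace, the practical hunt is for the follow-on logins shown above. The following added example (not from the original post or from Check Point) parses the three login formats excerpted here, the audit.log USER_AUTH record, the httpd2 HTTP login line and the sshd “Accepted” line, and flags successful logins to local accounts that came from outside a trusted network or used password-only authentication. The sample lines, trusted network and local-account list are constructed assumptions; the HTTP and PAM records are treated as password logins because the page describes them as local PAM authentication.

```python
import ipaddress
import re

# Constructed sample lines modelled on the page's IOC excerpts (not real captures).
SAMPLE_LOGS = """\
type=USER_AUTH msg=audit(1717085193.706:656): pid=65484 uid=99 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="admin" exe="/usr/sbin/httpauth" hostname=192.168.181.1 addr=192.168.181.1 terminal=? res=success'
May 30 08:30:25 2024 gw-6f7361 httpd2: HTTP login from 192.168.181.1 as admin
May 30 08:34:24 2024 gw-6f7361 xpand[176227]: User admin logged in with ReadWrite permission
May 30 08:30:31 2024 gw-6f7361 sshd[66690]: Accepted password for admin from 192.168.181.1 port 62487 ssh2
May 30 09:01:02 2024 gw-6f7361 sshd[66712]: Accepted publickey for opsuser from 10.0.0.5 port 50122 ssh2
"""

# One regex per login record type seen on the page; named groups give user, source and result.
PATTERNS = [
    ("audit-pam", re.compile(r'op=PAM:authentication .*?acct="(?P<user>[^"]+)".*?addr=(?P<addr>\S+).*?res=(?P<res>\w+)')),
    ("http-login", re.compile(r"httpd2: HTTP login from (?P<addr>\S+) as (?P<user>\S+)")),
    ("ssh-login", re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<addr>\S+) port \d+")),
]

def parse_logins(text):
    """Return successful login events as dicts with kind, user, addr and auth method."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            d = m.groupdict()
            if d.get("res", "success") == "success":   # audit records carry res=; others are success by definition
                # Assumption: PAM/HTTP logins are password-based, matching the page's "local PAM authentication".
                events.append({"kind": kind, "user": d["user"], "addr": d["addr"], "method": d.get("method", "password")})
            break
    return events

def flag_suspicious(events, trusted_nets, local_accounts):
    """Flag logins from outside trusted_nets, or password-only logins to local accounts."""
    findings = []
    for ev in events:
        reasons = []
        if not any(ipaddress.ip_address(ev["addr"]) in net for net in trusted_nets):
            reasons.append("untrusted source")
        if ev["user"] in local_accounts and ev["method"] == "password":
            reasons.append("password-only login to local account")
        if reasons:
            findings.append((ev["kind"], ev["user"], ev["addr"], reasons))
    return findings

def triage(text, trusted_cidrs, local_accounts):
    """Convenience wrapper: CIDR strings in, list of (kind, user, addr, reasons) out."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return flag_suspicious(parse_logins(text), nets, set(local_accounts))

if __name__ == "__main__":
    for kind, user, addr, reasons in triage(SAMPLE_LOGS, ["10.0.0.0/8"], ["admin"]):
        print(f"{kind}: {user} from {addr}: {', '.join(reasons)}")
```

Run it against the concatenated /var/log/audit/audit.log, /var/log/messages, /var/log/auth and /var/log/secure from a gateway, with your management subnets as the trusted CIDRs; anything flagged that is not a known administrator session warrants the credential reset recommended above.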

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-24919 with an unauthenticated vulnerability check shipping in today’s (Thursday, May 30) content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this vulnerability:

  • Suspicious Web Server Request - Successful Path Traversal Attack
  • Suspicious Web Request - Possible Check Point VPN (CVE-2024-24919) Exploitation

Updates

May 30, 2024: Added IOC section. CVE-2024-24919 was added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list on May 30, 2024.

May 31, 2024: Added Check Point’s updated advisory, which revealed that the first exploitation attempts actually began on April 7, 2024, rather than April 30 as previously believed.

June 3, 2024: Updated the Mitigation guidance section with new information from Check Point’s updated advisory regarding the CCCD feature, which is disabled by default. It must be disabled for the Hotfix to be effective on some versions of the software.
