Check Point Remote VPN security update for CVE-2024-24919

[German]There is a vulnerability CVE-2024-24919 in Check Point Remote Access VPN, which has been used by attackers for attacks since the end of April 2024. These steal Active Directory data in order to gain access to the victim's network and to look around the network further. Check Point has already issued a warning on May 27, 2024 – I'll post it here in the blog.

CP Remote Access VPN (CVE-2024-24919)

It is unclear to me how widely Check Point Remote Access VPN is used by companies. However, an administrator has just sent me the following screenshot with a warning from Check Point (thanks for that).

The Check Point Remote Access VPN vulnerability CVE-2024-24919 allows an attacker to read certain information on Check Point Security Gateways when they are connected to the Internet and enabled with Remote Access VPN or Mobile Access Software Blades. A security fix that mitigates this vulnerability is available (but Check Point is only releasing information and the update to customers).

Since May 27, 2024, there is the Check Point blog post with the vulnerability notes and probably a security update to close the vulnerability. It says:

The vulnerability allows an attacker to read certain information on internet-connected gateways with remote access VPN or mobile access enabled. The attempts we've seen so far, as reported on May 27, focus on remote access scenarios using old local accounts with non-recommended password-only authentication.

A few hours after this development, Check Point released an easy-to-implement solution that prevents attempts to exploit this vulnerability. To be safe, customers should follow these simple instructions to implement the provided solution.

However, the colleagues at Bleeping Computer write that attackers have been exploiting the 0-day vulnerability in the Check Point Remote Access VPN since at least April 30, 2024, stealing Active Directory data they need to move laterally through victims' networks in successful attacks. Attackers can attack the security gateways via old local VPN accounts with insecure password authentication.

Tenable has published the article CVE-2024-24919: Check Point Security Gateway Information Disclosure Zero-Day Exploited in the Wild with an analysis and writes that Check Point has identified a zero-day vulnerability in Check Point Network Security Gateways that is exploited by malicious attackers and allows the disclosure of information.