New VPN vulnerability (not the same as yesterday!) CVE-2024-24919/sk182336

edit: It’s not new since yesterday, they’re just updated with an actual CVE and more info.

Looks like there’s another the same issue with Remote Access.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24919

Information disclosure issue - https://support.checkpoint.com/results/sk/sk182336

The Check Point Research Division CP discovered a vulnerability in Security Gateways with remote access VPN or mobile access blade enabled (CVE-2024-24919). The vulnerability potentially allows an attacker to read certain information on Gateways once connected to the Internet and enabled with Remote Access VPN or Mobile Access. The attempts we have seen so far, in line with what we alerted to our customers on May 27th, are focusing on remote access on old local accounts with unrecommended password-only authentication.

It seems there is more to this vulnerability than Check Point first released. Here is a walk-through reversing the patch: https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/

Not new, it is the same vulnerability, exactly the same that 4viper mentioned two days ago.

CVE only means that the vendor actually got to the bottom of it, identified the root problem, and, in this case, issued a definitive fix.

All details are available here: https://community.checkpoint.com/t5/General-Topics/Important-security-update-stay-protected-against-VPN-Information/m-p/215494#M35592

Planning on patching tonight. I don’t use local accounts, but it looks like there is more to it.

Is anyone else seeing “The page you requested is currently down for maintenance” when trying to download the patch? Anyone know what’s up with that?

Oh shit…

I was suspecting that it was something to do with gaining access to the locally stored LDAP service account hash, but that’s way worse!

Yeah, I realised that after I looked at today’s date :slight_smile:

To be fair I also read the initial Checkpoint advisory on the 27th when it was just about weak local passwords and today read it again now they have also come across whatever the information disclosure issue is that they have found as well.

Yeah, the initial advisory on the 27th was just about weak local accounts, which you could mitigate by deleting local accounts and/or disabling legacy auth.

Then they updated it on the 28th to show that there was also an issue with information disclosure which is separate from the local account issue and the only mitigation is to disable Mobile Access and IPSec or only Mobile Access and disable all Remote Access clients or apply the patch.

It’s available again. However, the CVE fix is in a different SK, https://support.checkpoint.com/results/sk/sk182337

One mentioned above was issued before CVE was created

Looks like the checkpoint site is being hammered to fuck.

At least they release the HF for take 26! I’m a little behind on my jumbos!

182336 is “Preventative Hotfix for CVE-2024-24919”, 182337 is “FAQ for CVE-2024-24919” which also contains links for the hotfix but also extended information about timeline of discoveries etc.

Potato/potato though really :slight_smile:

So, do you want to fix your subject then? It still writes “not the same as yesterday”, which is erroneous.

No because you can’t edit titles.