Critical Path Traversal Vulnerability in Check Point Security Gateways (CVE-2024-24919)

Overview

The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild information disclosure vulnerability affecting the Check Point Security Gateways. Identified as CVE-2024-24919 and given a CVSSv3 score of 8.6, the vulnerability is more severe than it initially appears. While labeled as a sensitive information disclosure vulnerability, it is actually a path traversal attack leading to an arbitrary read, allowing an attacker to read any file on the system. A proof of concept is publicly available on GitHub. To be vulnerable, the gateway needs to have Remote Access VPN or Mobile Access Software Blades enabled. Check Point has made a patch available, and it is advisable to update immediately.

Technical Overview

The flaw is a path traversal bug in the “/clients/MyCRL” endpoint, which can be exploited via manipulated POST requests containing the string “CSHELL/” somewhere in the request. Because the handler locates that string with the “strstr” function and performs no sanitization or validation of the user-supplied path that follows it, an attacker can include path traversal sequences such as “../” in the POST request (Figure 1). This ultimately allows access to sensitive files like /etc/shadow, which contains the password hashes for the system. For our analysis, we used version R80.

Figure 1: Vulnerable Code

To trigger and exploit this vulnerability, an attacker must send a POST request containing the string “CSHELL/” and include a path traversal sequence like “../”. This can be done in Python, as shown in the publicly available PoC and Figure 2 below, where “path” is the file the attacker wants access to.

Figure 2: Creating a POST request to obtain sensitive information

Leveraging this code, we can demonstrate dumping the gateway’s “/etc/shadow” file to obtain the system’s hashed credentials, as seen in Figure 3. An attacker can then attempt to crack these hashes to obtain administrative access to the firewall. The attack is not limited to this file: any file on the system can be read. Note that this is being done against the WAN interface, showing that it is accessible over the Internet.

Figure 3: Dumping Hashed Credentials
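For defenders reviewing gateway or reverse-proxy access logs, the request pattern described above can be checked mechanically. The following is an added example (not SonicWall's signature logic or Check Point's code) that flags POST requests to /clients/MyCRL whose body contains “CSHELL/” followed by a traversal sequence; the sample request records are constructed, and the percent-decoding step is an assumption added to catch encoded variants of “../”.

```python
import re
from urllib.parse import unquote

# Constructed sample request records as (method, path, body); not real captures.
SAMPLE_REQUESTS = [
    ("POST", "/clients/MyCRL", "aCSHELL/../../../../etc/shadow"),      # plain traversal
    ("POST", "/clients/MyCRL", "aCSHELL/..%2f..%2f..%2fetc%2fpasswd"),  # percent-encoded slashes
    ("POST", "/clients/MyCRL", "aCSHELL/cert.crl"),                     # benign-looking request
    ("GET",  "/clients/MyCRL", "CSHELL/../etc/shadow"),                 # not a POST (advisory describes POST)
    ("POST", "/login",         "user=admin&pass=x"),                    # unrelated endpoint
]

# A ".." segment bounded by a slash, backslash, or string edge.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def normalize(text):
    """Percent-decode up to twice (assumption: double encoding) and unify separators."""
    current = text
    for _ in range(2):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_suspicious(method, path, body):
    """True when a request matches the advisory's description of the exploit shape."""
    if method != "POST" or not path.startswith("/clients/MyCRL"):
        return False
    payload = normalize(body)
    return "CSHELL/" in payload and TRAVERSAL.search(payload) is not None


def scan(requests):
    """Return the indexes of requests that should be escalated for investigation."""
    return [i for i, record in enumerate(requests) if is_suspicious(*record)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_REQUESTS):
        print("suspicious:", SAMPLE_REQUESTS[idx])
```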

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4440 Check Point Security Gateway Path Traversal

Remediation Recommendations

Check Point’s gateway users are advised to apply the hotfix found in the advisory immediately. Check Point has labeled this a mandatory patch to express the criticality of the fix.

Relevant Links
