Attacks on VPN servers

Check Point has released hotfixes for a VPN zero-day vulnerability exploited in attacks to gain remote access to firewalls and attempt to breach corporate networks.

On Monday, the company first warned about a spike in attacks targeting VPN devices, sharing recommendations on how admins can protect their devices. Later, it discovered the source of the problem, a zero-day flaw that hackers exploited against its customers.

Tracked as CVE-2024-24919, the high-severity information disclosure vulnerability enables attackers to read certain information on internet-exposed Check Point Security Gateways with remote Access VPN or Mobile Access Software Blades enabled.

"The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled," reads an update on Check Point's previous advisory.

"The attempts we've seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication."

CVE-2024-24929 impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances, in the product versions: R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.

Check Point has released the following security updates to address the flaw:

  • Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x

To apply the update, head to the Security Gateway portal > Software Updates > Available Updates > Hotfix Updates, and click 'Install.'

The vendor says the process should take approximately 10 minutes, and a reboot is required.

Applying the update through the panel
Applying the update through the panel
Source: Check Point

After the hotfix is installed, login attempts using weak credentials and authentication methods will be automatically blocked, and a log will be created.

Blocked login attempt
Blocked login attempt
Source: Check Point

Hotfixes have been made available for end-of-life (EOL) versions, too, but they must be downloaded and applied manually.

Check Point created a FAQ page with additional information about CVE-2024-24919, IPS signature, and manual hotfix installation instructions.

Those unable to apply the update are advised to enhance their security stance by updating the Active Directory (AD) password that the Security Gateway uses for authentication.

Additionally, Check Point has created a remote access validation script that can be uploaded onto 'SmartConsole' and executed to review the results and take appropriate actions.

More information on updating the AD password and using the 'VPNcheck.sh' script are available on Check Point's security bulletin.

Related Articles:

Check Point VPN zero-day exploited in attacks since April 30

Black Basta ransomware gang linked to Windows zero-day attacks

Google Chrome emergency update fixes 6th zero-day exploited in 2024

Google fixes fifth Chrome zero-day exploited in attacks this year

Hackers exploit critical D-Link DIR-859 router flaw to steal passwords