Stay Protected Against VPN Information Disclosure (CVE-2024-24919)

Follow this video to upgrade the Check Point 1500 Spark appliance

Important Security Update – Stay Protected Against VPN Information Disclosure (CVE-2024-24919)

Updated: May 30, 2024

To maintain protection from CVE-2024-24919, it is crucial to install the latest update on Check Point Quantum and Spark gateways. Additionally, please implement the following security measures as recommended by Check Point:

1. Change the LDAP Account Unit password.
2. Reset passwords for local accounts that connect to the VPN using password authentication.
3. Disable password-only authentication for local accounts connecting to the VPN.
4. Renew the Security Gateway’s Outbound SSL Inspection CA certificate.
5. Renew the Security Gateway’s Inbound SSL Inspection server certificates.
6. Reset all Gaia OS admin, local user, and Expert mode passwords.

Updated: May 28, 2024

On May 27th, a solution was deployed to address attacks observed on a small number of customers’ VPN remote access networks. Following this, the root cause was identified, and a fix has been released. To ensure protection, it is imperative to install this fix on Check Point Quantum and Spark gateways.

The vulnerability, CVE-2024-24919, impacts Security Gateways with remote access VPN or mobile access blade enabled, potentially allowing attackers to access certain information on these Gateways. The fix developed by Check Point mitigates this vulnerability once applied.

So far, the observed attacks targeted remote access using old local accounts with password-only authentication. Check Point’s network remains unaffected.

For more details on this update, please refer to Check Point’s resources.

Ensuring customer security is a top priority. Ongoing investigations will continue, and further updates will be provided as needed. For additional assistance, please reach out to Check Point Support or your Check Point representative.

Original Post: May 27, 2024

In recent months, we’ve noticed a growing interest from malicious groups in exploiting remote-access VPN environments as entry points into enterprises. Attackers aim to access organizations via remote-access setups, targeting vulnerabilities to gain persistence on critical assets.

By May 24, 2024, Check Point identified several login attempts using outdated VPN local accounts with password-only authentication. Our Incident Response, Research, Technical Services, and Products teams thoroughly investigated these attempts and identified affected customers within 24 hours.

Password-only authentication is not recommended for robust security. To enhance VPN security, we recommend the following:

1. Review local accounts for usage and determine if they are necessary.
2. Disable unused local accounts.
3. Implement additional authentication layers (such as certificates) for local accounts that use password-only authentication.
4. Apply the Check Point solution to your Security Gateways to prevent unauthorized access by local accounts with password-only authentication.
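
Steps 1 to 3 above can be run as a repeatable triage over an inventory of local VPN accounts. The Python script below is an added example, not part of the original advisory and not Check Point tooling. The CSV columns, the 90-day idle threshold, and the function names are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. The column names are assumptions,
# not a Check Point export format.
SAMPLE_INVENTORY = """\
account,auth_methods,last_vpn_login
alice,password+certificate,2024-05-20
svc-backup,password,2021-03-02
bob,password,2024-05-22
old-contractor,password,
carol,certificate,2023-01-15
"""

STALE_AFTER_DAYS = 90  # assumed definition of "unused"; set per your own policy


def _rows(inventory_csv):
    """Yield (account, set of auth methods, last-login string) per CSV row."""
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        methods = {m.strip().lower() for m in row["auth_methods"].split("+") if m.strip()}
        yield row["account"], methods, row["last_vpn_login"].strip()


def triage(inventory_csv, today, stale_after_days=STALE_AFTER_DAYS):
    """Map each account to an action: disable, add-second-factor, or ok."""
    actions = {}
    for account, methods, last in _rows(inventory_csv):
        # An empty last-login field means the account was never used for VPN.
        idle = (today - date.fromisoformat(last)).days if last else None
        if idle is None or idle > stale_after_days:
            actions[account] = "disable"            # step 2: unused account
        elif methods == {"password"}:
            actions[account] = "add-second-factor"  # step 3: in use, password-only
        else:
            actions[account] = "ok"
    return actions


def password_only_accounts(inventory_csv):
    """Accounts matching the pattern seen in the observed login attempts."""
    return sorted(a for a, methods, _ in _rows(inventory_csv) if methods == {"password"})


if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY, date(2024, 5, 30)).items():
        print(f"{name:15} {action}")
    print("password-only:", ", ".join(password_only_accounts(SAMPLE_INVENTORY)))
```

Stale accounts are marked for disabling even when they already use a certificate, because step 2 applies to any unused local account regardless of its authentication method.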

For practical guidance on configuration monitoring and enhancing VPN security, please consult Check Point technical support or your local Check Point representative.

IPTHUB Cyber Security Inc