Technical Overview of CVE-2024-24919
CVE-2024-24919 is a high-severity information disclosure vulnerability affecting Check Point Security Gateways. The flaw resides within the web-facing components of the gateway, specifically those associated with the Mobile Access and Remote Access VPN blades. When exploited, an unauthenticated remote attacker can read arbitrary files from the underlying Gaia operating system, potentially leading to the extraction of sensitive data such as password hashes, configuration files, and private keys. The vulnerability is characterized by a path traversal flaw that occurs because the gateway improperly sanitizes user-supplied input in a POST request directed at specific internal endpoints.
The vulnerability is particularly critical for organizations utilizing "Password-only" authentication for their VPN or Mobile Access users. Because the attacker does not need to be authenticated to trigger the file read, the initial reconnaissance phase of an attack can yield administrative credentials that facilitate lateral movement into the protected internal network. Security researchers and incident responders have observed widespread exploitation attempts shortly after the vulnerability was disclosed in late May 2024.
Affected Products and Versions
The scope of CVE-2024-24919 is broad, covering several generations of Check Point hardware and software configurations. The vulnerability impacts gateways that have the Remote Access VPN or Mobile Access blades enabled. It is important to note that even if these blades are not actively used for user traffic, their mere activation on a publicly reachable interface creates an exploitation vector.
| Product Line | Affected Versions | Vulnerability Status |
|---|---|---|
| Quantum Maestro | R80.20, R80.30, R80.40, R81, R81.10, R81.20 | Vulnerable (Fix Available) |
| Quantum Scalable Chassis | R80.20, R80.30, R80.40, R81, R81.10, R81.20 | Vulnerable (Fix Available) |
| Quantum Security Gateways | R77.30, R80.10, R80.20, R80.30, R80.40, R81, R81.10, R81.20 | Vulnerable (Fix Available) |
| Quantum Spark Gateways | R77.20, R80.20, R81.10.x | Vulnerable (Fix Available) |
Mechanism of Exploitation
The exploitation of CVE-2024-24919 involves a simple HTTP POST request targeting the /clients/v2/catalog URI. This endpoint is part of the client-side cataloging mechanism used by the VPN software. The vulnerability is triggered when an attacker sends a specially crafted payload in the body of the POST request. The payload leverages path traversal sequences (e.g., ../../../../) to bypass the intended directory restrictions and access any file on the system that the web service process has permissions to read.
A typical proof-of-concept (PoC) request looks like the following:
```http
POST /clients/v2/catalog HTTP/1.1
Host: [Target_IP]
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

a/../../../../../../../../etc/shadow
```
In this example, the string a/../../../../../../../../etc/shadow is submitted in the POST body. The server-side logic fails to validate the presence of the traversal characters, resulting in the contents of /etc/shadow being returned in the HTTP response body. Since the cvpn or httpd processes on Gaia often run with elevated privileges or have access to system-level configuration files, the impact is severe. Security teams can leverage Zondex to identify publicly reachable Check Point gateways and assess whether their infrastructure is exposed to such unauthenticated requests across the internet.
Deep Dive: Target Files and Data Exfiltration
The primary objective for attackers exploiting CVE-2024-24919 is the acquisition of credentials. The Gaia operating system, based on a Linux kernel, stores local user information and password hashes in standard locations. However, Check Point gateways also store specific configuration databases that are highly valuable for an adversary.
- /etc/shadow: This file contains the salted SHA-512 hashes for local accounts, including the admin and monitor accounts. Attackers can attempt to crack these hashes offline to gain full SSH or WebUI access.
- /config/db/initial: This database often contains configuration parameters, including cleartext passwords or hashes for various system services and integrated accounts.
- /etc/passwd: Used to map UIDs to usernames, providing the attacker with a list of valid accounts to target.
- SSH Private Keys: Depending on the configuration, attackers may attempt to read files in /home/admin/.ssh/ or other service-specific directories.
The exposure of /etc/shadow is particularly dangerous because Check Point gateways are frequently deployed as the primary edge security device. If the admin account uses a weak password, the entire network perimeter can be compromised within minutes of the initial hash extraction. Performing regular scans with Secably helps identify missing hotfixes and ensures that these critical files remain protected from unauthenticated access.
Root Cause Analysis: Input Validation Failure
The vulnerability exists because the Check Point web engine does not properly enforce a chroot jail or strictly validate the path parameters passed via the POST body to the catalog endpoint. In a secure implementation, any path-like input should be normalized and checked against a whitelist of allowed directories. In the case of CVE-2024-24919, the software assumes that the input will always point to a legitimate catalog file within a specific subdirectory. By prepending the traversal sequence, an attacker forces the file-opening function to resolve to the root directory and then traverse to the target system file.
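To make the root-cause point concrete, the following Python contrasts the flawed resolution pattern described above with the normalize-then-allow-list check the paragraph recommends. This is an added illustration, not code from Check Point or from this article; the catalog root /opt/vpn/catalog and the function names are assumptions constructed for the example, since the real cvpn directory layout is not documented here.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed catalog directory; the real cvpn layout is not described on the page.
CATALOG_ROOT = "/opt/vpn/catalog"


def resolve_unchecked(user_path: str, root: str = CATALOG_ROOT) -> str:
    """The flawed pattern the section describes: the input is assumed to name a
    catalog file under root, so it is joined and handed to the file-open call.
    normpath collapses the '..' components, which is exactly how the traversal
    escapes the intended directory."""
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_checked(user_path: str, root: str = CATALOG_ROOT) -> Optional[str]:
    """Hardened pattern: decode once, normalise, then require the canonical
    result to sit inside the allow-listed root. Returns None for any input
    that escapes, instead of relying on a substring search for '..'."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        # A NUL byte would truncate the path at the C library boundary.
        return None
    # lstrip('/') stops an absolute input from discarding root inside join().
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment via commonpath; a plain startswith() would accept a sibling
    # directory such as /opt/vpn/catalog2 for a root of /opt/vpn/catalog.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    payload = "a/../../../../../../../../etc/shadow"  # the page's PoC body
    print("unchecked :", resolve_unchecked(payload))
    print("checked   :", resolve_checked(payload))
    print("legit     :", resolve_checked("catalog.xml"))
```

The containment test is done on the canonical path rather than on the raw input, so percent-encoded dot segments and absolute paths are handled by the same rule. In a real service the check would also resolve symbolic links (for example with os.path.realpath) once the file exists, which is omitted here so the example stays deterministic offline.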
This type of vulnerability is often introduced when legacy code is integrated with newer web-based management interfaces without a comprehensive security review of the input handling logic. The cvpn process, which handles Remote Access VPN requests, was found to be the specific component responsible for this lack of validation.
Detection and Log Analysis
Detecting exploitation of CVE-2024-24919 requires inspecting both network traffic and system logs. Because the exploit is a POST request, standard web server logs (which often only record the URL and status code) may not show the malicious payload unless body logging is enabled. However, there are several indicators of compromise (IoCs) that administrators can look for:
- Suspicious HTTP POST Requests: Look for POST requests to /clients/v2/catalog from unknown or unexpected IP addresses.
- Abnormal Log Entries in $FWDIR/log/vpnd.elg: Search for errors or unusual access patterns related to the catalog service.
- Audit Logs: Monitor /var/log/messages or /var/log/audit/audit.log for unexpected file access events, although this may require higher logging levels than are typically enabled by default.
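The first indicator in the list above can be turned into a simple triage script. The Python below is an added example, not tooling from Check Point or from this article: it parses constructed access-log lines in a combined-style layout with an extra quoted body field (an assumed format, not the layout of vpnd.elg), flags POST requests to /clients/v2/catalog from outside a trusted network list, and, where a body was logged, checks it for traversal sequences after percent-decoding.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample lines in a combined-style access-log layout with an extra
# quoted body field at the end. The layout is an assumption for this example;
# as the section notes, POST bodies are usually not logged unless enabled.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2024:10:01:12 +0000] "POST /clients/v2/catalog HTTP/1.1" 200 1843 "a/../../../../../../../../etc/shadow"
198.51.100.7 - - [30/May/2024:10:02:03 +0000] "GET /sslvpn/Login/Login HTTP/1.1" 200 512 "-"
203.0.113.10 - - [30/May/2024:10:02:40 +0000] "POST /clients/v2/catalog HTTP/1.1" 200 2210 "a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
192.0.2.50 - - [30/May/2024:10:03:15 +0000] "POST /clients/v2/catalog HTTP/1.1" 200 300 "-"
10.20.0.5 - - [30/May/2024:10:04:00 +0000] "POST /clients/v2/catalog HTTP/1.1" 200 300 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<body>[^"]*)"$'
)
# '..' as a whole path component, with either separator, checked after decoding.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
TARGET_PATH = "/clients/v2/catalog"


def _is_trusted(ip_text, trusted):
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(addr in net for net in trusted)


def flag_catalog_requests(log_text, trusted_networks):
    """Return one finding per POST to the catalog endpoint that either comes
    from outside trusted_networks or carries a traversal sequence in the body.
    Body inspection is best-effort: a '-' body means it was not logged."""
    trusted = [ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than fail
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        reasons = []
        if not _is_trusted(m["ip"], trusted):
            reasons.append("untrusted source")
        body = unquote(unquote(m["body"]))  # collapse single and double encoding
        traversal = m["body"] != "-" and TRAVERSAL_RE.search(body) is not None
        if traversal:
            reasons.append("traversal sequence in body")
        if reasons:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "severity": "high" if traversal else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in flag_catalog_requests(SAMPLE_LOG, ["10.20.0.0/16"]):
        print(f["severity"], f["ip"], f["ts"], ", ".join(f["reasons"]))
```

A POST to the endpoint from an untrusted address is reported at medium severity on its own, because legitimate clients also hit this path; a decoded body containing a `..` component raises the finding to high. When bodies are not logged, the source-address rule is the only one that fires, which is why the section recommends correlating with vpnd.elg and the audit logs.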
Researchers often use GProxy to verify the reachability of gateways from different geographic locations and test how their security controls respond to traversal attempts without revealing their own infrastructure's origin. This is a common practice when building signatures for Intrusion Detection Systems (IDS).
Remediation and Mitigation
Check Point released an emergency hotfix for all affected versions. The fix implements strict validation on the /clients/v2/catalog endpoint, preventing the interpretation of path traversal sequences. The hotfix is deployed via the Check Point Upgrade Service Engine (CPUSE) or can be manually installed as a wrapper.
In addition to applying the hotfix, Check Point recommends the following security hardening measures:
- Disable Password-only Authentication: Move toward Multi-Factor Authentication (MFA) or certificate-based authentication for all VPN access. This mitigates the impact if a password hash is stolen.
- Restrict Access: Use Firewall rules to restrict access to the VPN and Mobile Access portals to known IP ranges where possible.
- Audit Local Accounts: Change passwords for all local accounts (especially admin) after the hotfix is applied, as the hashes may have already been compromised.
- Check for Local Users: Ensure that no unauthorized local accounts have been created on the Gaia OS.
Technical Verification of the Fix
After applying the hotfix, the gateway's behavior changes when receiving a traversal payload. Instead of returning the file content, the server will return an error code (typically HTTP 403 Forbidden or HTTP 404 Not Found) or a generic response that does not contain sensitive data. Security practitioners should verify this behavior by attempting the PoC request in a controlled environment to ensure the patch is functioning as intended.
The patch essentially introduces a check within the cvpn binary that looks for the .. sequence and prevents the file system call from proceeding if such characters are detected in the input stream. This is a targeted fix for the specific endpoint, underscoring the importance of defense-in-depth strategies to catch similar vulnerabilities in other less-traversed endpoints.