Check Point's 'Best Security' Slogan Meets Reality: CVE-2024-24919
The technical details and real-world exploitation of CVE-2024-24919 highlight the critical nature of this vulnerability and the importance of prompt remediation to protect against potential data breaches and network compromises.
Vulnerability Description
📌CVE-2024-24919 is an information disclosure vulnerability that allows an unauthenticated remote attacker to read the contents of arbitrary files on the affected appliance.
📌It is categorized as an "Exposure of Sensitive Information to an Unauthorized Actor" vulnerability.
📌The vulnerability affects systems with the Remote Access VPN or Mobile Access software blades enabled.
Affected Products
📌CloudGuard Network
📌Quantum Maestro
📌Quantum Scalable Chassis
📌Quantum Security Gateways
📌Quantum Spark Appliances
Exploitation Details
📌The vulnerability can be exploited by sending a crafted request to the /clients/MyCRL endpoint, which is designed to serve static files from the filesystem.
📌By including path traversal sequences like ../../etc/passwd in the request body, an attacker can read sensitive files like /etc/shadow to obtain password hashes.
📌The vulnerability allows reading any file on the system, not just specific files mentioned by the vendor.
Proof-of-Concept (PoC)
📌Security researchers have published a public PoC exploit for CVE-2024-24919, providing technical details on how to exploit the vulnerability.
📌The PoC demonstrates the ability to read arbitrary files, including extracting password hashes and other sensitive information.
Observed Exploitation
📌Check Point has observed active exploitation of this vulnerability in the wild since early April 2024.
📌Threat actors have been leveraging the vulnerability to extract password hashes, move laterally within networks, and compromise Active Directory servers by extracting the ntds.dit file.
Understanding the Decompiled Code
Initial Analysis:
📌The vulnerable code performs file I/O operations, indicated by references to functions like _fopen and _fread.
📌The code compares the requested URL with a list of hardcoded strings from a string table to determine if the file can be served.
String Comparison Bug:
📌The code uses the strstr function to check if the requested URL contains any of the strings from the table. This function searches for a substring rather than performing a strict comparison.
📌This allows for potential abuse by including a valid substring within a path traversal sequence, such as icsweb.cab/../../etc/passwd.
Path Traversal Exploitation:
📌The initial attempts to exploit the path traversal by including sequences like ../../etc/passwd in the URL failed because the OS correctly identified the path as invalid.
📌A second string table was found, containing entries that suggested directory paths, such as CSHELL/.
Successful Exploitation:
📌By crafting a request that included the directory string CSHELL/ followed by a path traversal sequence, the researchers were able to bypass the checks.
📌The successful request was:
POST /clients/MyCRL HTTP/1.1Host: <redacted>Content-Length: 39aCSHELL/../../../../../../../etc/shadow
📌This request returned the contents of the /etc/shadow file, confirming an arbitrary file read vulnerability.
Implications:
📌The ability to read the /etc/shadow file indicates that the attacker has superuser privileges, allowing them to read any file on the filesystem.
📌This is more severe than the vendor's advisory, which suggested limited information exposure.
