Check Point releases emergency fix for VPN zero-day

Patches actively exploited flaw

Check Point releases emergency fix for zero-day in its VPN products


Check Point has released emergency hotfixes to address a critical vulnerability in its VPN products that attackers were actively exploiting.

The vulnerability, tracked as CVE-2024-24919, is a zero-day flaw that allows attackers to steal sensitive information from internet-connected Check Point Network Security Gateways.

These gateways are often used by businesses to enable secure remote access for employees.

Check Point first noticed the VPN-targeted attacks on May 24th and confirmed on Tuesday that a "small number" of known customers were impacted.

The company says it quickly investigated the issue and identified the zero-day vulnerability in its products.

The flaw primarily affects devices with Remote Access VPN (RAVPN) or Mobile Access Software Blades enabled.

Attackers could potentially use this flaw to gain a foothold in a corporate network by reading information from the compromised firewall.

"The attempts we've seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication," Check Point noted in an advisory update.

Several Check Point products are vulnerable, including CloudGuard Network, Quantum Security Gateways and various Quantum Appliance models. Notably, both current and end-of-life versions are affected.

Check Point has issued the following security updates to fix the flaw:

The hotfixes address the vulnerability and automatically block login attempts using weak credentials.

Check Point has also provided hotfixes for End-of-Life (EOL) product versions, but these require manual installation.

Check Point urges users to install the available hotfixes and verify if local VPN accounts are active.

If local accounts are in use, Check Point recommends adding multi-factor authentication beyond just passwords for enhanced security. Disabling them altogether is advised if they're not necessary.

"Password-only authentication is considered an unfavourable method to ensure the highest levels of security," Check Point notes in its advisory.

Notably, VPN vulnerabilities have been a frequent target for attackers in recent months.

In January, vulnerabilities in Ivanti's VPN products were widely exploited.

Last month, Cisco warned about credential stuffing attacks aimed at VPNs and SSH services across various vendors, including Check Point itself.

Cisco also disclosed a separate cyberespionage campaign dubbed ArcaneDoor. In this campaign, a state-backed hacking group (UAT4356, also known as STORM-1849) exploited zero-day vulnerabilities in Cisco firewalls to breach government networks worldwide.

Also last month, researchers from Mandiant said they had identified multiple China-linked hacker groups exploiting security vulnerabilities in Ivanti appliances to gain unauthorised access to targeted networks.

Among the identified threat groups, Mandiant highlighted UNC5291, which it assessed with medium confidence to be associated with Volt Typhoon, focusing primarily on the US energy and defence sectors.