Effective URL: https://support.checkpoint.com/results/sk/sk182336?mkt_tok=NzUwLURRSC01MjgAAAGTX8pAEwA9sDvhxX_Zw2BHMpLvY9eJLtIWUIiHN6_GXbuhQdsr...
Submission: On June 03 via manual from CZ — Scanned from DE
Solution ID: sk182336
Technical Level: Basic

PREVENTATIVE HOTFIX FOR CVE-2024-24919 - QUANTUM GATEWAY INFORMATION DISCLOSURE

Please read this important update from Check Point.

Security Alert: High
Product: CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Spark Appliances
Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20
Last Modified: 2024-06-02

SOLUTION

Following our security update on May 27, 2024, Check Point's dedicated task force continues investigating attempts to gain unauthorized access to VPN products used by our customers.

On May 28, 2024, we discovered a vulnerability in Security Gateways with IPsec VPN in the Remote Access VPN community and in the Mobile Access Software Blade (CVE-2024-24919). Exploiting this vulnerability can result in access to sensitive information on the Security Gateway. In certain scenarios this can let the attacker move laterally and gain domain admin privileges.

If you need any additional assistance, contact Check Point Support or your local Check Point representative.

Table of Contents
* Install Jumbo Hotfix Accumulator to fix CVE-2024-24919
* Security Gateway Hotfix to prevent exploit of CVE-2024-24919
* Important extra measures
* Additional Frequently Asked Questions
* Article Revision History

INSTALL JUMBO HOTFIX ACCUMULATOR TO FIX CVE-2024-24919

This problem was fixed. The fix is included in these Jumbo Hotfix Accumulators:

Version | Take #
R81.20 Jumbo Hotfix Accumulator | Coming soon
R81.10 Jumbo Hotfix Accumulator | Latest Take 150
R81 Jumbo Hotfix Accumulator | Coming soon

If you do not wish to install the Jumbo Hotfix Accumulator, the following hotfix is available.

SECURITY GATEWAY HOTFIX TO PREVENT EXPLOIT OF CVE-2024-24919

Perform this step on ANY Security Gateway and Cluster that has EITHER of the following setups:
* The IPsec VPN Software Blade is enabled, but ONLY when the gateway is included in the Remote Access VPN community.
* The Mobile Access Software Blade is enabled.

For online Security Gateways and Cluster Members, the Hotfix is available in CPUSE. To obtain the Hotfix:

1. With a web browser, connect to the Gaia Portal on the Security Gateway and on each Cluster Member.
2. Install the hotfix package:
   CPUSE, default view:
   1. Go to Upgrades (CPUSE) > Status and Actions.
   2. In the top right corner, click Check For Updates.
   3. In the Hotfixes section, right-click the hotfix package "Hotfix for CVE-2024-24919" and click Install Update.
   CPUSE, New Experience view:
   1. Go to Software Updates > Available Updates.
   2. In the top right corner, click Check for updates.
   3. In the Hotfix Updates section, in the "Hotfix for CVE-2024-24919" row, click Install.
   The process should take 5 to 10 minutes to complete, after which a confirmation window appears.
3. Reboot the Security Gateway / Cluster Member.

PROCEDURE FOR CUSTOMERS USING CCCD - AN ADVANCED VPN FEATURE IN R81.10 / R81.20

R81.10 introduced a new feature to improve VPN performance: CCCD. This feature is disabled by default and is used by a very small number of Security Gateways globally. Customers who use CCCD must disable this functionality for the Hotfix to be effective. Follow these steps to check the current CCCD state and disable it:

1. Log in to the command line (Expert mode) on the Security Gateway and on each Cluster Member.
2. Run the command: vpn cccd status
   The expected output is: vpn: 'cccd' is disabled.
   If the output differs, permanently disable the CCCD process by running the command: vpn cccd disable
   Note: This change survives a Security Gateway reboot.

PROCEDURE TO IDENTIFY VULNERABLE SECURITY GATEWAYS

Use this procedure to run the script that scans all the Security Gateways and Cluster Members configured in your Security Management Server or Domain Management Server. The script lists the Security Gateways / Clusters that have the IPsec VPN, Remote Access VPN, or Mobile Access blade enabled. The recommended action is to install the Security Gateway Hotfix. The script does not check whether the Hotfix is installed.

Important Note: To run a script from SmartConsole, the permission profile of a Management administrator must have these permissions on the Gateways page, in the Scripts section:
1. Run Repository Script
2. Manage Repository Scripts

Procedure:
1. Download the archive check-for-CVE-2024-24919-v2.zip to your computer.
2. Extract the check-for-CVE-2024-24919.sh script file from the archive to a local directory.
3. Connect with SmartConsole to your Security Management Server (on a Multi-Domain Server, connect to any Domain Management Server).
4. From the left navigation panel, go to the Gateways & Servers view.
5. Click the Security Management Server object (not a Security Gateway).
6. From the top toolbar, click Scripts > Scripts Repository. The Script Repository window opens.
7. Add the downloaded script to the repository:
   1. From the top toolbar, click New.
   2. In the Name field, paste: Check for CVE-2024-24919
   3. Optional: In the Comment field, paste: Check my gateways for CVE-2024-24919 (sk182336)
   4. Click Load from file > select the script file (check-for-CVE-2024-24919.sh).
   5. Wait for the script content to appear.
   6. Click OK.
8. Run the script:
   1. In the Script Repository window, select the newly added script.
   2. From the top toolbar, click Run.
   3. The Run 'Check for CVE-2024-24919' On '<Name of Management Server>' window opens.
      Note for Multi-Domain Management: By default, the script scans all Domain Management Servers (Domains) on the current Multi-Domain Server (MDS), both Active and Standby. If some Domain Management Servers do not exist on the current Multi-Domain Server, make sure to run the script on the additional Multi-Domain Servers as well. The ability to scan multiple Domains, regardless of which Domain the administrator is currently connected to, leverages the strong Run-Script permissions of an administrator that can access all Domains; it is meant to simplify scanning all Domains on the Multi-Domain Server. To restrict the script to a specific Domain, enter the Domain Name in the Arguments field.
   4. Click Run.
   5. Close the Script Repository window.
   6. Wait a few seconds for the script to complete (see the SmartConsole bottom-left corner).
9. Get the script results:
   1. In the SmartConsole bottom-left corner, click the Task Monitoring pane > in the completed script task Run Repository Script, click Details.
   2. The Run Repository Script window opens. If the result is long, then in the Results section, click the Show results link.
   Example result:
      ALERT: Number of vulnerable Remote Access gateway(s) identified: 1
      Recommendation: Install Hotfix to mitigate CVE-2024-24919 according to sk182336.
      - Perimiter-Gateway
10. Install the recommended hotfix on the vulnerable Security Gateways and Cluster Members:
   * On online Security Gateways / Cluster Members, the hotfix appears in Gaia Portal and Gaia Clish.
   * For offline Security Gateways / Cluster Members, refer to the summary table with manual downloads.
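The exposure condition stated above (IPsec VPN blade enabled AND the gateway participates in a Remote Access VPN community, OR Mobile Access blade enabled) is the decision that both the hotfix section and the scan script turn on. The Python below is an added example, not Check Point's check-for-CVE-2024-24919.sh (whose internals this article does not show): it applies that condition to a constructed gateway inventory and folds in two further points from this article, that End-of-Support versions should be upgraded or have Remote Access / Mobile Access removed rather than hotfixed, and that CCCD must be disabled on R81.10 / R81.20 for the hotfix to be effective. The Gateway record shape (fields blades, remote_access_communities, version, cccd_enabled) and the sample gateway names are assumptions made for the example, not the management API's schema.

```python
"""Apply the sk182336 exposure condition to a gateway inventory.

Added example. The Gateway record shape (blades, remote_access_communities,
version, cccd_enabled) is an assumption for this script; it is NOT the schema
of the Check Point management API or of check-for-CVE-2024-24919.sh.
"""
from dataclasses import dataclass, field

# Versions the article marks (EOL): the hotfix route is not offered for them.
EOL_VERSIONS = {"R77.20", "R77.30", "R80.10", "R80.20", "R80.20SP",
                "R80.30", "R80.30SP", "R80.40"}
# Releases in which CCCD exists and must be off for the hotfix to be effective.
CCCD_RELEASES = ("R81.10", "R81.20")

ACTION_NONE = "not exposed"
ACTION_HOTFIX = "install Hotfix for CVE-2024-24919"
ACTION_HOTFIX_CCCD = ACTION_HOTFIX + " and run 'vpn cccd disable' first"
ACTION_EOL = ("End-of-Support: upgrade and hotfix, or remove Mobile Access "
              "and leave the Remote Access VPN communities")


@dataclass
class Gateway:
    name: str
    version: str
    blades: set                       # e.g. {"ipsec-vpn", "mobile-access"}
    remote_access_communities: set = field(default_factory=set)
    cccd_enabled: bool = False        # what 'vpn cccd status' reported


def is_exposed(gw: Gateway) -> bool:
    """Exposure rule from the article: IPsec VPN blade enabled AND the gateway
    is in a Remote Access VPN community, OR the Mobile Access blade is enabled.
    A gateway using IPsec VPN only for site-to-site tunnels is not covered."""
    ra_vpn = "ipsec-vpn" in gw.blades and bool(gw.remote_access_communities)
    return ra_vpn or "mobile-access" in gw.blades


def recommendation(gw: Gateway) -> str:
    """Map a gateway to the action the article prescribes for it."""
    if not is_exposed(gw):
        return ACTION_NONE
    if gw.version in EOL_VERSIONS:
        return ACTION_EOL
    if gw.version.startswith(CCCD_RELEASES) and gw.cccd_enabled:
        return ACTION_HOTFIX_CCCD
    return ACTION_HOTFIX


def triage(inventory):
    """Return (name, action) for every exposed gateway, in inventory order."""
    return [(gw.name, recommendation(gw)) for gw in inventory if is_exposed(gw)]


# Constructed inventory; names and settings are invented for the example.
SAMPLE_INVENTORY = [
    Gateway("Perimeter-GW", "R81.20", {"ipsec-vpn", "ips"}, {"RemoteAccess"}),
    Gateway("DC-S2S-GW", "R81.10", {"ipsec-vpn"}),          # site-to-site only
    Gateway("Portal-GW", "R81.10", {"mobile-access"}, cccd_enabled=True),
    Gateway("Legacy-GW", "R80.30", {"ipsec-vpn", "mobile-access"}, {"RemoteAccess"}),
    Gateway("Mgmt-Only-GW", "R81.20", {"ips", "anti-bot"}),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_INVENTORY)
    print(f"ALERT: Number of vulnerable Remote Access gateway(s) identified: {len(hits)}")
    for name, action in hits:
        print(f"  - {name}: {action}")
```

Note that a gateway whose IPsec VPN blade serves only site-to-site tunnels (DC-S2S-GW above) is deliberately not reported, matching the "ONLY when included in the Remote Access VPN community" wording; if you are unsure which communities a gateway belongs to, treat it as exposed and install the hotfix anyway, since the hotfix is harmless on a gateway that does not need it.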
The Security Gateway Hotfix is also available for manual download from this table (the original article provides a download link for each entry):

Quantum Security Gateway
* R81.20 Jumbo Hotfix Accumulator Take 54 (TAR)
* R81.20 Jumbo Hotfix Accumulator Take 53 (TAR)
* R81.20 Jumbo Hotfix Accumulator Take 41 (TAR)
* R81.20 Jumbo Hotfix Accumulator Take 26 (TAR)
* R81.10 Jumbo Hotfix Accumulator Take 141 (TAR)
* R81.10 Jumbo Hotfix Accumulator Take 139 (TAR)
* R81.10 Jumbo Hotfix Accumulator Take 130 (TAR)
* R81.10 Jumbo Hotfix Accumulator Take 110 (TAR)
* R81 Jumbo Hotfix Accumulator Take 92 (TAR)
* R80.40 Jumbo Hotfix Accumulator Take 211 (TGZ)
* R80.40 Jumbo Hotfix Accumulator Take 206 (TGZ)
* R80.40 Jumbo Hotfix Accumulator Take 198 (TGZ)
* R80.40 Jumbo Hotfix Accumulator Take 197 (TGZ)
* R80.30 Kernel 2.6 Jumbo Hotfix Accumulator Take 255 (TGZ)
* R80.30 Kernel 3.10 Jumbo Hotfix Accumulator Take 255 (TGZ)
* R80.20 Jumbo Hotfix Accumulator Take 230 (TGZ)
* R80.10 Jumbo Hotfix Accumulator Take 298 (TGZ)

Quantum Maestro and Quantum Scalable Chassis
* R80.30SP Jumbo Hotfix Accumulator Take 97 (TGZ)
* R80.20SP Jumbo Hotfix Accumulator Take 336 (TGZ)

Quantum Spark Appliances
* See sk182357: Preventative Hotfix for CVE-2024-24919 - Quantum Spark Gateways

For manual hotfix installation instructions on Quantum Security Gateways, see sk168597 - How to install a Hotfix.

AUTOMATIC INTERIM PREVENTATIVE MEASURE DEPLOYED THROUGH THE AUTOUPDATER UTILITY

Customers subscribed to Check Point's Auto Update process are gradually receiving an update (as of June 2, 2024) that helps protect them from various attempts to exploit the CVE. This is an interim preventative measure until the Hotfix is fully installed on customers' Security Gateways. Installing the Hotfix remains the best way to stay protected from this vulnerability.

IMPORTANT EXTRA MEASURES

1. Change the password of the LDAP Account Unit

If a Security Gateway / Cluster is configured to use an LDAP Account Unit, we recommend changing the password of the LDAP account. Instructions:
1. Change the password of the Security Gateway's account in Active Directory (refer to the relevant Microsoft documentation).
2. In SmartConsole, open the Object Explorer (press CTRL+E) > Users/Identities > LDAP Account Units.
3. Right-click the LDAP Account Unit and click Edit.
4. The LDAP Account Unit Properties window opens. In the Servers tab, click Edit.
5. The LDAP Server Properties window opens.
6. Change the password and click OK.
7. Install the Access Control policy.

2. Reset the password of local accounts connecting to Remote Access VPN with password-only authentication

1. In SmartConsole, open the Object Explorer (press CTRL+E) > VPN Communities > Remote Access.
2. In the Participant User Group pane, select the relevant User group.
3. In the User Group properties, edit the relevant User.
4. In the User properties window, go to the Authentication page and, for Check Point Password, click Set new password.
5. Click OK.
6. Repeat this procedure for EVERY User with the 'Check Point Password' authentication in ALL User Groups in ALL Remote Access VPN Communities.

3. Prevent local accounts from connecting to VPN with password-only authentication

We recommend not using local accounts that authenticate Remote Access VPN users with a password only. This section provides mitigation steps to discover such accounts and prevent them from logging into the VPN.

Important Note: To run a script from SmartConsole, the permission profile of a Management administrator must have these permissions on the Gateways page, in the Scripts section:
1. Run Repository Script
2. Manage Repository Scripts

Procedure:
1. Download the archive check-for-local-users-with-password-only-authentication-v5.zip to your computer.
2. Extract the check-for-local-users-with-password-only-authentication.sh script file from the archive to a local directory.
3. Connect with SmartConsole to your Security Management Server (on a Multi-Domain Server, connect to any Domain Management Server).
4. From the left navigation panel, go to the Gateways & Servers view.
5. Click the Security Management Server object.
6. From the top toolbar, click Scripts > Scripts Repository. The Script Repository window opens.
7. Add the downloaded script to the repository:
   1. From the top toolbar, click New.
   2. In the Name field, paste: Check for local users with password-only authentication
   3. Optional: In the Comment field, paste: sk182336
   4. Click Load from file > select the script file check-for-local-users-with-password-only-authentication.sh.
   5. Wait for the script content to appear.
   6. Click OK.
8. Run the script:
   1. In the Script Repository window, select the newly added script.
   2. From the top toolbar, click Run.
   3. The Run 'Check for local users with password-only authentication' On '<Name of Management Server>' window opens.
      Note for Multi-Domain Management: By default, the script scans all Domain Management Servers (Domains) on the current Multi-Domain Server (MDS), both Active and Standby. If some Domain Management Servers do not exist on the current Multi-Domain Server, make sure to run the script on the additional Multi-Domain Servers as well. The ability to scan multiple Domains, regardless of which Domain the administrator is currently connected to, leverages the strong Run-Script permissions of an administrator that can access all Domains; it is meant to simplify scanning all Domains on the Multi-Domain Server. To restrict the script to a specific Domain, enter the Domain Name in the Arguments field.
   4. Click Run.
   5. Close the Script Repository window.
   6. Wait a few seconds for the script to complete (see the SmartConsole bottom-left corner).
9. Get the script result:
   1. In the SmartConsole bottom-left corner, click the Task Monitoring pane > in the completed script task Run Repository Script, click Details.
   2. The Run Repository Script window opens.
   3. In the Results section, click the Show results link.
10. Analyze the script result:
   * If the result is "No Local accounts with Password Authentication method found. No further action required", no further action is required.
   * If the result is "ALERT: the script identified Local Accounts with Password Authentication method. Install Security Gateway Hotfix to prevent from such accounts to log-in, delete accounts or strengthen their authentication method", proceed to the next step to install the recommended Security Gateway Hotfix.
11. Install the Hotfix to block local accounts with password-only authentication.
   Do this step if the script result above shows the "ALERT: the script identified Local Accounts with Password Authentication method" message.
   The update is delivered as a Security Gateway Hotfix that enhances the overall security of the product by blocking local accounts that use "Check Point Password" as the only authentication method. After the hotfix installation, local user accounts configured with the password-only authentication method can no longer authenticate to Remote Access VPN.

Available Hotfixes

On online Security Gateways and Cluster Members, the Hotfix is available in CPUSE. To obtain the Hotfix, go to Gaia Portal on the Security Gateway and on each Cluster Member > Software Updates > Available Updates > Hotfix Updates > click Install > reboot.
This Hotfix is also available for manual download from this table: Hotfix on top Download link R81.20 with Jumbo Hotfix Accumulator Take 53 (TAR) R81.10 with Jumbo Hotfix Accumulator Take 139 (TAR) R81 with Jumbo Hotfix Accumulator Take 92 Contact Check Point Support R80.40 with Jumbo Hotfix Accumulator Take 211 Contact Check Point Support For the hotfix manual installation instructions, see: sk168597 - How to install a Hotfix. Usage This Hotfix adds a new command blockSFAInternalUsers on the Security Gateway that allows to block or grant access to internal users with password-only authentication. Default value: "-b" (block internal users from connecting with password-only authentication). Syntax: blockSFAInternalUsers [flags] * -s - show current status * -a - allow internal users to connect with password-only authentication * -b - block internal users from connecting with password-only authentication Note: In a Cluster / Maestro / Chassis environment, you must run the command on each member separately. Verification Test After installing this Hotfix, users who attempt to connect using the password-only authentication method will receive this security log: If you need a Hotfix for another Jumbo Hotfix Accumulator Take, contact Check Point Support. 4. Renew the server certificates for the Inbound HTTPS Inspection on the Security Gateway Motivation: Certificates used for Inbound HTTPS Inspection are stored on the Security Gateway, including the private key. See the R81.20 Threat Prevention Administration Guide for more information. You should renew any certificate stored on the Security Gateway. "Renew" in this context means: generating a new certificate with a new key pair and revoking the old certificate, making sure this old certificate is listed in the CRL. 1. Get the new server certificate in the P12 format. 2. Import the new server certificate: 1. Connect with SmartConsole to the Security Management Server / Domain Management Server. 2. 
From the left navigation panel, click Manage & Settings. 3. In the top panel, click Blades. 4. In the HTTPS Inspection section, click Configure in SmartDashboard. 5. In the top left panel, click Server Certificates. 6. Select the new server certificate file. 7. From the top toolbar, click Add > enter the required information > select the server certificate file > click OK. 8. Save the changes - in the top left corner, click the diskette icon (or press CTRL + S). 9. Close SmartDashboard. 3. In the HTTPS Inspection policy (used for the inbound inspection), replace the old inbound certificate with the new certificate (the one you just imported). 4. Install the Access Control policy. 5. Delete the old certificate that is potentially compromised: 1. From the left navigation panel, click Manage & Settings. 2. In the top panel, click Blades. 3. In the HTTPS Inspection section, click Configure in SmartDashboard. 4. In the top left panel, click Server Certificates. 5. Select and delete each old certificate file. 6. Save the changes - in the top left corner, click the diskette icon (or press CTRL + S). 7. Close SmartDashboard. 6. Install the Access Control policy again. 5. Renew the certificate for the Outbound HTTPS Inspection on the Security Gateway Motivation: Outbound inspection of TLS traffic is based on a certificate stored on the Security Gateway. The certificate and related keying material might have been compromised in the context of CVE-2024-24919. Client computers sending traffic through the Security Gateway trust this certificate (it is imported into their operating system's Trusted Certificate Store). Note: All Security Gateways configured for outbound HTTPS Inspection managed by the same Security Management Server / Domain Management Server share the same certificate and key pair. 
If you use an outbound certificate generated on the Management Server (in the R81.20 Threat Prevention Administration Guide, see the "Creating an Outbound CA Certificate" section), follow the steps below to renew this certificate. 1. Connect with SmartConsole to the Security Management Server / Domain Management Server. 2. From the left navigation panel, click Manage & Settings. 3. In the top panel, click Blades. 4. In the HTTPS Inspection section, click Configure in SmartDashboard. 5. In the top left panel, click Gateways. 6. At the bottom, in the CA Certificate section, click Renew Certificate. 7. Configure the new settings > click OK. 8. Close SmartDashboard. 9. Install the Access Control policy. 10. Distribute this new certificate to all client computers using the Security Gateway for their outbound traffic. This step is required, as the certificate generated on the Management Server is a "self-signed" certificate (as you can see below, "Issued to" and "issued by" fields are identical). 11. Configure client computers to remove the old HTTPS outbound certificate from their Trusted Certificate Store. 12. If you use an Enterprise CA for generating an outbound HTTPS certificate (in the R81.20 Threat Prevention Administration Guide, see the "Importing an Outbound CA Certificate" section), follow the steps indicated in the Administration Guide to renew the outbound CA certificate with a new key pair. After you install the new Outbound CA certificate, revoke the old certificate. 6. Reset Gaia OS passwords for all local users 1. Reset the passwords for Gaia OS local users You can reset a local user password in Gaia Portal or in Gaia Clish. To reset the password for a Gaia OS local user in Gaia Portal: 1. In a web browser, connect to Gaia Portal on the Security Gateway. 2. In the User Management section, click the Users page. 3. For each user: 1. Click the user. 2. From the top toolbar, click Reset Password. 3. Enter the new password. 4. Click OK. 
To reset the password for a Gaia OS local user in Gaia Clish: 1. Connect to the command line on the Security Gateway. 2. If your default shell is the Expert mode, then go to Gaia Clish: clish 3. For each user: 1. Run: set user <username> password 2. Enter the new password. 4. Save the changes: save config 2. Reset the Expert mode password for Gaia OS You can reset the Expert mode password in Gaia Portal or in Gaia Clish. To reset the Expert mode password in Gaia Portal: 1. In a web browser, connect to Gaia Portal on the Security Gateway. 2. In the System Management section, click the System Passwords page. 3. In the Change Expert Password section, enter the new password. 4. Click Apply. To reset the Expert mode password in Gaia Clish: 1. Connect to the command line on the Security Gateway. 2. If your default shell is the Expert mode, then go to Gaia Clish: clish 3. Run: set expert-password 4. Enter the new password. 5. Save the changes: save config 7. Regenerate the SSH local user certificate on the Security Gateway in the following case: 1. Based on the above script results, your Security Gateway is vulnerable. 2. On the Security Gateway, the SSH is configured to allow all source IP addresses, including the Internet (not recommended). 3. Authentication of SSH users is based on certificates. 4. You did not delete the user's private key from the Security Gateway (not recommended). * You can find the user's private keys in the /home/<username>/.ssh file. Use the command in the Expert mode: find /home/*/.ssh -print In the command output, you should see a file called "id_rsa" (this is the private SSH key). For each of these keys, use the "ssh-keygen" command (in the Expert mode) to regenerate the SSH key for the relevant user. 8. Renew the certificate for the SSH Inspection If you configured transparent inspected SSH severs (imported the private key and the public key of an SSH server), the follow these steps for each SSH sever: 1. 
Get the new RSA keys from the SSH server - private key and public key. 2. Copy the new two key files to the Security Gateway. 3. Connect to the command line on the Security Gateway. 4. Log in to the Expert mode. 5. Delete the current private key for the SSH server: rm -i </PATH/TO/CURRENT/PRIVATE/RSA/KEY> 6. Delete the current public key for the SSH server: rm -i </PATH/TO/CURRENT/PUBLIC/RSA/KEY>.pub 7. Import the new keys: cpssh_config -s -a <SERVER_NAME> -e </PATH/TO/NEW/RSA/PUBLIC/KEY>.pub -i </PATH/TO/NEW/PRIVATE/RSA/KEY> 8. Install the Access Control policy - either with the command "fw fetch local" or in SmartConsole. If you configured non-transparent inspected SSH severs (imported only the public key of an SSH server), the follow these steps for each SSH sever: 1. Get the new public RSA key (*.pub) from the SSH server. 2. Copy the new public key to the Security Gateway. 3. Connect to the command line on the Security Gateway. 4. Log in to the Expert mode. 5. Delete the current public key for the SSH server: rm -i </PATH/TO/CURRENT/RSA/KEY>.pub 6. Import the new public key: cpssh_config -s -g <SERVER_NAME> -e </PATH/TO/NEW/RSA/KEY>.pub 7. Install the Access Control policy - either with the command "fw fetch local" or in SmartConsole. ADDITIONAL FREQUENTLY ASKED QUESTIONS Click each item to see the content or click here to see the Entire Section 1. What are the suspect IP addresses used by threat actors to exploit the vulnerability? 
> 5.188.218.0/23
> 23.227.196.88
> 23.227.203.36
> 31.134.0.0/20
> 37.9.40.0/21
> 37.19.205.180
> 38.180.54.104
> 38.180.54.168
> 45.135.1.0/24
> 45.135.2.0/23
> 45.155.166.0/23
> 46.59.10.72
> 46.183.221.194
> 46.183.221.197
> 61.92.2.219
> 64.176.196.84
> 68.183.56.130
> 82.180.133.120
> 85.239.42.0/23
> 87.206.110.89
> 88.218.44.0/24
> 91.132.198.0/24
> 91.218.122.0/23
> 91.245.236.0/24
> 103.61.139.226
> 104.207.149.95
> 109.134.69.241
> 112.163.100.151
> 132.147.86.201
> 146.70.205.62
> 146.70.205.188
> 146.185.207.0/24
> 149.88.22.67
> 154.47.23.111
> 156.146.56.136
> 158.62.16.45
> 162.158.162.254
> 167.61.244.201
> 167.99.112.236
> 178.236.234.123
> 183.96.10.14
> 185.213.20.20
> 185.217.0.242
> 192.71.26.106
> 193.233.128.0/22
> 193.233.216.0/21
> 195.14.123.132
> 198.44.211.76
> 203.160.68.12
> 217.145.225.0/24
> 221.154.174.74

2. When were exploitation attempts for this vulnerability first seen?

> Our retrospective telemetry analysis shows exploitation attempts starting on 30 April 2024.
>
> Further investigation (as of 31 May 2024) revealed that the first exploitation attempts started on 07 April 2024.
>
> We are actively investigating further.

3. What is the current CVSS score of this vulnerability?

> As of 30 May 2024, the CVSS score is 8.6 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
>
> Parameter                 Value     Explanation
> Attack Vector (AV)        Network   The vulnerability is exploited only over the network.
> Attack Complexity (AC)    Low       An attacker can expect repeatable success when attacking the vulnerable component. No special conditions or circumstances are required, assuming the component (VPN) is enabled on the Security Gateway.
> Privileges Required (PR)  None      The attacker needs no privileges or authentication.
> User Interaction (UI)     None      The vulnerability can be exploited without any user interaction.
> Scope (S)                 Changed   An exploited vulnerability can affect Security Gateway components besides the VPN.
> Confidentiality (C)       High      All resources within the Security Gateway are potentially accessible to the attacker and are therefore considered compromised.
> Integrity (I)             None      There is no loss of Security Gateway integrity.
> Availability (A)          None      There is no impact on Security Gateway availability.

4. What is the recommendation for a Gateway running an End-of-Support version (R80.30 and lower)?

> If you run a version that is already End-of-Support, we recommend one of these options:
>
> * Upgrade to a supported version and install the provided Hotfix.
>
> * Disable the Remote Access and Mobile Access functionalities:
>
>   1. Remove the Mobile Access functionality:
>      1. In SmartConsole, go to Gateways & Servers.
>      2. Double-click the Security Gateway object.
>      3. On the General Properties page, clear the Mobile Access checkbox.
>      4. Click OK.
>
>   2. Remove the Security Gateway from the Remote Access VPN Communities:
>      1. In SmartConsole, in the top right corner, click the Objects panel.
>      2. Click VPN Communities.
>      3. Double-click the relevant Remote Access VPN community.
>      4. On the Participating Gateways page, remove the applicable Security Gateway from the list.
>      5. Click OK.
>
>   3. Install the Access Control policy.

5. Is there an IPS Signature that can prevent attempts to exploit CVE-2024-24919?

> Yes.
>
> The IPS Signature "Check Point VPN Information Disclosure (CVE-2024-24919)" detects and blocks attempts to exploit this CVE.
> This signature is automatically available in the "Optimized" IPS profile.
>
> The signature can only block exploit traffic that passes through a Security Gateway that inspects it. To prevent any attempt to exploit this vulnerability, you must protect the vulnerable Remote Access VPN gateway behind a Security Gateway with both IPS and HTTPS Inspection enabled; HTTPS Inspection is required because the request to the VPN portal arrives inside a TLS session that IPS cannot otherwise see.

6. If I suspect unauthorized access attempts, what should I do?

> To investigate for suspicious activity, we recommend taking these steps:
>
> 1. Analyze all Remote Access connections of local accounts with password-only authentication.
>    Review your connection logs from the past 3 months:
>
>    1. In SmartConsole, go to the Logs & Monitor > Logs tab.
>    2. In the top Search field, enter this query:
>
>       blade:"Mobile Access" AND action:"Log In" AND auth_method:Password
>
> 2. For each connection, verify that the user, time, source IP address, client name, OS name, and application are familiar, based on the configured users and business needs.
>
> 3. If any connection or user cannot be validated, we recommend invoking your incident response playbook, or contacting Check Point Support or your local Check Point representative.

7. I have installed the hotfix "Hardening Remote Access for VPN users". Are the Security Gateways still vulnerable to CVE-2024-24919?

> As an initial step, deploy the hotfix for CVE-2024-24919 to address the vulnerability.
>
> If you have Remote Access VPN users who authenticate to the Security Gateway using only a password, also implement one of the additional protection measures (see "Important extra measures"):
>
> * Reset Gaia OS passwords for all local users.
>
> * Prevent Local Accounts from connecting to VPN with Password-Only Authentication.

ARTICLE REVISION HISTORY

Date          Description
02 June 2024  1. Added the "Automatic interim preventative measure deployed through AutoUpdater utility" section.
              2. Added the "Install Jumbo Hotfix Accumulator to fix CVE-2024-24919" section and R81.10 Jumbo Hotfix Accumulator Take 150.
01 June 2024  1. Added caution for customers using CCCD in R81.10 / R81.20.
              2. Added the "Article Revision History" section.

ARTICLE PROPERTIES

Access Level: General
Severity: High
Date Created: 2024-05-26
Last Modified: 2024-06-02
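The indicator list in FAQ 1 and the log review in FAQ 6 fit together: the query narrows the logs to Mobile Access password logins, and each remaining source address should be checked against the published list and against where your users actually connect from. The block below is an added example that does this offline; it is not Check Point code and does not talk to a Management Server. Everything in it is an assumption made for the example: the records are a constructed key=value rendering of the log fields named in the FAQ 6 query (blade, action, auth_method) plus src, user and time; KNOWN_EGRESS is a hypothetical list of the organisation's expected client networks; REFERENCE_NOW is the review date; the 90-day window is the "past 3 months" from FAQ 6. Only the indicator list itself is taken from the page.

```python
"""Triage Mobile Access password logins against this article's indicator list.

Added example for FAQ 1 and FAQ 6, not Check Point code. The log records,
KNOWN_EGRESS and REFERENCE_NOW are constructed for the example; only
SUSPECT_LIST is copied from FAQ 1.
"""
import ipaddress
import shlex
from datetime import datetime, timedelta

# Suspect addresses and ranges exactly as listed in FAQ 1 of this article.
SUSPECT_LIST = """
5.188.218.0/23 23.227.196.88 23.227.203.36 31.134.0.0/20 37.9.40.0/21
37.19.205.180 38.180.54.104 38.180.54.168 45.135.1.0/24 45.135.2.0/23
45.155.166.0/23 46.59.10.72 46.183.221.194 46.183.221.197 61.92.2.219
64.176.196.84 68.183.56.130 82.180.133.120 85.239.42.0/23 87.206.110.89
88.218.44.0/24 91.132.198.0/24 91.218.122.0/23 91.245.236.0/24 103.61.139.226
104.207.149.95 109.134.69.241 112.163.100.151 132.147.86.201 146.70.205.62
146.70.205.188 146.185.207.0/24 149.88.22.67 154.47.23.111 156.146.56.136
158.62.16.45 162.158.162.254 167.61.244.201 167.99.112.236 178.236.234.123
183.96.10.14 185.213.20.20 185.217.0.242 192.71.26.106 193.233.128.0/22
193.233.216.0/21 195.14.123.132 198.44.211.76 203.160.68.12 217.145.225.0/24
221.154.174.74
"""


def build_networks(text):
    """Turn a whitespace-separated list of hosts and CIDRs into networks.

    A bare host becomes a /32, so membership tests treat both forms alike.
    """
    return [ipaddress.ip_network(tok, strict=False) for tok in text.split()]


SUSPECT_NETS = build_networks(SUSPECT_LIST)
KNOWN_EGRESS = build_networks("203.0.113.0/24 198.51.100.0/24")  # hypothetical
REFERENCE_NOW = datetime(2024, 6, 2)                             # assumed review date


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def is_suspect(ip):
    """True if ip is one of the FAQ 1 hosts or inside one of its ranges."""
    return in_any(ip, SUSPECT_NETS)


def parse_record(line):
    """Parse key=value and key="quoted value" tokens into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def matches_query(rec):
    """Same condition as the FAQ 6 search:
    blade:"Mobile Access" AND action:"Log In" AND auth_method:Password"""
    return (rec.get("blade") == "Mobile Access"
            and rec.get("action") == "Log In"
            and rec.get("auth_method") == "Password")


def triage(lines, now=REFERENCE_NOW, window_days=90):
    """Return one finding per in-window password login, with a verdict."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for line in lines:
        rec = parse_record(line)
        if not matches_query(rec):
            continue
        if datetime.fromisoformat(rec["time"]) < cutoff:
            continue
        src = rec["src"]
        if is_suspect(src):
            verdict = "suspect-ip"          # matches the published list
        elif not in_any(src, KNOWN_EGRESS):
            verdict = "unexpected-source"   # validate user, client, OS, app
        else:
            verdict = "review"              # expected network; still confirm
        findings.append({"user": rec["user"], "src": src,
                         "time": rec["time"], "verdict": verdict})
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    'time=2024-05-02T03:11:09 blade="Mobile Access" action="Log In" auth_method=Password src=5.188.219.7 user=alice',
    'time=2024-05-10T09:02:41 blade="Mobile Access" action="Log In" auth_method=Password src=203.0.113.45 user=bob',
    'time=2024-05-15T12:30:00 blade="Mobile Access" action="Log In" auth_method=Certificate src=8.8.8.8 user=carol',
    'time=2024-02-01T22:14:55 blade="Mobile Access" action="Log In" auth_method=Password src=23.227.196.88 user=dave',
    'time=2024-05-20T18:45:12 blade="Mobile Access" action="Log In" auth_method=Password src=198.18.0.9 user=erin',
    'time=2024-05-21T07:00:00 blade=Firewall action=Accept src=198.51.100.8 user=frank',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

On the constructed records this yields three findings: alice (inside 5.188.218.0/23, so "suspect-ip"), bob ("review", expected network) and erin ("unexpected-source"). carol is dropped by the query because she authenticated with a certificate, dave because his login is older than the window, and frank because the record is not a Mobile Access login. A "suspect-ip" or "unexpected-source" verdict is the point at which FAQ 6 says to invoke the incident response playbook; "review" still needs the user, client, OS and application checked by hand.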
©1994-2024 Check Point Software Technologies Ltd. All rights reserved.