
Solution ID: sk182336

--------------------------------------------------------------------------------

Technical Level: Basic



PREVENTATIVE HOTFIX FOR CVE-2024-24919 - QUANTUM GATEWAY INFORMATION DISCLOSURE

Please read this important update from Check Point.
Security Alert: High
Product: CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum
Security Gateways, Quantum Spark Appliances
Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x,
R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10,
R81.10.x, R81.20
Last Modified: 2024-06-02


SOLUTION

Following our security update on May 27, 2024, Check Point's dedicated task
force continues investigating attempts to gain unauthorized access to VPN
products used by our customers. On May 28, 2024 we discovered a vulnerability in
Security Gateways with IPsec VPN in Remote Access VPN community and the Mobile
Access software blade (CVE-2024-24919). Exploiting this vulnerability can result
in accessing sensitive information on the Security Gateway.
This, in certain scenarios, can potentially lead the attacker to move laterally
and gain domain admin privileges.
If you need any additional assistance, contact Check Point Support or your local
Check Point representative.


Table of Contents

 * Install Jumbo Hotfix Accumulator to fix CVE-2024-24919
 * Security Gateway Hotfix to prevent exploit of CVE-2024-24919
 * Important extra measures
 * Additional Frequently Asked Questions
 * Article Revision History



INSTALL JUMBO HOTFIX ACCUMULATOR TO FIX CVE-2024-24919

This problem was fixed. The fix is included in these Jumbo Hotfix Accumulators:

Version                            Take #
R81.20 Jumbo Hotfix Accumulator    Coming soon
R81.10 Jumbo Hotfix Accumulator    Latest Take 150
R81 Jumbo Hotfix Accumulator       Coming soon


If you do not wish to install the Jumbo Hotfix Accumulator, the following
hotfix is available:


SECURITY GATEWAY HOTFIX TO PREVENT EXPLOIT OF CVE-2024-24919


 Perform this step on ANY Security Gateway and Cluster that has EITHER of the
following setups:

 * The IPSec VPN Software Blade is enabled, but ONLY when included in the Remote
   Access VPN community.
 * The Mobile Access Software Blade is enabled.


For online Security Gateways and Cluster Members, the Hotfix is available for
you in CPUSE. To obtain the Hotfix:

 1. With a web browser, connect to the Gaia Portal on the Security Gateway and
    each Cluster Member.

 2. Install the hotfix package:
    
    In the default Gaia Portal view:
    
     1. Go to Upgrades (CPUSE) > Status and Actions.
     2. In the top right corner, click Check For Updates.
     3. In the Hotfixes section, right-click the hotfix package "Hotfix for
        CVE-2024-24919" and click Install Update.
    
    In the Gaia Portal "New Experience" view:
    
     1. Go to Software Updates > Available Updates.
     2. In the top right corner, click Check for updates.
     3. In the Hotfix Updates section, in the "Hotfix for CVE-2024-24919" row,
        click Install.
    
    The process should take 5 to 10 minutes to complete, after which the
    confirmation window appears.

 3. Reboot the Security Gateway / Cluster Member.





PROCEDURE FOR CUSTOMERS USING CCCD - AN ADVANCED VPN FEATURE IN R81.10 / R81.20

In R81.10, a new feature was introduced to improve VPN performance: CCCD.
This feature is disabled by default, and is used by a very small number of
Security Gateways globally.

Customers who use CCCD must disable this functionality for the Hotfix to be
effective.

Follow these steps to check the current CCCD state and disable it:

 1. Log in to the command line (Expert mode) on the Security Gateway and each
    Cluster Member.

 2. Run the command: vpn cccd status
    The expected output is: vpn: 'cccd' is disabled.
    
    If the output differs, permanently disable the CCCD process by running the
    vpn cccd disable command.
    
    Note: This change survives a Security Gateway reboot.





PROCEDURE TO IDENTIFY VULNERABLE SECURITY GATEWAYS

Use this procedure to run the script that scans all the Security Gateways and
Cluster Members configured in your Security Management Server or Domain
Management Server. The script shows a list of Security Gateways / Clusters that
have IPSec VPN, Remote Access VPN, or Mobile Access blade enabled. The
recommended action is to install the Security Gateway Hotfix. The script does
not check if the Hotfix is installed.




Important Note: To run a script from SmartConsole, the permission profile of a
Management administrator must have these permissions on the Gateways page, in
the Scripts section:

 1. Run Repository Script
 2. Manage Repository Scripts

Procedure:




 1.  Download the archive check-for-CVE-2024-24919-v2.zip to your computer.

 2.  Extract the check-for-CVE-2024-24919.sh script file from the archive to a
     local directory.

 3.  Connect with SmartConsole to your Security Management Server (on a
     Multi-Domain Server, connect to any Domain Management Server).

 4.  From the left navigation panel, go to Gateways & Servers view.

 5.  Click the Security Management Server object (and not a Security Gateway).

 6.  From the top toolbar, click Scripts > Scripts Repository.
     
     The Script Repository window opens.
     
     

 7.  Add the downloaded script to the repository:
     
     1. From the top toolbar, click New.
     
     2. In the Name field, paste: Check for CVE-2024-24919
     
     3. Optional: In the Comment field, paste: Check my gateways for
        CVE-2024-24919 (sk182336)
     
     4. Click Load from file > select the script file
        (check-for-CVE-2024-24919.sh).
     
     5. Wait for the script content to appear.
     
     6. Click OK.
        
        

 8.  Run the script:
     
     1. In the Script Repository window, select the newly added script.
        
        
     
     2. From the top toolbar, click Run.
     
     3. The Run 'Check for CVE-2024-24919' On '<Name of Management Server>'
        window opens.
        
        Note for Multi-Domain Management: By default, the script scans all
        Domain Management Servers (Domains) on the current Multi-Domain Server
        (MDS), both Active and Standby. If some Domain Management Servers do
        not exist on the current Multi-Domain Server, make sure to run the
        script on the additional Multi-Domain Servers as well.
        The ability to scan multiple Domains, regardless of which Domain the
        administrator is currently connected to, relies on the strong Run-Script
        permissions of an administrator who can access all Domains. It is meant
        to simplify scanning all Domains on the Multi-Domain Server. To
        restrict the script to a specific Domain, enter the Domain Name in the
        Arguments field.
        
        
     
     4. Click Run.
     
     5. Close the Script Repository window.
     
     6. Wait a few seconds for the script to complete - see the SmartConsole
        bottom left corner.

 9.  Get the script results:
     
     1. In the SmartConsole bottom-left corner, click the Task Monitoring pane >
        in the completed script task Run Repository Script, click Details.
     
     2. The Run Repository Script window opens.
        
        If the result is long, then in the Results section, click the Show
        results link.
        
        Example result:
        
        > ALERT: Number of vulnerable Remote Access gateway(s) identified: 1
        > Recommendation: Install Hotfix to mitigate CVE-2024-24919 according to
        > sk182336.
        > - Perimiter-Gateway
        
        

 10. Install the recommended hotfix on the vulnerable Security Gateways and
     Cluster Members:
     
     * On online Security Gateways / Cluster Members, the hotfix appears in Gaia
       Portal and Gaia Clish.
     
     * For offline Security Gateways / Cluster Members, refer to the summary
       table with manual downloads.



The Security Gateway Hotfix is also available for manual download. Each package
is built on top of a specific Jumbo Hotfix Accumulator Take (the "Hotfix on
top" column of the original table), so pick the one matching the Take installed
on the Security Gateway:

Quantum Security Gateway:
 * R81.20 Jumbo Hotfix Accumulator Take 54 (TAR)
 * R81.20 Jumbo Hotfix Accumulator Take 53 (TAR)
 * R81.20 Jumbo Hotfix Accumulator Take 41 (TAR)
 * R81.20 Jumbo Hotfix Accumulator Take 26 (TAR)
 * R81.10 Jumbo Hotfix Accumulator Take 141 (TAR)
 * R81.10 Jumbo Hotfix Accumulator Take 139 (TAR)
 * R81.10 Jumbo Hotfix Accumulator Take 130 (TAR)
 * R81.10 Jumbo Hotfix Accumulator Take 110 (TAR)
 * R81 Jumbo Hotfix Accumulator Take 92 (TAR)
 * R80.40 Jumbo Hotfix Accumulator Take 211 (TGZ)
 * R80.40 Jumbo Hotfix Accumulator Take 206 (TGZ)
 * R80.40 Jumbo Hotfix Accumulator Take 198 (TGZ)
 * R80.40 Jumbo Hotfix Accumulator Take 197 (TGZ)
 * R80.30 Kernel 2.6 Jumbo Hotfix Accumulator Take 255 (TGZ)
 * R80.30 Kernel 3.10 Jumbo Hotfix Accumulator Take 255 (TGZ)
 * R80.20 Jumbo Hotfix Accumulator Take 230 (TGZ)
 * R80.10 Jumbo Hotfix Accumulator Take 298 (TGZ)

Quantum Maestro and Quantum Scalable Chassis:
 * R80.30SP Jumbo Hotfix Accumulator Take 97 (TGZ)
 * R80.20SP Jumbo Hotfix Accumulator Take 336 (TGZ)

Quantum Spark Appliances:
 * See sk182357: Preventative Hotfix for CVE-2024-24919 - Quantum Spark
   Gateways

For manual hotfix installation instructions on Quantum Security Gateways, see:
sk168597 - How to install a Hotfix.
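The following Python script is an added example; it is not Check Point's check-for-CVE-2024-24919.sh script and not code from sk182336. It combines the exposure rule stated in the Security Gateway Hotfix section (IPsec VPN blade enabled and part of a Remote Access VPN community, or the Mobile Access blade enabled) with the Take numbers from the Jumbo Hotfix Accumulator table and the manual-download table above, and with the CCCD caveat, to decide for each gateway what sk182336 still requires. The gateway inventory is constructed and its field names (ipsec_vpn, remote_access_community, mobile_access, cve_hotfix_installed, cccd_enabled) are assumptions; in practice you would fill them from the script results and from each gateway, because Check Point's script does not check whether the Hotfix is installed. Quantum Spark appliances are covered by sk182357 and are not modelled here.

```python
"""Triage Security Gateways for CVE-2024-24919 exposure and patch level.

Added example (not Check Point's own script). The exposure rule and the Take
numbers come from sk182336 as published on 2024-06-02; the gateway inventory
records are constructed and their field names are an assumption.
"""

# Jumbo Hotfix Accumulator Takes that already contain the fix. R81.20 and R81
# are marked "Coming soon" on the page, so they have no entry here.
FIX_INCLUDED_IN_JHF = {"R81.10": 150}

# Takes for which a standalone "Hotfix for CVE-2024-24919" package is listed
# in the manual-download table (Quantum Security Gateway, Maestro, Chassis).
HOTFIX_PACKAGE_FOR_TAKE = {
    "R81.20": {54, 53, 41, 26},
    "R81.10": {141, 139, 130, 110},
    "R81": {92},
    "R80.40": {211, 206, 198, 197},
    "R80.30": {255},          # both the Kernel 2.6 and the Kernel 3.10 build
    "R80.20": {230},
    "R80.10": {298},
    "R80.30SP": {97},         # Quantum Maestro / Scalable Chassis
    "R80.20SP": {336},
}


def is_exposed(gw):
    """sk182336 scope: IPsec VPN blade in a Remote Access community, or Mobile Access."""
    return (gw["ipsec_vpn"] and gw["remote_access_community"]) or gw["mobile_access"]


def required_actions(gw):
    """Return the list of actions sk182336 calls for on one gateway (empty = none)."""
    if not is_exposed(gw):
        return []
    actions = []
    version, take = gw["version"], gw["take"]
    fixed_take = FIX_INCLUDED_IN_JHF.get(version)
    already_fixed = gw["cve_hotfix_installed"] or (
        fixed_take is not None and take >= fixed_take
    )
    if not already_fixed:
        if take in HOTFIX_PACKAGE_FOR_TAKE.get(version, set()):
            actions.append(f"install 'Hotfix for CVE-2024-24919' on top of {version} Take {take}")
        elif fixed_take is not None:
            actions.append(f"install {version} Jumbo Hotfix Accumulator Take {fixed_take} or later")
        else:
            actions.append(f"no package listed for {version} Take {take}: contact Check Point Support")
    # The Hotfix is not effective while CCCD runs (R81.10 / R81.20 VPN feature).
    if gw.get("cccd_enabled"):
        actions.append("run 'vpn cccd disable' in Expert mode on every cluster member")
    return actions


def triage(inventory):
    """Map gateway name -> required actions for a whole inventory."""
    return {gw["name"]: required_actions(gw) for gw in inventory}


# Constructed inventory (not real gateways) covering the main cases.
SAMPLE_INVENTORY = [
    {"name": "ra-gw-1", "version": "R81.10", "take": 139, "ipsec_vpn": True,
     "remote_access_community": True, "mobile_access": False,
     "cve_hotfix_installed": False, "cccd_enabled": False},
    {"name": "mab-gw-2", "version": "R81.10", "take": 150, "ipsec_vpn": False,
     "remote_access_community": False, "mobile_access": True,
     "cve_hotfix_installed": False, "cccd_enabled": True},
    {"name": "s2s-gw-3", "version": "R80.40", "take": 211, "ipsec_vpn": True,
     "remote_access_community": False, "mobile_access": False,
     "cve_hotfix_installed": False, "cccd_enabled": False},
    {"name": "old-gw-4", "version": "R80.40", "take": 180, "ipsec_vpn": True,
     "remote_access_community": True, "mobile_access": False,
     "cve_hotfix_installed": False, "cccd_enabled": False},
]

if __name__ == "__main__":
    for name, actions in triage(SAMPLE_INVENTORY).items():
        print(name, "->", actions or ["no action required by sk182336"])
```

A site-to-site-only gateway (s2s-gw-3) gets no action even though the IPsec VPN blade is on, which is exactly the distinction the Hotfix section draws; a gateway already on R81.10 Take 150 but with CCCD enabled (mab-gw-2) still has work to do.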





AUTOMATIC INTERIM PREVENTATIVE MEASURE DEPLOYED THROUGH AUTOUPDATER UTILITY

Customers subscribed to Check Point's Auto Update process are gradually
receiving an update (as of June 2, 2024), which helps protect them from various
attempts to exploit the CVE. This is an interim preventative measure until the
Hotfix is fully installed on customers’ Security Gateways. It is important to
emphasize that installing the Hotfix is the best way to stay protected from this
vulnerability.




IMPORTANT EXTRA MEASURES

Follow this link to see video tutorials for some of the below procedures.




1. Change the password of the LDAP Account Unit

If a Security Gateway / Cluster is configured to use an LDAP Account Unit, we
recommend changing the password of the LDAP account.

Instructions:

 1. Change the password of the Security Gateway's account in Active Directory.
    To do so, refer to the relevant Microsoft article.

 2. In SmartConsole, open the Object Explorer (press the CTRL+E keys) >
    Users/Identities > LDAP Account Units

 3. Right-click the LDAP Account Unit and click Edit.

 4. The LDAP Account Unit Properties window opens. In the Servers tab, click
    Edit:
    
    

 5. The LDAP Server Properties window opens:
    
    

 6. Change the password and click OK.

 7. Install the Access Control policy.


2. Reset password of local accounts connecting to Remote Access VPN with
password-only authentication

 1. In SmartConsole, open the Object Explorer (press the CTRL+E keys) > VPN
    Communities > Remote Access.
    
    
 2. In Participant User Group pane, select the relevant User group.
    
    
 3. In the User Group properties, edit the relevant User.
    
    
 4. In the User properties window, go to the Authentication page and for Check
    Point Password click Set new password.
    
    
    
    
 5. Click OK.
    
    
 6. Repeat this procedure for EVERY User with the 'Check Point Password'
    authentication in ALL User Groups in ALL Remote Access VPN Communities.


3. Prevent Local Accounts from connecting to VPN with Password-Only
Authentication

We recommend not to use local accounts that authenticate the Remote Access VPN
users with password-only authentication. This section provides mitigation steps
to discover and prevent such accounts from logging into the VPN.

Important Note: To run a script from SmartConsole, the permission profile of a
Management administrator must have these permissions on the Gateways page, in
the Scripts section:

 1. Run Repository Script
 2. Manage Repository Scripts

Procedure:

 1.  Download the archive
     check-for-local-users-with-password-only-authentication-v5.zip to your
     computer.

 2.  Extract the check-for-local-users-with-password-only-authentication.sh
     script file from the archive to a local directory.

 3.  Connect with SmartConsole to your Security Management Server (on a
     Multi-Domain Server, connect to any Domain Management Server).

 4.  From the left navigation panel, go to Gateways & Servers view.

 5.  Click the Security Management Server object.

 6.  From the top toolbar, click Scripts > Scripts Repository.
     
     The Script Repository window opens.
     
     

 7.  Add the downloaded script to the repository:
     
     1. From the top toolbar, click New.
     
     2. In the Name field, paste: Check for local users with password-only
        authentication
     
     3. Optional: In the Comment field, paste: sk182336
     
     4. Click Load from file > select the script file
        check-for-local-users-with-password-only-authentication.sh.
     
     5. Wait for the script content to appear.
     
     6. Click OK.
        
        

 8.  Run the script:
     
     1. In the Script Repository window, select the newly added script.
        
        
     
     2. From the top toolbar, click Run.
     
     3. The Run 'Check for local users with password-only authentication' On
        '<Name of Management Server>' window opens.
        
        Note for Multi-Domain Management: By default, the script scans all
        Domain Management Servers (Domains) on the current Multi-Domain Server
        (MDS), both Active and Standby. If some Domain Management Servers do
        not exist on the current Multi-Domain Server, make sure to run the
        script on the additional Multi-Domain Servers as well.
        The ability to scan multiple Domains, regardless of which Domain the
        administrator is currently connected to, relies on the strong Run-Script
        permissions of an administrator who can access all Domains. It is meant
        to simplify scanning all Domains on the Multi-Domain Server. To
        restrict the script to a specific Domain, enter the Domain Name in the
        Arguments field.
        
        
     
     4. Click Run.
     
     5. Close the Script Repository window.
     
     6. Wait a few seconds for the script to complete - see the SmartConsole
        bottom left corner.

 9.  Get the script result:
     
     1. In the SmartConsole bottom-left corner, click the Task Monitoring pane >
        in the completed script task Run Repository Script, click Details.
     
     2. The Run Repository Script window opens.
     
     3. In the Results section, click the Show results link.

 10. Analyze the script result.
     
     * If the result is "No Local accounts with Password Authentication method
       found. No further action required", then no further action is required.
     
     * If the result is "ALERT: the script identified Local Accounts with
       Password Authentication method. Install Security Gateway Hotfix to
       prevent from such accounts to log-in, delete accounts or strengthen
       their authentication method", then proceed to the next step to install
       the recommended Security Gateway Hotfix.

 11. Install the Hotfix to block Local Accounts with Password-Only
     Authentication
     
     Do this step if the above script result shows the "ALERT: the script
     identified Local Accounts with Password Authentication method" message.
     The update is delivered as a Security Gateway Hotfix to enhance the overall
     security of the product by blocking local accounts that use "Check Point
     Password" as the only authentication method.
     
     After the hotfix installation, local user accounts configured with the
     password-only authentication method will no longer be able to authenticate
     to Remote Access VPN.
     
     
     Available Hotfixes
     
     On online Security Gateways and Cluster Members, the Hotfix is available
     for you in CPUSE. To obtain the Hotfix, go to Gaia Portal on the Security
     Gateway and each Cluster Member > Software Updates > Available Updates >
     Hotfix Updates > click Install > reboot.
     
     
     
     This Hotfix is also available for manual download (Hotfix on top /
     Download link):
     
      * R81.20 with Jumbo Hotfix Accumulator Take 53 - download (TAR)
      * R81.10 with Jumbo Hotfix Accumulator Take 139 - download (TAR)
      * R81 with Jumbo Hotfix Accumulator Take 92 - contact Check Point Support
      * R80.40 with Jumbo Hotfix Accumulator Take 211 - contact Check Point
        Support
     
     For the hotfix manual installation instructions, see: sk168597 - How to
     install a Hotfix.
     
     Usage
     
     This Hotfix adds a new command, blockSFAInternalUsers, on the Security
     Gateway that blocks or allows access for internal users with password-only
     authentication.
     Default value: "-b" (block internal users from connecting with
     password-only authentication).
     
     Syntax: blockSFAInternalUsers [flags]
     
     * -s - show current status
     * -a - allow internal users to connect with password-only authentication
     * -b - block internal users from connecting with password-only
       authentication
     
     Note: In a Cluster / Maestro / Chassis environment, you must run the
     command on each member separately.
     
     Verification Test
     
     After installing this Hotfix, users who attempt to connect using the
     password-only authentication method will receive this security log:
     
     
     
     If you need a Hotfix for another Jumbo Hotfix Accumulator Take, contact
     Check Point Support.


4. Renew the server certificates for the Inbound HTTPS Inspection on the
Security Gateway

Motivation: Certificates used for Inbound HTTPS Inspection are stored on the
Security Gateway, including the private key. See the R81.20 Threat Prevention
Administration Guide for more information.

You should renew any certificate stored on the Security Gateway. "Renew" in this
context means: generating a new certificate with a new key pair and revoking the
old certificate, making sure this old certificate is listed in the CRL.

 1. Get the new server certificate in the P12 format.

 2. Import the new server certificate:
    
    1. Connect with SmartConsole to the Security Management Server / Domain
       Management Server.
    
    2. From the left navigation panel, click Manage & Settings.
    
    3. In the top panel, click Blades.
    
    4. In the HTTPS Inspection section, click Configure in SmartDashboard.
       
       
    
    5. In the top left panel, click Server Certificates.
       
       
    
    6. Select the new server certificate file.
    
    7. From the top toolbar, click Add > enter the required information > select
       the server certificate file > click OK.
       
       
    
    8. Save the changes - in the top left corner, click the diskette icon (or
       press CTRL + S).
    
    9. Close SmartDashboard.

 3. In the HTTPS Inspection policy (used for the inbound inspection), replace
    the old inbound certificate with the new certificate (the one you just
    imported).

 4. Install the Access Control policy.

 5. Delete the old certificate that is potentially compromised:
    
    1. From the left navigation panel, click Manage & Settings.
    
    2. In the top panel, click Blades.
    
    3. In the HTTPS Inspection section, click Configure in SmartDashboard.
    
    4. In the top left panel, click Server Certificates.
    
    5. Select and delete each old certificate file.
    
    6. Save the changes - in the top left corner, click the diskette icon (or
       press CTRL + S).
    
    7. Close SmartDashboard.

 6. Install the Access Control policy again.


5. Renew the certificate for the Outbound HTTPS Inspection on the Security
Gateway

Motivation: Outbound inspection of TLS traffic is based on a certificate stored
on the Security Gateway. The certificate and related keying material might have
been compromised in the context of CVE-2024-24919. Client computers sending
traffic through the Security Gateway trust this certificate (it is imported into
their operating system's Trusted Certificate Store). 

Note: All Security Gateways configured for outbound HTTPS Inspection managed by
the same Security Management Server / Domain Management Server share the same
certificate and key pair. 
If you use an outbound certificate generated on the Management Server (in the
R81.20 Threat Prevention Administration Guide, see the "Creating an Outbound CA
Certificate" section), follow the steps below to renew this certificate.

 1.  Connect with SmartConsole to the Security Management Server / Domain
     Management Server.

 2.  From the left navigation panel, click Manage & Settings.

 3.  In the top panel, click Blades.

 4.  In the HTTPS Inspection section, click Configure in SmartDashboard.
     
     

 5.  In the top left panel, click Gateways.

 6.  At the bottom, in the CA Certificate section, click Renew Certificate.
     
     

 7.  Configure the new settings > click OK.
     
     

 8.  Close SmartDashboard.

 9.  Install the Access Control policy.

 10. Distribute this new certificate to all client computers using the Security
     Gateway for their outbound traffic. This step is required, as the
     certificate generated on the Management Server is a "self-signed"
     certificate (as you can see below, "Issued to" and "issued by" fields are
     identical).
     
     
     
     
 11. Configure client computers to remove the old HTTPS outbound certificate
     from their Trusted Certificate Store.
     
     
 12. If you use an Enterprise CA for generating an outbound HTTPS certificate
     (in the R81.20 Threat Prevention Administration Guide, see the "Importing
     an Outbound CA Certificate" section), follow the steps indicated in the
     Administration Guide to renew the outbound CA certificate with a new key
     pair.
     After you install the new Outbound CA certificate, revoke the old
     certificate. 


6. Reset Gaia OS passwords for all local users

 1. Reset the passwords for Gaia OS local users
    
    You can reset a local user password in Gaia Portal or in Gaia Clish.
    
    To reset the password for a Gaia OS local user in Gaia Portal:
    
    1. In a web browser, connect to Gaia Portal on the Security Gateway.
    
    2. In the User Management section, click the Users page.
    
    3. For each user:
       
       1. Click the user.
       
       2. From the top toolbar, click Reset Password.
          
          
       
       3. Enter the new password.
          
          
       
       4. Click OK.
    
    To reset the password for a Gaia OS local user in Gaia Clish:
    
    1. Connect to the command line on the Security Gateway.
    
    2. If your default shell is the Expert mode, then go to Gaia Clish: clish
    
    3. For each user:
       
       1. Run: set user <username> password
       
       2. Enter the new password.
    
    4. Save the changes: save config
    
    
 2. Reset the Expert mode password for Gaia OS
    
    You can reset the Expert mode password in Gaia Portal or in Gaia Clish.
    
    To reset the Expert mode password in Gaia Portal:
    
    1. In a web browser, connect to Gaia Portal on the Security Gateway.
    
    2. In the System Management section, click the System Passwords page.
    
    3. In the Change Expert Password section, enter the new password.
    
    4. Click Apply.
    
    
    
    To reset the Expert mode password in Gaia Clish:
    
    1. Connect to the command line on the Security Gateway.
    
    2. If your default shell is the Expert mode, then go to Gaia Clish: clish
    
    3. Run: set expert-password
    
    4. Enter the new password.
    
    5. Save the changes: save config


7. Regenerate the SSH key pair of local users on the Security Gateway in the
following case:

 1. Based on the above script results, your Security Gateway is vulnerable.

 2. On the Security Gateway, SSH is configured to accept connections from all
    source IP addresses, including the Internet (not recommended).

 3. Authentication of SSH users is based on keys (public-key authentication).

 4. You did not delete the user's private key from the Security Gateway (not
    recommended).
    
    * Users' private keys are stored in the /home/<username>/.ssh directory.
      
      In the Expert mode, run: find /home/*/.ssh -print
      
      In the command output, look for files called "id_rsa" (the private SSH
      key; the matching public key is "id_rsa.pub").
      
      For each of these keys, use the "ssh-keygen" command (in the Expert mode)
      to generate a new key pair for the relevant user.


8. Renew the certificate for the SSH Inspection

If you configured transparent inspected SSH servers (imported the private key
and the public key of an SSH server), follow these steps for each SSH server:

 1. Get the new RSA keys from the SSH server - private key and public key.

 2. Copy the new two key files to the Security Gateway.

 3. Connect to the command line on the Security Gateway.

 4. Log in to the Expert mode.

 5. Delete the current private key for the SSH server: rm -i
    </PATH/TO/CURRENT/PRIVATE/RSA/KEY>

 6. Delete the current public key for the SSH server: rm -i
    </PATH/TO/CURRENT/PUBLIC/RSA/KEY>.pub

 7. Import the new keys: cpssh_config -s -a <SERVER_NAME> -e
    </PATH/TO/NEW/RSA/PUBLIC/KEY>.pub -i </PATH/TO/NEW/PRIVATE/RSA/KEY>

 8. Install the Access Control policy - either with the command "fw fetch local"
    or in SmartConsole.

If you configured non-transparent inspected SSH servers (imported only the public
key of an SSH server), then follow these steps for each SSH server:

 1. Get the new public RSA key (*.pub) from the SSH server.

 2. Copy the new public key to the Security Gateway.

 3. Connect to the command line on the Security Gateway.

 4. Log in to the Expert mode.

 5. Delete the current public key for the SSH server: rm -i
    </PATH/TO/CURRENT/RSA/KEY>.pub

 6. Import the new public key: cpssh_config -s -g <SERVER_NAME> -e
    </PATH/TO/NEW/RSA/KEY>.pub

 7. Install the Access Control policy - either with the command "fw fetch local"
    or in SmartConsole.





ADDITIONAL FREQUENTLY ASKED QUESTIONS



1. What are the suspect IP addresses used by threat actors to exploit the
vulnerability?



2. When were exploitation attempts for this vulnerability first seen?

> Our retrospective telemetry analysis shows exploitation attempts starting on
> 30 April 2024.
> 
> Further investigation (as of 31 May 2024) revealed that the first exploitation
> attempts started on 07 April 2024.
> 
> We are actively investigating further.


3. What is the current CVSS score of this vulnerability?

> As of 30 May 2024, the CVSS score is 8.6 (High), with the vector string
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
> 
> Parameter - Value: Explanation
> 
>  * Attack Vector (AV) - Network: This vulnerability is exploited only through
>    the Network.
>  * Attack Complexity (AC) - Low: An attacker can expect repeatable success when
>    attacking the vulnerable component. There are no special conditions or
>    circumstances required for exploit success, assuming the component (VPN) is
>    enabled on the Security Gateway.
>  * Privilege Required (PR) - None: The attacker is unauthorized.
>  * User Interaction (UI) - None: The vulnerability can be exploited without any
>    user interaction.
>  * Scope (S) - Changed: An exploited vulnerability can affect Security Gateway
>    components besides the VPN.
>  * Confidentiality (C) - High: All resources within the Security Gateway are
>    potentially accessible to the attacker and are therefore considered
>    compromised.
>  * Integrity (I) - None: There is no loss of Security Gateway integrity.
>  * Availability (A) - None: There is no impact on the Security Gateway
>    availability.


4. What is the recommendation for a Gateway running an End-of-Support version
(R80.30 and lower)?

> If you run a version that is already End-of-Support, we recommend one of these
> options:
> 
>  * Upgrade to a supported version and install the provided Hotfix.
> 
>  * Disable the Remote Access and Mobile Access functionalities:
>    
>    1. Remove the Mobile Access functionality:
>       
>       1. In SmartConsole, go to Gateways & Servers
>       2. Double-click the Security Gateway object.
>       3. On the General Properties page, clear the Mobile Access checkbox.
>       4. Click OK.
>    
>    2. Remove the Security Gateway from the Remote Access VPN Communities:
>       
>       1. In SmartConsole, in the top right corner, click the Objects panel.
>       2. Click VPN Communities.
>       3. Double-click the relevant Remote Access VPN community.
>       4. On the Participating Gateways page, remove the applicable Security
>          Gateway from the list.
>       5. Click OK.
>    
>    3. Install the Access Control policy.


5. Is there an IPS Signature that can prevent attempts to exploit
CVE-2024-24919?

> Yes.
> 
> The IPS Signature "Check Point VPN Information Disclosure (CVE-2024-24919)"
> detects and blocks attempts to exploit this CVE.
> This signature is automatically available in the "Optimized" IPS profile.
> 
> To prevent any attempt to exploit this vulnerability, you must protect the
> vulnerable Remote Access VPN gateway behind a Security Gateway with both IPS
> and HTTPS Inspection enabled.


6. If I suspect unauthorized access attempts, what should I do?

> To investigate for suspicious activity, we recommend taking these steps:
> 
>  1. Analyze all Remote Access connections of local accounts with password-only
>     authentication.
>     
>     Monitor your connection logs from the past 3 months:
>     
>     1. In SmartConsole, go to the Logs & Monitor > Logs tab.
>     
>     2. In the top Search field, enter this query:
>        
>        blade:"Mobile Access" AND action:"Log In" AND auth_method:Password
> 
>  2. For each connection, verify that the user, time, source IP address, client
>     name, OS name, and application are familiar, based on the configured users
>     and business needs.
> 
>  3. If one of the connections or users cannot be validated, we recommend
>     invoking an incident response playbook, or contacting Check Point Support
>     or your local Check Point representative.
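The review described in steps 1 to 3, as an added example that is not part of the article: it applies the same filter as the SmartConsole query to constructed sample records (not real Check Point log output) over a 3-month window, then flags the password logins whose user or source network is not on an allow-list you maintain from your configured users and business needs.

```python
import ipaddress
import re
from datetime import datetime, timedelta

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample records (not real Check Point log output); field names mirror the
# article's query, and the src values are RFC 5737 documentation ranges, not indicators.
SAMPLE_LOGS = [
    'time="2024-05-20 08:02:11" blade="Mobile Access" action="Log In" auth_method="Password" user="jdoe" src="198.51.100.23" client_name="Check Point Mobile" os_name="Windows 11"',
    'time="2024-05-21 02:47:09" blade="Mobile Access" action="Log In" auth_method="Password" user="jdoe" src="203.0.113.77" client_name="Check Point Mobile" os_name="Linux"',
    'time="2024-05-21 09:15:30" blade="Mobile Access" action="Log In" auth_method="Certificate" user="asmith" src="203.0.113.5" client_name="Endpoint Security VPN" os_name="macOS"',
    'time="2024-05-22 10:00:00" blade="Mobile Access" action="Log In" auth_method="Password" user="svc_backup" src="198.51.100.40" client_name="Check Point Mobile" os_name="Windows 10"',
    'time="2024-01-10 10:00:00" blade="Mobile Access" action="Log In" auth_method="Password" user="jdoe" src="198.51.100.23" client_name="Check Point Mobile" os_name="Windows 11"',
]
ANALYSIS_DATE = datetime(2024, 5, 31)  # constructed "today" for the 3-month window

def parse(line: str) -> dict:
    """Turn a key="value" record into a dict."""
    return dict(FIELD_RE.findall(line))

def password_logins(logs, now: datetime, days: int = 90) -> list:
    """blade:"Mobile Access" AND action:"Log In" AND auth_method:Password, last `days` only."""
    since = now - timedelta(days=days)
    selected = []
    for rec in map(parse, logs):
        if rec.get("blade") != "Mobile Access" or rec.get("action") != "Log In":
            continue
        if rec.get("auth_method") != "Password":
            continue
        if datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S") < since:
            continue
        selected.append(rec)
    return selected

def unfamiliar(records, known_users, known_nets) -> list:
    """Password logins whose user is not configured or whose source is outside the expected networks."""
    nets = [ipaddress.ip_network(n) for n in known_nets]
    flagged = []
    for rec in records:
        src = ipaddress.ip_address(rec["src"])
        if rec["user"] not in known_users or not any(src in n for n in nets):
            flagged.append(rec)
    return flagged

if __name__ == "__main__":
    hits = password_logins(SAMPLE_LOGS, ANALYSIS_DATE)
    for rec in unfamiliar(hits, {"jdoe", "asmith"}, ["198.51.100.0/24"]):
        print(rec["time"], rec["user"], rec["src"], rec["client_name"], rec["os_name"])
```

Each flagged record is a candidate for the incident response step; the certificate-based login and the login older than 3 months are correctly left out of the review set.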


7. I have installed the hotfix "Hardening Remote Access for VPN users". Are the
Security Gateways still vulnerable to CVE-2024-24919?

> As an initial step, deploy the hotfix for CVE-2024-24919 to address the
> vulnerability.
> 
> Implement one of the additional protection measures if you have Remote Access
> VPN users who authenticate to the Security Gateway using only a password (see
> "Important extra measures"):
> 
>  * Reset Gaia OS passwords for all local users.
> 
>  * Prevent Local Accounts from connecting to VPN with Password-Only
>    Authentication.





ARTICLE REVISION HISTORY




Date: 02 June 2024
 1. Added the "Automatic interim preventative measure deployed through
    AutoUpdater utility" section
 2. Added the "Install Jumbo Hotfix Accumulator to fix CVE-2024-24919" section
    and R81.10 Jumbo Hotfix Accumulator Take 150

Date: 01 June 2024
 1. Added caution for customers using CCCD in R81.10 / R81.20
 2. Added the "Article Revision History" section


ARTICLE PROPERTIES

Access Level: General
Severity: High
Date Created: 2024-05-26
Last Modified: 2024-06-02


©1994-2024 Check Point Software Technologies Ltd. All rights reserved.