Check Point’s 'Best Security' Slogan Meets Reality: CVE-2024-24919
The technical details and real-world exploitation of CVE-2024-24919 highlight the critical nature of this vulnerability and the importance of prompt remediation to protect against potential data breaches and network compromises.
📌CVE-2024-24919 is an information disclosure vulnerability that allows an unauthenticated remote attacker to read the contents of arbitrary files on the affected appliance.
📌It is categorized as an «Exposure of Sensitive Information to an Unauthorized Actor» vulnerability (CWE-200).
📌The vulnerability affects systems with the Remote Access VPN or Mobile Access software blades enabled.
📌The vulnerability is exploited by sending a crafted request to the /clients/MyCRL endpoint, which is designed to serve a fixed set of static files from the filesystem.
📌By placing path traversal sequences such as ../../etc/passwd in the request body, an attacker escapes the intended directory and can read sensitive files, including /etc/shadow, to obtain local password hashes.
📌The vulnerability allows reading any file on the system, not just specific files mentioned by the vendor.
📌Security researchers have published a public PoC exploit for CVE-2024-24919, providing technical details on how to exploit the vulnerability.
📌The PoC demonstrates the ability to read arbitrary files, including extracting password hashes and other sensitive information.
📌Check Point has observed active exploitation of this vulnerability in the wild since early April 2024.
📌Threat actors have been leveraging the vulnerability to extract password hashes, move laterally within networks, and compromise Active Directory servers by extracting the ntds.dit file.
Understanding the Decompiled Code
📌The vulnerable code performs file I/O operations, indicated by references to functions like _fopen and _fread.
📌The code compares the requested URL with a list of hardcoded strings from a string table to determine if the file can be served.
📌The code uses the strstr function to check whether the requested URL contains any of the strings from the table. strstr reports a match if the table entry appears anywhere inside the input, so it is a substring search rather than a strict comparison.
📌This allows for abuse: a request only needs to contain a valid table entry somewhere, and the rest can be a path traversal sequence, such as http://icsweb.cab/../../etc/passwd.
📌The initial attempts to exploit the path traversal with sequences like ../../etc/passwd appended to a filename entry failed: the check passed, but the OS rejected the resulting path as invalid.
📌A second string table was found, containing entries that suggested directory paths, such as CSHELL/.
📌By crafting a request body that contained the directory string CSHELL/ (with an arbitrary leading character, showing that only a substring match is required) followed by a path traversal sequence, the researchers were able to bypass the checks.
POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow
📌This request returned the contents of the /etc/shadow file, confirming an arbitrary file read vulnerability.
📌Because /etc/shadow is readable only by root, the ability to read it shows that the process serving this endpoint runs with superuser privileges, so an attacker can read any file on the filesystem.
📌This is more severe than the vendor's initial advisory suggested, which described a limited information exposure.
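The following is an added example, not Check Point's code or watchTowr's PoC: it reconstructs the kind of allowlist check the decompilation above describes (a strstr() substring match against a string table), places a hardened check beside it, and lexically resolves the request path the way the kernel walks "../" components, to show where the body above lands. The table entries beyond icsweb.cab and CSHELL/, and the web root /var/www/clients, are assumptions.

```c
/* Added example (hypothetical reconstruction, not vendor code). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed string tables: the writeup names only "icsweb.cab" and "CSHELL/". */
static const char *const FILE_TABLE[] = { "icsweb.cab" };
static const char *const DIR_TABLE[]  = { "CSHELL/" };
static const char *const WEB_ROOT = "/var/www/clients";   /* assumption */

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Vulnerable check: any table entry appearing *anywhere* in the request passes.
 * "aCSHELL/../../../etc/shadow" contains "CSHELL/", so it is accepted. */
bool vuln_is_allowed(const char *req) {
    for (size_t i = 0; i < COUNT(FILE_TABLE); i++)
        if (strstr(req, FILE_TABLE[i]) != NULL) return true;
    for (size_t i = 0; i < COUNT(DIR_TABLE); i++)
        if (strstr(req, DIR_TABLE[i]) != NULL) return true;
    return false;
}

/* Hardened check: the request must equal a file entry exactly, or start with a
 * directory entry and contain no ".", "..", or empty path components after it. */
bool safe_is_allowed(const char *req) {
    if (req[0] == '\0' || req[0] == '/') return false;        /* no absolute paths */
    for (size_t i = 0; i < COUNT(FILE_TABLE); i++)
        if (strcmp(req, FILE_TABLE[i]) == 0) return true;
    for (size_t i = 0; i < COUNT(DIR_TABLE); i++) {
        size_t n = strlen(DIR_TABLE[i]);
        if (strncmp(req, DIR_TABLE[i], n) != 0) continue;       /* prefix, not substring */
        const char *p = req + n;
        if (*p == '\0') return false;                          /* directory itself is not a file */
        while (*p) {                                           /* validate each component */
            const char *slash = strchr(p, '/');
            size_t len = slash ? (size_t)(slash - p) : strlen(p);
            if (len == 0) return false;                                  /* "//" */
            if (len == 1 && p[0] == '.') return false;                   /* "./" */
            if (len == 2 && p[0] == '.' && p[1] == '.') return false;    /* "../" */
            if (!slash) break;
            p = slash + 1;
            if (*p == '\0') return false;                                /* trailing "/" */
        }
        return true;
    }
    return false;
}

/* Lexically resolve WEB_ROOT "/" req into out: "." is dropped, ".." pops the
 * previous component and is a no-op at "/", as kernel path walking does
 * (existence checks aside). Returns the resolved length, 0 on overflow. */
size_t lexical_resolve(const char *req, char *out, size_t outsz) {
    char full[1024];
    if (outsz < 2) return 0;
    if (snprintf(full, sizeof full, "%s/%s", WEB_ROOT, req) >= (int)sizeof full) return 0;
    size_t n = 0;
    out[0] = '\0';
    const char *p = full;
    while (*p) {
        while (*p == '/') p++;                       /* skip separators */
        if (!*p) break;
        const char *end = p;
        while (*end && *end != '/') end++;
        size_t len = (size_t)(end - p);
        if (len == 1 && p[0] == '.') {
            /* "." : stay in the current directory */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            while (n > 0 && out[n - 1] != '/') n--;  /* pop to the previous '/' */
            if (n > 0) n--;
            out[n] = '\0';
        } else {
            if (n + 1 + len + 1 > outsz) return 0;
            out[n++] = '/';
            memcpy(out + n, p, len);
            n += len;
            out[n] = '\0';
        }
        p = end;
    }
    if (n == 0) { out[0] = '/'; out[1] = '\0'; n = 1; }
    return n;
}

/* Helper: does the request resolve to the expected absolute path? */
bool resolves_to(const char *req, const char *expected) {
    char out[1024];
    return lexical_resolve(req, out, sizeof out) > 0 && strcmp(out, expected) == 0;
}

int main(void) {
    const char *body = "aCSHELL/../../../../../../../etc/shadow";   /* the request body above */
    char out[1024];
    lexical_resolve(body, out, sizeof out);
    printf("vuln check: %d  safe check: %d  resolves to: %s\n",
           vuln_is_allowed(body), safe_is_allowed(body), out);
    return 0;
}
```

Seven "../" segments are more than the four components of the assumed web root, and the extra ones are harmless because ".." at "/" stays at "/", which is why a PoC can use a generous count without knowing the real root depth. The hardened variant anchors the comparison to the start of the string and rejects every dot component, so no leading character and no traversal sequence can satisfy it; a production fix would additionally open the file relative to the web root and verify the canonical path still lies under it.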