Check Point patches VPN 0-day exploited to target enterprises

Check Point has patched a zero-day vulnerability that has been exploited in the wild in attempts to compromise enterprise networks, the security company announced Tuesday.

The vulnerability, tracked as CVE-2024-24919, enables an attacker to “read certain information” on Check Point Network Security gateways with either the remote access VPN or mobile access enabled.

The hotfixes for CVE-2024-24919 released Tuesday comes after Check Point reported Monday that it observed a “small number” of exploitation attempts against its customers starting May 24, targeting old VPN local accounts with password-only authentication.

The activity was observed following an overall increase in attacks targeting remote-access VPNs to gain entry into enterprise networks over the past few months, Check Point said.

In response to the exploitation attempts targeting Check Point customers, prior to the root cause being discovered, the company provided a temporary fix that blocked local accounts with password-only authentication from logging into the remote access VPN.

“Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure.”

Customers were also advised to change the password of the Security Gateway’s account in the Active Directory.

CVE-2024-24919 affects the following Check Point products: CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark Appliances. Check Point’s advisory noted that installing the latest hotfixes for these products is “mandatory” to prevent exploitation of the flaw.

VPN attacks on the rise

Attacks targeting virtual private networks (VPNs) have increased significantly over the past few months, as noted by Check Point’s advisory, which mentions VPNs from several vendors being targeted for initial entry into enterprises.

Vulnerabilities in VPN products from vendors including Ivanti, Fortinet and Cisco have been leveraged in recent exploitation campaigns, including attacks by state-sponsored threat actors.

For example, following a surge of attacks by China-backed threat actors against Ivanti VPN zero-days in January, the Cybersecurity and Infrastructure Security Agency (CISA) issued a directive for federal agencies to disconnect Ivanti VPNs by Feb. 3.

Cisco Talos also warned of a worldwide increase in brute-force attacks against VPNs and other services in April, affecting Cisco, Check Point, Fortinet and SonicWall VPNs.

Meanwhile, statistics compiled by Top10VPN showed that reported VPN security vulnerabilities increased by 47% in 2023, and that the average severity of VPN vulnerabilities also increased by 40% over the last year.

In an SC Media Perspectives column, Zero Networks Vice President of Research Sagie Dulce noted that this increase in VPN attacks highlighted “the urgent need for a paradigm shift in network security.”

“Creating a better VPN requires more than just patching vulnerabilities or updating protocols. It demands a fundamental reimagining of how we approach network security in the digital age. This entails integrating advanced encryption algorithms, implementing stronger authentication mechanisms, and adopting a more proactive stance towards threat detection and mitigation,” Dulce wrote.