How to find Check Point devices


Latest Check Point Software vulnerabilities

On May 28, 2024, Check Point disclosed a serious vulnerability in Check Point Security Gateway Devices with certain remote access software blades (security modules) enabled. Per their guidance, devices are impacted if one of the following conditions are met:

  • The IPsec VPN Blade is enabled, but ONLY when included in the Remote Access VPN community.
  • The Mobile Access Software Blade is enabled.

The issue, identified as CVE-2024-24919, allows reading arbitrary files on the targeted appliance by unauthenticated remote attackers. This vulnerability could be leveraged to read sensitive files such as those containing password hashes, certificates, and ssh keys.

This vulnerability has a CVSS score of 8.6 out of 10, indicating that this is a high risk vulnerability. According to their disclosure and information provided by CISA this vulnerability is being actively exploited. A report from states that they have observed attacks at least as far back as April 30, 2024.

What is the impact? #

Upon successful exploitation of the vulnerability, unauthenticated remote attackers could access password hashes for local users. If the hashes are cracked the attacker may be able to log into these user accounts if secondary controls, such as MFA, are not enforced. This includes service accounts that may be used to access Active Directory or other services. Attackers could leverage this information to move across a target's network. 

Are updates or workarounds available? #

Check Point has released a software updates to address this vulnerability. They also provide guidance for other measures that should be taken after the vulnerability has been addressed. These can be found in their advisory.

How do I find potentially vulnerable Check Point devices with runZero? #

From the Asset Inventory, use the following query to locate assets that may be running the vulnerable operating system in your network:

hardware:"Check Point" AND (_service.last.http.body:"Check Point Mobile" OR _service.http.body:"Check Point Mobile" OR udp_port:500)

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception techonology. A strong believer in Open Source he has contributed to projects such as Nmap, Metasploit, and Recog.

More about Tom Sellers
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Rapid Response
How to find PKIX-SSH services on your network
A fork of OpenSSH called PKIX-SSH was impacted by the recently discovered regreSSHion vulnerability. Here's how to find impacted services on your...
Rapid Response
How to find Westermo devices on your network
Westermo has disclosed several vulnerabilities regarding their Lynx Industrial Ethernet switches. Here's how to find them on your network.
Rapid Response
How to find Kaspersky products with runZero
The US government has banned the sale of Kaspersky products and services. Here's how to find Kaspersky products in your network.
Rapid Response
How to find Microsoft Message Queuing (MSMQ) servers on your network
A new pre-auth use-after-free vulnerability in the Microsoft Message Queuing (MSMQ) service is rated critical. Find impacted systems now with runZero.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved