Security rearchers discover old critical flaw still active in Check Point Security Gateways

An old but still active critical security vulnerability has been discovered in Check Point Security Gateways that enables unauthenticated attackers to achieve remote code execution (RCE). The discovery occurred during internal testing of another vulnerability (CVE-2024-24919) on Check Point Gaia R81.10 T335.

The main vulnerabilities identified include:

• CVE-2021-40438 (CVSS score 9): A Server-Side Request Forgery (SSRF) vulnerability in Apache's mod_proxy module that allows attackers to redirect server requests to unintended destinations. While Check Point addressed this by updating Apache in early 2022, many systems remain vulnerable due to uninstalled updates or use of end-of-life versions.
• CVE-2024-24919 (CVSS score 8.6): An Arbitrary File Read vulnerability that was being tested when the researchers discovered the outdated Apache HTTP Server installation.

The researchers found that by exploiting CVE-2021-40438, they could interact with UNIX sockets in the /tmp directory, which are responsible for gateway configuration. Through extensive testing and analysis, they identified two critical attack vectors:

1. Configuration Dump: By interacting with the /tmp/xdumps socket, attackers could extract the entire gateway configuration, including sensitive information such as user accounts and password hashes.
2. Remote Code Execution: Through the /tmp/xsets socket, attackers could modify the gateway configuration, ultimately allowing them to change the admin password and take complete control of the gateway.

The attack methodology involved carefully crafted payloads to bypass socket processing restrictions and exploit inter-process communication weaknesses. The researchers developed a technique to force the service to process valid messages despite interference from HTTP headers and body content introduced by the SSRF vulnerability.

Number of affected systems is not not disclosed

Check Point has released software updates to address these vulnerabilities. Organizations are strongly advised to implement these updates promptly to protect their systems. Systems running end-of-life versions or those with uninstalled updates remain at risk of exploitation.