Published:2024/07/23  Last Updated:2024/10/15

JVNVU#98330908
Multiple products from Check Point Software Technologies vulnerable to information disclosure

Overview

Multiple products from Check Point Software Technologies contain an information disclosure vulnerability.

Products Affected

  • CloudGuard Network
  • Quantum Maestro
  • Quantum Scalable Chassis
  • Quantum Security Gateways
  • Quantum Spark Appliances
Note that, those products are affected only when configured as the following.

CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Spark Appliances
  • IPSec VPN Software Blade is enabled, and the Security Gateway is added to a Remote Access VPN community
or
  • Mobile Access Software Blade is enabled
When using Quantum Spark Appliance with local management
  • Remote Access feature is enabled

For more details, refer to the information provided by the developer.

Description

Multiple products from Check Point Software Technologies contain an information disclosure vulnerability (CWE-200, CVE-2024-24919).

Impact

A remote attacker may obtain sensitive information stored in the product without authentication.

Solution

Apply the Hotfix
Apply the appropriate hotfix according to the information provided by the developer.

Apply the workarounds
The developer recommends applying workarounds in addition to applying the hotfix.

For more details, refer to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
Yamaha Corporation Vulnerable 2024/10/15 Yamaha Corporation website
Vendor Link
Check Point Software Technologies sk182336 | Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure
sk182357 | Preventative Hotfix for CVE-2024-24919 - Quantum Spark Gateways
CPAI-2024-0353 | Check Point VPN Information Disclosure (CVE-2024-24919)

References

  1. JPCERT/CC CyberNewsFlash 2024-05-30
    Regarding Check Point Software Technologies VPN Information Disclosure vulnerability (CVE-2024-24919) (Text in Japanese)

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Base Score: 8.6
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Credit

JPCERT/CC coordinated with Check Point Software Technologies to publish this advisory in order to notify users of this vulnerability.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia

Update History

2024/10/15
Yamaha Corporation update status
2024/10/15
Yamaha Corporation update status