CVE-2024-24911
📋 TL;DR
This vulnerability causes the cpca process on Check Point Security Management/Domain Management Servers to crash unexpectedly in rare scenarios, creating core dump files. When cpca is down, VPN and SIC connectivity issues may occur if the CRL is not cached on Security Gateways. This affects organizations using Check Point's security management infrastructure.
💻 Affected Systems
- Check Point Security Management Server
- Check Point Domain Management Server
📦 What is this software?
Gaia OS by Check Point
⚠️ Risk & Real-World Impact
Worst Case
Extended VPN and SIC connectivity outages affecting remote access and site-to-site communications, potentially disrupting business operations until process restart.
Likely Case
Temporary VPN connectivity issues for users and intermittent SIC communication problems between management and gateways.
If Mitigated
Minimal impact with proper CRL caching on gateways and monitoring to restart cpca process quickly.
🎯 Exploit Status
This is a reliability/availability issue rather than a traditional security exploit. The crash occurs in rare scenarios and cannot be directly triggered by attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R81.20.20, R81.10.20, R81.20, R80.40.20, R80.30.20, R80.20.20
Vendor Advisory: https://support.checkpoint.com/results/sk/sk183101
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download the appropriate hotfix from Check Point support.
3. Install the hotfix via cpstop/cpstart.
4. Verify the cpca process is running normally.
🔧 Temporary Workarounds
Monitor and restart cpca process
Platform: linux
Implement monitoring to detect cpca process crashes and automatically restart it
cpstop; cpstart
ps aux | grep cpca
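One way to script the monitoring described above, as an added example (not Check Point code and not part of the original advisory). The state-file path, the `on_down` hook and the `cpca.*core` log pattern are assumptions, since the page names /var/log/messages but not the text of the crash message.

```shell
#!/bin/sh
# Added example, not Check Point code. The log pattern is an assumption: the
# page names /var/log/messages but not the exact text of the crash message.
LOG_FILE="${LOG_FILE:-/var/log/messages}"
STATE_FILE="${STATE_FILE:-/var/tmp/cpca_watch.offset}"   # hypothetical path

# True when a process named exactly "cpca" exists.
cpca_running() { pgrep -x cpca >/dev/null 2>&1; }

# Hook run when cpca is down. The default only raises a syslog alert; the
# page's workaround 'cpstop; cpstart' restarts every Check Point service,
# so replace this hook with it only after accepting that outage.
on_down() { logger -t cpca_watch "cpca is not running" 2>/dev/null || true; }

# Count cpca core dump lines appended to the log since the previous run.
new_core_dump_lines() {
    local total=0 last=0
    [ -r "$LOG_FILE" ] && total=$(( $(wc -l < "$LOG_FILE") ))
    [ -r "$STATE_FILE" ] && last=$(( $(cat "$STATE_FILE") ))
    [ "$total" -lt "$last" ] && last=0        # log shrank: it was rotated
    echo "$total" > "$STATE_FILE"
    tail -n "+$((last + 1))" "$LOG_FILE" 2>/dev/null | grep -ci 'cpca.*core' || true
}

# Print DOWN (process missing), CRASHED (running again, but new core dump
# lines were logged) or OK.
check_cpca() {
    local dumps
    dumps=$(new_core_dump_lines)
    if ! cpca_running; then
        on_down
        echo "DOWN"
    elif [ "$dumps" -gt 0 ]; then
        echo "CRASHED"
    else
        echo "OK"
    fi
}

# Run from cron as: cpca_watch.sh --run
if [ "${1:-}" = "--run" ]; then check_cpca; fi
```

The CRASHED state matters because a process that has already come back still leaves a window in which gateways without a cached CRL could not reach cpca.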
Ensure CRL caching on gateways
Platform: all
Configure Security Gateways to cache CRLs to maintain connectivity during cpca downtime
fw fetch crl
cplic print -x
🧯 If You Can't Patch
- Implement aggressive monitoring of cpca process with automated restart scripts
- Ensure all Security Gateways have current CRLs cached and configure longer CRL validity periods
🔍 How to Verify
Check if Vulnerable:
Check version with 'cpinfo -y all' and compare against affected versions. Monitor for cpca process crashes in /var/log/messages.
Check Version:
cpinfo -y all | grep -i version
Verify Fix Applied:
Verify installed version matches patched versions. Check that cpca process remains stable and no core dumps are generated.
📡 Detection & Monitoring
Log Indicators:
- cpca process core dumps in /var/log/messages
- VPN connection failures in VPN logs
- SIC communication errors
Network Indicators:
- Increased VPN connection timeouts
- SIC status changes on gateways
SIEM Query:
source="checkpoint" AND ((process="cpca" AND event="core dump") OR (event="vpn failure" AND reason="crl"))