CVE-2024-24914
📋 TL;DR
Authenticated users on Check Point Gaia systems can inject code or commands through global variables via HTTP requests. This vulnerability affects Check Point security gateways and management servers running vulnerable Gaia versions. Attackers with valid credentials can potentially execute arbitrary code.
💻 Affected Systems
- Check Point Security Gateway
- Check Point Security Management Server
📦 What is this software?
Gaia OS by Check Point
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to data exfiltration, lateral movement within the network, and persistent backdoor installation.
Likely Case
Privilege escalation leading to unauthorized administrative access and configuration changes.
If Mitigated
Limited impact due to network segmentation and strict access controls limiting authenticated user access.
🎯 Exploit Status
Requires authenticated access but exploitation appears straightforward based on the CWE-914 (Improper Control of Dynamically-Identified Variables) classification.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R81.20.20, R81.10.30, R81.10.20, R81.10.10, R81.10, R81, R80.40.40, R80.40.30, R80.40.20, R80.40.10, R80.40, R80.30.40, R80.30.30, R80.30.20, R80.30.10, R80.30, R80.20.40, R80.20.30, R80.20.20, R80.20.10, R80.20
Vendor Advisory: https://support.checkpoint.com/results/sk/sk182743
Restart Required: Yes
Instructions:
1. Log into the Check Point support center.
2. Download the relevant hotfix for your Gaia version.
3. Install the hotfix via the Gaia web interface or CLI.
4. Reboot the system as required.
🔧 Temporary Workarounds
Restrict Gaia Web Interface Access
Limit access to the Gaia web interface to trusted IP addresses only
Configure firewall rules to restrict access to Gaia management ports (TCP 443, TCP 80)
Disable Unnecessary Gaia Services
Disable the Gaia web interface if it is not required for operations
Expert mode: cpstop httpsd
Expert mode: cpstop httpd
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Gaia management interfaces
- Enforce strong authentication policies and monitor for suspicious authenticated user activity
🔍 How to Verify
Check if Vulnerable:
Check the Gaia version via CLI: 'show version all' and compare the result against the affected versions list
Check Version:
show version all
Verify Fix Applied:
Verify hotfix installation: 'cpinfo -y all' and check the output for the hotfix ID given in the vendor advisory
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to Gaia web interface with parameter manipulation
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unusual outbound connections from Gaia management interfaces
- HTTP requests with suspicious parameter values
SIEM Query:
source="gaia_web_logs" AND (url="*global*" OR params="*variable*")
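An added example, not part of this advisory or of any Check Point tooling, that applies the log indicators above to constructed sample lines: it flags requests matching the SIEM query's "global"/"variable" patterns and correlates repeated failed logins followed by a success from the same source address. The log line format and the /cgi-bin paths are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed Gaia web-interface access log format
# (timestamp, source IP, user, HTTP status, request). Not real Gaia output.
SAMPLE_LOGS = """\
2024-02-01T10:00:01 src=203.0.113.5 user=admin status=401 req=/cgi-bin/login
2024-02-01T10:00:03 src=203.0.113.5 user=admin status=401 req=/cgi-bin/login
2024-02-01T10:00:05 src=203.0.113.5 user=admin status=401 req=/cgi-bin/login
2024-02-01T10:00:09 src=203.0.113.5 user=admin status=200 req=/cgi-bin/login
2024-02-01T10:00:12 src=203.0.113.5 user=admin status=200 req=/cgi-bin/home?global_var=x
2024-02-01T10:05:00 src=198.51.100.7 user=ops status=200 req=/cgi-bin/home
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>\d+) req=(?P<req>\S+)"
)
# The advisory's own SIEM indicators: URL or parameters mentioning "global" or "variable".
PARAM_RE = re.compile(r"global|variable", re.IGNORECASE)


def parse(lines):
    """Parse the assumed log format into dicts with typed timestamp and status."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["status"] = int(d["status"])
            events.append(d)
    return events


def suspicious_requests(events):
    """Requests whose path or query carries the parameter-manipulation indicators."""
    return [e for e in events if PARAM_RE.search(e["req"])]


def brute_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Source IPs with >= min_failures 401s on the login endpoint followed by a 200 within window."""
    hits, failures = [], defaultdict(list)
    for e in events:
        if not e["req"].startswith("/cgi-bin/login"):
            continue
        if e["status"] == 401:
            failures[e["src"]].append(e["ts"])
        elif e["status"] == 200:
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                hits.append((e["src"], e["user"], len(recent)))
            failures[e["src"]].clear()
    return hits
```

Both detections together reproduce the "failed attempts followed by success" and "suspicious parameter values" indicators; tune the thresholds to the normal login failure rate on your management network.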