CVE-2024-24915
📋 TL;DR
CVE-2024-24915 is a memory disclosure vulnerability in Check Point SmartConsole where credentials remain in memory after use. Administrators can dump process memory to extract these credentials. This affects systems running vulnerable versions of Check Point security management software.
💻 Affected Systems
- Check Point SmartConsole
📦 What is this software?
Smartconsole by Checkpoint
⚠️ Risk & Real-World Impact
Worst Case
Administrator credentials are extracted from memory, leading to complete compromise of the security management system and potentially the entire protected network infrastructure.
Likely Case
Privileged credentials are exposed, enabling lateral movement within the security management environment and potential bypass of security controls.
If Mitigated
With proper access controls and monitoring, credential exposure is limited to authorized administrators, reducing but not eliminating the risk of misuse.
🎯 Exploit Status
Requires administrator access to the SmartConsole host and knowledge of memory analysis tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Point Security Gateway R81.20.40, R81.10.40, R81.40, R80.40.40
Vendor Advisory: https://support.checkpoint.com/results/sk/sk183545
Restart Required: Yes
Instructions:
1. Download the appropriate hotfix from Check Point Support Center.
2. Install the hotfix on the Security Management Server.
3. Restart the SmartConsole service or reboot the server.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit SmartConsole access to only trusted administrators who require it for their duties.
Monitor Memory Dumping Activities
Implement monitoring for process memory dumping tools and activities on SmartConsole hosts.
🧯 If You Can't Patch
- Implement strict access controls to limit who can access SmartConsole hosts.
- Deploy endpoint detection and response (EDR) solutions to monitor for memory dumping activities.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Check Point Security Management against the affected versions list.
Check Version:
fw ver
Verify Fix Applied:
Verify that the hotfix version is installed and the SmartConsole service has been restarted.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation events for memory dumping tools (procdump, gdb, etc.)
- Multiple failed authentication attempts followed by successful SmartConsole access
Network Indicators:
- Unusual outbound connections from SmartConsole hosts to unknown destinations
SIEM Query:
Process creation where (Image contains 'procdump' OR Image contains 'gdb') AND ParentImage contains 'SmartConsole'
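The SIEM query above, written out as detection logic over process-creation events. This is an added example, not code from this page or from Check Point. It goes one step beyond the query by also flagging a dump tool whose command line names SmartConsole, which is an assumption about how your telemetry looks. The sample events, hosts, users and paths are constructed.

```python
# Dump-tool names are the ones listed in the page's log indicators.
DUMP_TOOLS = ("procdump", "gdb")
TARGET = "smartconsole"

# Constructed process-creation events using Sysmon Event ID 1 field names.
# Hosts, users and paths are invented for the example.
SAMPLE_EVENTS = [
    {"Host": "mgmt-ws1", "User": "alice", "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe [options elided] SmartConsole.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Host": "mgmt-ws1", "User": "bob", "Image": r"C:\Tools\gdb.exe",
     "CommandLine": "gdb.exe [options elided]",
     "ParentImage": r"C:\Apps\SmartConsole\SmartConsole.exe"},
    {"Host": "dev-ws7", "User": "carol", "Image": r"C:\msys64\usr\bin\gdb.exe",
     "CommandLine": "gdb.exe ./unit_tests",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Host": "mgmt-ws1", "User": "alice",
     "Image": r"C:\Apps\SmartConsole\SmartConsole.exe",
     "CommandLine": "SmartConsole.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

def basename(path):
    """File name only, lower-cased, so a directory called 'gdb' cannot match."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return a reason string if the event warrants an alert, else None."""
    image = basename(event.get("Image", ""))
    if not any(tool in image for tool in DUMP_TOOLS):
        return None
    # Rule 1: the page's query (dump tool whose parent is SmartConsole).
    if TARGET in event.get("ParentImage", "").lower():
        return "dump tool spawned by SmartConsole"
    # Rule 2 (added assumption): dump tool names SmartConsole as its target.
    if TARGET in event.get("CommandLine", "").lower():
        return "dump tool names SmartConsole as target"
    return None

def alerts(events):
    """(host, user, reason) for every event that matches a rule."""
    return [(e["Host"], e["User"], reason) for e in events if (reason := classify(e))]

if __name__ == "__main__":
    for host, user, reason in alerts(SAMPLE_EVENTS):
        print(f"ALERT host={host} user={user} reason={reason}")
```

A dump tool that attaches by process ID from an unrelated parent matches neither rule, so process-access telemetry (for example Sysmon Event ID 10) is needed to cover that case.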