A critical vulnerability has been identified in Check Point Security Gateways that have Remote Access VPN enabled (including deployments that use the “Mobile Access” blade). Deployments in which Check Point Mobile Secure Workspace with Capsule is used are also affected.
The vulnerability allows a threat actor to enumerate the local accounts on the gateway and extract their password hashes. Its full impact is not yet known, but it is confirmed that the hashes of legacy local users with password-only authentication can be read, including those of service accounts the gateway uses to connect to Active Directory. Where such a password is weak, its hash can be cracked offline, allowing the account to be misused for lateral movement within the network.
Obrela has observed multiple instances of this vulnerability being actively exploited. It is especially critical because it can be exploited remotely with little effort, without user interaction and without any prior privileges or authentication on the gateway.
Affected Versions
No specific software versions are listed as affected: exposure depends on the enabled blades (Remote Access VPN / Mobile Access) rather than on the installed version. The fix is being delivered as a hotfix released after the vulnerability was announced.
Gateways that use only site-to-site IPsec VPN, with no Remote Access VPN enabled, are unaffected.
Recommendations
- Apply the vendor hotfix to all affected gateways immediately.
- Remove local user accounts from the gateway, in particular legacy accounts that authenticate with a password only.
- Rotate the credentials of the LDAP account(s) the gateway uses to connect to Active Directory, and treat any other account whose hash may have been exposed as compromised.
- Update the Check Point IPS signatures so that exploitation attempts are detected and logged.
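As an added illustration of the impact described above and of the remediation steps (this is example code written for this page, not Check Point's or Obrela's tooling), the following Python script triages a dump of local-account credentials the way a responder would once such a dump is known to have been exposed: it identifies legacy password-only accounts, runs a wordlist check against each hash to show which passwords are weak enough to be recovered offline, and orders the accounts for rotation or removal, with already-cracked accounts such as the LDAP service account first. The dump, the wordlist and the hash format are constructed for the example; the page does not state the format in which the gateway stores hashes, so PBKDF2-HMAC-SHA256 records of the form `$pbkdf2-sha256$<iterations>$<salt>$<hex>` are used as a stand-in.

```python
import hashlib
import hmac

# Hash record format used by this example (an assumption: the page does not
# state the gateway's real format): "$pbkdf2-sha256$<iterations>$<salt>$<hex>"
ITERATIONS = 2000


def pbkdf2_hex(password: str, salt: str, iterations: int = ITERATIONS) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


def make_record(password: str, salt: str, iterations: int = ITERATIONS) -> str:
    """Build a hash record in the assumed format (used only to construct sample data)."""
    return f"$pbkdf2-sha256${iterations}${salt}${pbkdf2_hex(password, salt, iterations)}"


def verify(record: str, guess: str) -> bool:
    """Recompute the hash for a guess and compare it to the stored digest in constant time."""
    _, scheme, iterations, salt, digest = record.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    return hmac.compare_digest(pbkdf2_hex(guess, salt, int(iterations)), digest)


# Constructed sample dump (not real gateway data). One account per line:
# <account>:<auth>:<hash>, where auth is "password" (legacy password-only
# user), "certificate" (no password hash stored) or "locked".
SAMPLE_DUMP = "\n".join([
    "admin:password:" + make_record("Summer2023!", "k3Jd"),
    "svc_ldap:password:" + make_record("ldapbind", "Qw9z"),
    "auditor:password:" + make_record("c7#Vt!pR2m-Lq", "x1Yp"),
    "vpnuser1:certificate:*",
    "oldops:locked:!",
])

# Tiny constructed wordlist standing in for the large lists used in a real offline attack.
WORDLIST = ["password", "123456", "ldapbind", "Summer2023!", "checkpoint", "admin"]


def parse_dump(text: str) -> dict:
    accounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, auth, record = line.split(":", 2)
        accounts[name] = {"auth": auth, "record": record}
    return accounts


def triage(dump_text: str, wordlist: list) -> dict:
    """Return {account: {"auth": ..., "cracked": password or None}} for every account in the dump."""
    results = {}
    for name, info in parse_dump(dump_text).items():
        cracked = None
        if info["auth"] == "password":  # only password-only accounts carry a crackable hash
            for guess in wordlist:
                if verify(info["record"], guess):
                    cracked = guess
                    break
        results[name] = {"auth": info["auth"], "cracked": cracked}
    return results


def rotation_order(results: dict) -> list:
    """Password-only accounts to rotate or remove, already-cracked ones first."""
    password_only = [n for n, r in results.items() if r["auth"] == "password"]
    return sorted(password_only, key=lambda n: results[n]["cracked"] is None)


if __name__ == "__main__":
    res = triage(SAMPLE_DUMP, WORDLIST)
    for name in rotation_order(res):
        state = f"cracked as {res[name]['cracked']!r}" if res[name]["cracked"] else "not in wordlist"
        print(f"{name:10s} {state}")
```

Running the script lists `admin` and `svc_ldap` as cracked and `auditor` as surviving the wordlist; the LDAP service account is exactly the kind of credential the rotation recommendation targets, and an account that survives a wordlist should still be rotated if its hash was exposed, since the list above is deliberately tiny.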