LetsDefend: SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919]

🛡️ Security Incident Report: CVE-2024-24919 Exploitation Attempt
Date: June 6, 2024
Time: 03:12 PM
Event ID: 263
Rule Triggered: SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919]
Analyst Level: Security Analyst
Incident Severity: High
Escalation Status: Escalated to Level 2

⸻

🔍 Summary

At approximately 03:12 PM on June 6, 2024, an alert was triggered on CP-Spark-Gateway-01 indicating potential exploitation of CVE-2024-24919, a zero-day arbitrary file read vulnerability in Check Point Security Gateways.

⚠️ Threat Details
• Source IP Address: 203.160.68.12
• Reputation: Malicious — flagged by multiple threat intelligence vendors including VirusTotal.
• Associated with known exploit activity and high-risk behavior patterns.
• Destination IP Address: 172.16.20.146 (Internal asset - CP-Spark-Gateway-01)
• HTTP Method: POST
• Requested URL: http://172.16.20.146/clients/MyCRL
• Payload: aCSHELL/../../../../../../../../../../etc/passwd
• User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
• HTTP Response Code: 200 OK
• Indicates successful execution of the payload and retrieval of the /etc/passwd file — confirming unauthorized file read.

🛡️ Security Response Actions
• ✅ Endpoint Contained:
• The affected host CP-Spark-Gateway-01 has been isolated from the network to prevent further compromise and lateral movement.
• ✅ Indicators of Compromise (IoCs) Logged and Shared:
• Source IP: 203.160.68.12
• URL Pattern: /clients/MyCRL with traversal strings
• Payload Signature: Path traversal targeting /etc/passwd
• User-Agent Pattern: Consistent with other exploitation attempts of CVE-2024-24919
• ✅ Incident Escalation:
• Case has been escalated to Level 2 SOC Analysts for deep-dive analysis, log correlation, and potential threat actor attribution.

⸻

🔄 Next Steps
1. Level 2 Review — In-depth analysis of gateway logs and correlated traffic.
2. Patch Validation — Verify if vendor patches for CVE-2024-24919 have been applied; expedite where necessary.
3. Forensic Snapshot — Take system image of CP-Spark-Gateway-01 before remediation.
4. Network Sweep — Search for similar payloads or source IP activity across the environment.
5. Update Firewall/IPS Signatures — Block listed source and tighten payload pattern rules.