Check Point Software Technologies has identified a vulnerability that impacted “a small number of customers” on VPN remote access networks and subsequently issued a fix.
According to a May 28 Check Point blog, the vulnerability potentially allows an attacker to read certain information on internet-connected gateways with remote access VPN or mobile access enabled.
“The attempts we’ve seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication,” Check Point wrote. “Within a few hours of this development, Check Point released an easy to implement solution that prevents attempts to exploit this vulnerability. To stay secure, customers should follow these instructions to deploy the provided solution.”
Check Point said it is working with affected customers to remediate the situation, adding that its network is not affected by the vulnerability.
“We have recently witnessed compromised VPN solutions, including various cybersecurity vendors,” Check Point said. “In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers. By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.”
Bleeping Computer reported that remote access is integrated into all Check Point network firewalls. It can be configured as a client-to-site VPN for access to corporate networks via VPN clients or set up as an SSL VPN Portal for web-based access.
Attackers Targeting Security Gateways
Check Point reported that attackers are targeting security gateways with old local accounts that use insecure password-only authentication. Such accounts should be paired with certificate authentication to prevent breaches.
“We have assembled special teams of Incident Response, Research, Technical Services and Products professionals which thoroughly explored those and any other potential related attempts,” Check Point said. “Relying on these customers’ notifications and Check Point’s analysis, the teams found within 24 hours a few potential customers which were subject to similar attempts.”
Check Point asserted that password-only authentication is an unfavorable method for ensuring the highest levels of security. The company recommends not relying on it when logging in to network infrastructure.
Check Point’s Recommendations to Customers
Check Point encouraged customers to enhance their VPN security posture with the following steps:
- Check if you have local accounts, if they were used and by whom.
- If you don’t use them, it’s best to disable them.
- If you have local accounts which you want to use and are password-only authenticated, add another layer of authentication (like certificates) to increase your environment’s IT security.
- Deploy the solution on security gateways if you are a Check Point customer. This will automatically prevent unauthorized access to your VPNs by local accounts with password-only authentication method.
Check Point also released a Security Gateway hotfix that blocks all local accounts from authenticating with a password. Once it is installed, local accounts with weak password-only authentication will be prevented from logging into the Remote Access VPN.