DEV Community

Sean Lee
Sean Lee

Posted on

LetsDefend: SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919]

πŸ›‘οΈ Security Incident Report: CVE-2024-24919 Exploitation Attempt
Date: June 6, 2024
Time: 03:12 PM
Event ID: 263
Rule Triggered: SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919]
Analyst Level: Security Analyst
Incident Severity: High
Escalation Status: Escalated to Level 2

βΈ»

πŸ” Summary

At approximately 03:12 PM on June 6, 2024, an alert was triggered on CP-Spark-Gateway-01 indicating potential exploitation of CVE-2024-24919, a zero-day arbitrary file read vulnerability in Check Point Security Gateways.

⚠️ Threat Details
β€’ Source IP Address: 203.160.68.12
β€’ Reputation: Malicious β€” flagged by multiple threat intelligence vendors including VirusTotal.
β€’ Associated with known exploit activity and high-risk behavior patterns.
β€’ Destination IP Address: 172.16.20.146 (Internal asset - CP-Spark-Gateway-01)
β€’ HTTP Method: POST
β€’ Requested URL: http://172.16.20.146/clients/MyCRL
β€’ Payload: aCSHELL/../../../../../../../../../../etc/passwd
β€’ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
β€’ HTTP Response Code: 200 OK
β€’ Indicates successful execution of the payload and retrieval of the /etc/passwd file β€” confirming unauthorized file read.

πŸ›‘οΈ Security Response Actions
β€’ βœ… Endpoint Contained:
β€’ The affected host CP-Spark-Gateway-01 has been isolated from the network to prevent further compromise and lateral movement.
β€’ βœ… Indicators of Compromise (IoCs) Logged and Shared:
β€’ Source IP: 203.160.68.12
β€’ URL Pattern: /clients/MyCRL with traversal strings
β€’ Payload Signature: Path traversal targeting /etc/passwd
β€’ User-Agent Pattern: Consistent with other exploitation attempts of CVE-2024-24919
β€’ βœ… Incident Escalation:
β€’ Case has been escalated to Level 2 SOC Analysts for deep-dive analysis, log correlation, and potential threat actor attribution.

βΈ»

πŸ”„ Next Steps
1. Level 2 Review β€” In-depth analysis of gateway logs and correlated traffic.
2. Patch Validation β€” Verify if vendor patches for CVE-2024-24919 have been applied; expedite where necessary.
3. Forensic Snapshot β€” Take system image of CP-Spark-Gateway-01 before remediation.
4. Network Sweep β€” Search for similar payloads or source IP activity across the environment.
5. Update Firewall/IPS Signatures β€” Block listed source and tighten payload pattern rules.

Top comments (0)