Vulnerability Management

Check Point VPN Vulnerability Hit Via Remote Access

Credit: Adobe Stock Images

Check Point Software Technologies has identified a vulnerability that impacted “a small number of customers” on VPN remote access networks and subsequently issued a fix.

According to a May 28 Check Point blog, the vulnerability potentially allows an attacker to read certain information on internet-connected gateways with remote access VPN or mobile access enabled.

“The attempts we’ve seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication,” Check Point wrote. “Within a few hours of this development, Check Point released an easy to implement solution that prevents attempts to exploit this vulnerability. To stay secure, customers should follow these instructions to deploy the provided solution.”

Check Point said it is working with affected customers to remediate the situation, adding that its network is not affected by the vulnerability.

"We have recently witnessed compromised VPN solutions, including various cybersecurity vendors. Check Point said. “In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point's customers. By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.”

Bleeping Computer reported that remote access is integrated into all Check Point network firewalls. It can be configured as a client-to-site VPN for access to corporate networks via VPN clients or set up as an SSL VPN Portal for web-based access.

Attackers Targeting Security Gateways

Check Point reported that attackers are targeting security gateways with old local accounts using insecure password-only authentication, which should be used with certificate authentication to prevent breaches.

“We have assembled special teams of Incident Response, Research, Technical Services and Products professionals which thoroughly explored those and any other potential related attempts,” Check Point said. “Relying on these customers notifications and Check Point’s analysis, the teams found within 24 hours a few potential customers which were subject to similar attempts.

Check Point asserted that password-only authentication is considered an unfavorable method to ensure the highest levels of security. The company recommends not to rely on this when logging-in to network infrastructure.

Check Point’s Recommendations to Customers

Check Point encouraged customers to enhance their VPN security posture by:

  • Check if you have local accounts, if they were used and by whom.
  • If you don’t use them, it’s best to disable them.
  • If you have local accounts which you want to use and are password-only authenticated, add another layer of authentication (like certificates) to increase your environments IT security.
  • Deploy the solution on security gateways if you are a Check Point customer. This will automatically prevent unauthorized access to your VPNs by local accounts with password-only authentication method.

Check Point also released a Security Gateway hotfix. This maneuver will block all local accounts from authenticating with a password. Once installed, local accounts with weak password-only authentication will be prevented from logging into the Remote Access VPN.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.