Description
A critical vulnerability has been identified in the authentication mechanism of Fortinet’s FortiOS and FortiProxy software.
Affected Product(s)
- FortiProxy 7.0.0 through 7.0.19, 7.2.0 through 7.2.12 and FortiOS 7.0.0 through 7.0.16
Technical Details
The vulnerability identified as CVE-2024-55591 is a critical flaw that affects Fortinet’s FortiOS network operating system and FortiProxy software. The vulnerability has a CVSS v3 score of 9.8 and is categorized as critical, while the CVSS v2 score is 10.0, making it highly severe. The issue lies in the authentication mechanism of the affected systems, allowing an attacker to bypass authentication using an alternate path or channel. Specifically, the vulnerability is found in the Node.js websocket module within FortiOS version 7.0.0 through 7.0.16 and FortiProxy from version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. This module, when leveraged by a crafted request, enables remote attackers to gain super-admin privileges on the affected system.
The flaw is fundamentally an abuse of improper access control where the attackers send malicious requests that manipulate the websocket’s operations, ultimately leading to a successful bypass of authentication and elevation of privileges. The Fortinet products are widely used for unified threat management, incorporating a suite of security functions, including VPN, firewall, intrusion prevention, and more. The affected versions of these products are utilized in critical network infrastructures, hence the criticality of the vulnerability. FortiAnalyzer and FortiAP, although not directly impacted by the same WebSocket vulnerability, also exhibit various vulnerabilities in different versions which could potentially be leveraged in association with a compromised FortiGate system running FortiOS.
To exploit this vulnerability, an attacker first needs to identify an accessible Fortinet device running one of the affected versions. Tools and scripts for exploiting such vulnerabilities are increasingly shared in public and dark web forums, making it feasible for even moderately skilled threat actors to execute attacks. Active exploitation has been observed, indicating that threat actors are leveraging this flaw to gain illicit entry into systems and networks.
This vulnerability is highly dangerous because it grants the attacker super-admin privileges, giving them unrestricted access to configure, control, and view sensitive data within the Fortinet-managed devices. References provided include security bulletins and advisories from Fortinet’s PSIRT (Product Security Incident Response Team) emphasizing the significance of upgrading to patched system versions. These advisories outline that failure to address the vulnerability promptly could lead to severe breaches and compromise of organizational data and operations. Active defensive recommendations include applying the latest patches, as issued by Fortinet, which effectively mitigate the vulnerability by addressing the authentication flaw in the Node.js websocket module.
Weakness
The vulnerability is tied to an authentication bypass using an alternate path or channel, categorized under CWE-288. This weakness emerges when the system allows alternate methods to bypass normal authentication procedures without proper verification, leading to unauthorized access and control.
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain super-admin privileges on the affected system, leading to unauthorized access to sensitive data, configuration manipulation, the execution of arbitrary commands, and widespread control over the network and devices managed by the compromised Fortinet systems.
Active Exploitation
We have observed activity from several adversary groups actively exploiting this vulnerability in the wild. Multiple groups have been noted targeting similar vulnerabilities historically, and recent intelligence confirms ongoing attacks particularly due to the availability of easily accessible exploit tools and scripts targeting CVE-2024-55591.
Ransomware Association
The vulnerability has been linked to ransomware attacks, specifically advanced variants aiming to gain initial access through the exploited Fortinet systems. Post-privilege escalation, these ransomware actors deploy their payloads to encrypt data and demand ransom from affected organizations.
Mitigation and Resolution
Fortinet has released patches that address this vulnerability. Users are strongly recommended to update to the following versions immediately to secure their systems: – FortiOS update to version 7.0.17 or later – FortiProxy update to version 7.2.14 or later Ensuring all FortiOS and FortiProxy deployed systems are patched is crucial to mitigating this severe security risk.
Recommendations
- Apply the latest patch provided by Fortinet to address the vulnerability immediately.
- Ensure all systems running affected versions of FortiOS and FortiProxy are updated.
- Regularly review and monitor system logs for any unusual activity indicating potential exploitation.
- Restrict network access to critical devices and management interfaces.
- Implement multi-factor authentication on all administrative interfaces to further secure access.
- Conduct a thorough security review and assessment to ensure there are no already compromised elements in your network.
- Consider subscribing to Fortinet’s threat intelligence updates to stay informed about new vulnerabilities and patches.
References
- FortiGuard Security Advisories 1
- FortiGuard Security Advisories 2
- Cert-HK Security Bulletin
- Cert Advisories
- Zero Day Database
- CVE MITRE Details
- NVD Database