CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild


Fortinet patched a zero-day authentication bypass vulnerability in FortiOS and FortiProxy that has been actively exploited in the wild since November 2024.

Background

On January 14, Fortinet released a security advisory (FG-IR-24-535) addressing a critical severity vulnerability impacting FortiOS and FortiProxy.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2024-55591 | FortiOS and FortiProxy Authentication Bypass Vulnerability | 9.6 |

Analysis

CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a Node.js websocket module. Successful exploitation may grant an attacker super-admin privileges on a vulnerable device. According to the Fortinet advisory, this vulnerability has been exploited in the wild.

Zero Day Campaign May Have Been Active Since November

Researchers at Arctic Wolf published a blog post on January 10 detailing a campaign of suspicious activity, first observed in mid-November 2024, related to the exploitation of a zero-day vulnerability that is presumed to be CVE-2024-55591. Arctic Wolf Labs details four distinct phases of the campaign observed against Fortinet FortiGate firewall devices: scanning, reconnaissance, SSL VPN configuration and lateral movement. For more information on the observations of this campaign, we recommend reviewing its blog post.

At the time this blog was published, the Fortinet advisory did not credit Arctic Wolf with the discovery of CVE-2024-55591. However, the indicators of compromise (IoCs) listed in the Fortinet advisory overlap with the report from Arctic Wolf.

Historical exploitation of Fortinet FortiOS and FortiProxy

Fortinet FortiOS and FortiProxy have been targeted by threat actors previously, including targeting by advanced persistent threat (APT) actors. We’ve written about several noteworthy Fortinet flaws since 2019, including flaws impacting SSL VPNs from Fortinet and other vendors:

Proof of concept

At the time this blog post was published, there were no public proof-of-concept exploits for CVE-2024-55591.

Solution

Fortinet published its security advisory (FG-IR-24-535) on January 14 to address this vulnerability. The advisory also contains IoCs and workaround steps that can be utilized if immediate patching is not feasible. Fortinet has released the following patches for FortiOS and FortiProxy.

| Affected Product | Affected Version | Fixed Version |
| --- | --- | --- |
| FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.19 | Upgrade to 7.0.20 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
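For triaging an asset inventory against the table above, the following script (an added example, not code from Fortinet or Tenable) encodes the listed affected and fixed builds and flags hosts still inside an affected range. The inventory rows, hostnames and version strings are constructed, and branches the table does not mention are reported as not listed rather than assumed safe.

```python
from typing import Optional, Tuple

# (product, affected minor branch) -> first fixed build, from the table above.
FIXED_VERSIONS = {
    ("FortiOS", (7, 0)): (7, 0, 17),
    ("FortiProxy", (7, 0)): (7, 0, 20),
    ("FortiProxy", (7, 2)): (7, 2, 13),
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v7.0.12' or '7.0.12' into (7, 0, 12); reject anything else."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def assess(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return (status, remediation): 'vulnerable', 'fixed' or 'not-listed'.
    Branches the table does not cover are reported, not assumed safe."""
    major, minor, build = parse_version(version)
    fixed = FIXED_VERSIONS.get((product, (major, minor)))
    if fixed is None:
        return "not-listed", None
    if (major, minor, build) < fixed:
        return "vulnerable", f"upgrade to {'.'.join(map(str, fixed))} or above"
    return "fixed", None

def triage(inventory):
    """Return (host, product, version, remediation) for every inventory row
    whose version falls inside an affected range."""
    hits = []
    for host, product, version in inventory:
        status, remediation = assess(product, version)
        if status == "vulnerable":
            hits.append((host, product, version, remediation))
    return hits

# Constructed inventory export; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.16"),
    ("fw-edge-02", "FortiOS", "7.0.17"),
    ("proxy-01", "FortiProxy", "v7.2.12"),
    ("proxy-02", "FortiProxy", "7.2.13"),
    ("fw-lab-01", "FortiOS", "7.4.3"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row)
```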

Fortinet also released several additional security advisories on January 14 for vulnerabilities affecting FortiOS and FortiProxy:

| Affected Product(s) | Vulnerability Description | Security Advisory | CVSSv3/Severity |
| --- | --- | --- | --- |
| FortiOS, FortiProxy, FortiMail, FortiSwitch, FortiVoiceEnterprise, FortiNDR, FortiWLC, FortiADC, FortiAuthenticator, FortiRecorder, FortiDDoS-F, FortiDDoS, FortiSOAR and FortiTester | An externally controlled reference to a resource may allow an unauthenticated attacker to poison web caches between an affected device and an attacker using crafted HTTP requests. | FG-IR-23-494 | 4.1 / Medium |
| FortiAnalyzer, FortiAnalyzer Cloud, FortiAuthenticator, FortiManager, FortiManager Cloud, FortiOS, FortiProxy, FortiSASE | An unauthenticated attacker with access to the Security Fabric protocol may be able to brute force an affected product to bypass authentication. | FG-IR-24-221 | 8.0 / High |
| FortiOS | An authenticated, remote attacker may be able to prevent access to the GUI using specially crafted requests, causing a denial of service (DoS) condition. | FG-IR-24-250 | 4.8 / Medium |
| FortiOS | An authenticated attacker may be able to cause a DoS condition due to a NULL pointer dereference vulnerability in the SSLVPN web portal. | FG-IR-23-473 | 6.2 / Medium |
| FortiManager, FortiOS, FortiProxy, FortiRecorder, FortiSASE, FortiVoice and FortiWeb | A path traversal vulnerability may be exploited by a remote attacker with access to the Security Fabric interface, allowing the attacker to access and modify arbitrary files. | FG-IR-24-259 | 7.1 / High |
| FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds write vulnerability to cause a DoS condition. | FG-IR-24-373 | 3.5 / Low |
| FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds read vulnerability to cause a DoS condition. | FG-IR-24-266 | 7.5 / High |
| FortiOS | An authenticated attacker with low privileges may be able to cause a DoS condition due to two NULL pointer dereference vulnerabilities. | FG-IR-23-293 | 6.4 / Medium |
| FortiOS | An unauthenticated attacker may be able to exploit a resource allocation vulnerability to cause a DoS condition using multiple large file uploads. | FG-IR-24-219 | 7.1 / High |
| FortiOS | An authenticated attacker may be able to exploit an integer overflow vulnerability to cause a DoS condition. | FG-IR-24-267 | 3.2 / Low |
| FortiOS | An authenticated attacker may be able to exploit an improper access control vulnerability. | FG-IR-23-407 | 4.7 / Medium |
| FortiOS, FortiProxy and FortiSASE | An unauthenticated attacker may be able to exploit an HTTP response splitting vulnerability in FortiOS, FortiProxy and FortiSASE. | FG-IR-24-282 | 6.4 / Medium |
| FortiOS | An unauthenticated attacker may be able to exploit a man-in-the-middle vulnerability to intercept sensitive information. | FG-IR-24-326 | 3.5 / Low |

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-55591 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing Fortinet assets.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
