Threat Insight
Critical Authentication Bypass Vulnerability in FortiOS and FortiProxy
FortiNet has disclosed an Authentication Bypass Using an Alternate Path or Channel vulnerability affecting FortiOS and FortiProxy which may allow a remote, unauthenticated attacker to gain super-admin privileges via crafted requests to Node.js websocket module. This vulnerability is currently being exploited in the wild according to Fortinet.
Threat actors that has exploited this has been observed creating new admin accounts with a random generated username, then creating a local user account, also with a random generated username. Then creating a sslvpn user group or adding the local user to an already existing sslvpn user group, then using sslvpn to get a tunnel to the internal network. Changes to firewall settings has also been observed.
CVE
CVE-2024-55591
Affected Products
FortiOS 7.0.0 through 7.0.16
FortiProxy 7.0.0 through 7.0.19
FortiProxy 7.2.0 through 7.2.12
Exploitation
Currently exploited in the wild[1].
CISA has added CVE-2024-55591 to its Known Exploited Vulnerabilities Catalog[2].
Recommended Actions
Upgrade FortiOS 7.0 through 7.0.16 to 7.0.17 or above, upgrade FortiProxy 7.0.0 through 7.0.19 to 7.0.20 or above, lastly upgrade FortiProxy 7.2.0 through 7.2.12 to 7.2.13 or above.
There is also a workaround published by Fortinet[1]. If you need assistance configuring this workaround, please contact FortiNet customer support:
Disable HTTP/HTTPS administrative interface
OR
Limit IP addresses that can reach the administrative interface via local-in policies:
config firewall address
edit “my_allowed_addresses”
set subnet
end
Then create an Address Group:
config firewall addrgrp
edit “MGMT_IPs”
set member “my_allowed_addresses”
end
Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):
config firewall local-in-policy
edit 1
set intf port1
set srcaddr “MGMT_IPs”
set dstaddr “all”
set action accept
set service HTTPS HTTP
set schedule “always”
set status enable
next
edit 2
set intf “all”
set srcaddr “all”
set dstaddr “all”
set action deny
set service HTTPS HTTP
set schedule “always”
set status enable
end
If using non default ports, create appropriate service object for GUI administrative access:
config firewall service custom
edit GUI_HTTPS
set tcp-portrange 443
next
edit GUI_HTTP
set tcp-portrange 80
end
Use these objects instead of “HTTPS HTTP “in the local-in policy 1 and 2 below.
Please note that the trusthost feature achieves the same as the local-in policies above only if all GUI users are configured with it. Therefore, the local-in policies above are the preferred workaround.
Detection
The following log entries are possible IOC’s[1]:
Following login activity log with random scrip and dstip:
type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Admin login successful” sn=”1733486785″ user=”admin” ui=”jsconsole” method=”jsconsole” srcip=1.1.1.1 dstip=1.1.1.1 action=”login” status=”success” reason=”none” profile=”super_admin” msg=”Administrator admin logged in successfully from jsconsole”
Following admin creation log with seemingly randomly generated user name and source IP:
type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Object attribute configured” user=”admin” ui=”jsconsole(127.0.0.1)” action=”Add” cfgtid=1411317760 cfgpath=”system.admin” cfgobj=”vOcep” cfgattr=”password[*]accprofile[super_admin]vdom[root]” msg=”Add system.admin vOcep”
Observed Threat Actor IP addresses [1]:
45[.]55.158.47 [most used IP address]
87[.]249.138.47
155[.]133.4.175
37[.]19.196.65
149[.]22.94.37
The operations performed by the Threat Actor (TA) in the cases we observed were part or all of the below[1]:
- Creating an admin account on the device with random user name
- Creating a Local user account on the device with random user name
- Creating a user group or adding the above local user to an existing sslvpn user group
- Adding/changing other settings (firewall policy, firewall address, …)
- Logging in the sslvpn with the above added local users to get a tunnel to the internal network.
References
[1] https://fortiguard.fortinet.com/psirt/FG-IR-24-535
[2] https://www.cve.org/CVERecord?id=CVE-2024-55591