CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability
This authentication bypass (CWE-288, Authentication Bypass Using an Alternate Path or Channel) in FortiOS and FortiProxy lets an unauthenticated remote attacker obtain super-admin privileges by sending crafted requests to the Node.js websocket module of the administrative web interface. Fortinet has confirmed that the flaw is being exploited in the wild, so any device whose HTTP/HTTPS management interface is reachable from untrusted networks should be treated as exposed.
In November 2024, Arctic Wolf researchers detected suspicious activity against Fortinet FortiGate firewalls with management interfaces exposed to the internet, later linked to CVE-2024-55591. Their analysis describes a campaign that ran from mid-November to late December 2024 in four phases:
1. Vulnerability scanning
2. Reconnaissance
3. SSL VPN configuration (creating admin accounts and SSL VPN portals to retain access)
4. Lateral movement (using the firewall as a foothold into the network, including credential extraction via DCSync)
Arctic Wolf's findings align with the indicators of compromise (IoCs) published by Fortinet: admin logins attributed to the jsconsole interface from spoofed-looking source addresses, and newly created admin accounts with random-looking names.
Historically
Fortinet has a history of being targeted by advanced persistent threat (APT) actors. Previous vulnerabilities include:
CVE-2024-21762: Out-of-Bounds Write in sslvpnd (February 2024)
CVE-2023-27997: Heap-Based Buffer Overflow in SSL VPN (June 2023)
CVE-2022-42475: Heap-Based Buffer Overflow in sslvpnd, exploited as a zero-day (December 2022)
CVE-2022-40684: Authentication Bypass on the administrative interface (October 2022)
Proof of Concept
As of now, there is no public proof-of-concept exploit for CVE-2024-55591. That should not lower the priority: Fortinet has already confirmed in-the-wild exploitation, so patching or restricting the management interface is urgent regardless of whether a PoC is available.
Mitigation
Fortinet's advisory (FG-IR-24-535) provides the following mitigation steps:
Patches
FortiOS 7.0.0 through 7.0.16: upgrade to 7.0.17 or above
FortiProxy 7.0.0 through 7.0.19: upgrade to 7.0.20 or above
FortiProxy 7.2.0 through 7.2.12: upgrade to 7.2.13 or above
Workarounds
If immediate patching is not possible, Fortinet's workaround is to disable the HTTP/HTTPS administrative interface, or to restrict which source addresses can reach it using local-in policies. In either case, review device logs for the published IoCs and treat any match as a possible compromise rather than assuming the workaround was applied in time.
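The IoCs that Arctic Wolf's findings align with, and that the workaround note above asks operators to check for, are FortiOS event-log entries. The script below is an added example, not code from this post, Fortinet or Arctic Wolf: it parses FortiOS key=value log lines and flags the two patterns Fortinet's advisory describes, an admin login attributed to ui="jsconsole" with loopback or identical srcip/dstip, and an admin account created through jsconsole with the super_admin profile. The sample log lines are constructed (IPs, timestamps and the account name are made up), and the severity labels and the "spoofed-looking address" heuristic are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample FortiOS event-log lines (not real logs). Their shape follows the
# entries Fortinet published as IoCs for CVE-2024-55591; the IPs and names are made up.
SAMPLE_LOGS = [
    # Ordinary GUI login from a management host: benign
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" '
    'status="success" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    # IoC pattern: login attributed to jsconsole with identical, spoofed-looking src/dst
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" '
    'status="success" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # IoC pattern: random-looking super_admin account created through jsconsole
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgpath="system.admin" cfgobj="vOcep" '
    'cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    # Ordinary CLI change over SSH: benign
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="ssh(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" '
    'cfgattr="comments[reviewed]" msg="Edit firewall.policy 12"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict; surrounding quotes are stripped from values."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def _spoofed_addresses(srcip: str, dstip: str) -> bool:
    """Heuristic (my assumption): a real GUI session does not log loopback or identical src/dst."""
    return srcip == dstip or srcip.startswith("127.") or dstip.startswith("127.")


def check_event(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one parsed event; empty list if nothing matches."""
    findings: List[Tuple[str, str]] = []
    ui = fields.get("ui", "")
    if not ui.startswith("jsconsole"):
        return findings
    if fields.get("logdesc") == "Admin login successful":
        srcip, dstip = fields.get("srcip", ""), fields.get("dstip", "")
        if _spoofed_addresses(srcip, dstip):
            findings.append(("high", f"jsconsole admin login with spoofed-looking addresses srcip={srcip} dstip={dstip}"))
        else:
            findings.append(("medium", f"admin login attributed to jsconsole from {srcip}; confirm an operator used the GUI console"))
    if fields.get("action") == "Add" and fields.get("cfgpath") == "system.admin":
        name = fields.get("cfgobj", "?")
        severity = "high" if "accprofile[super_admin]" in fields.get("cfgattr", "") else "medium"
        findings.append((severity, f"admin account '{name}' created via {ui}"))
    return findings


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run check_event over every line; return (line_index, severity, reason) tuples."""
    results: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(lines):
        for severity, reason in check_event(parse_fortios_log(line)):
            results.append((idx, severity, reason))
    return results


if __name__ == "__main__":
    for idx, severity, reason in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: [{severity}] {reason}")
```

Point scan_logs at exported FortiGate event logs (forwarded syslog or FortiAnalyzer exports have the same key=value shape). A "medium" jsconsole login is only a prompt to confirm with the operator; a "high" finding, or any new super_admin account you did not create, should be handled as a suspected compromise, which means rotating credentials and reviewing the configuration for added SSL VPN users and portals, not just applying the patch.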
Other Vulnerabilities
On January 14, 2025, Fortinet also published advisories for additional vulnerabilities alongside this one; for the full list, refer to Fortinet's January 14 advisories.
Identifying Affected Systems
Tenable customers can use the following tools to find exposed and vulnerable devices:
1. Tenable Plugins: Updated plugins for CVE-2024-55591 can be found on Tenable’s CVE page.
2. Tenable Attack Surface Management: This tool identifies public-facing Fortinet assets.
For more information, consult Fortinet’s official advisory.