THE THREAT
On January 14th, Fortinet disclosed an actively exploited critical zero-day vulnerability impacting multiple versions of FortiOS and FortiProxy. The vulnerability, tracked as CVE-2024-55591 (CVSS: 9.6) is an Authentication Bypass Using an Alternate Path or Channel vulnerability. Exploitation would allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. Fortinet states that threat actors have been observed performing various operations, including creating admin and local user accounts with random usernames, adding local users to SSL VPN user groups, modifying configurations such as firewall policies, and using the SSL VPN to establish tunnels into the internal network. Fortinet's disclosure confirms that CVE-2024-55591 has been exploited in the wild.
As exploitation has been confirmed, it is critical that organizations using FortiOS and FortiProxy apply the relevant security patches or alternative mitigations immediately.
What we’re doing about it
-
eSentire MDR for Log has detections in place to identify related activity
-
eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices
-
Known malicious IP addresses have been added to eSentire’s Global Block List
-
Indicator based threat hunting for related activity is ongoing
-
The eSentire Tactical Threat Response team is developing additional detection content
-
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
-
After performing a business impact review, apply the relevant security patches released by Fortinet
-
If patching is not immediately possible, Fortinet has provided temporary mitigations:
-
Disable HTTP/HTTPS administrative interface
-
Limit IP addresses that can reach the administrative interface via local-in policies; see the Fortinet advisory for detailed instructions
Additional information
Public reports indicate that exploitation activity had been observed as early as mid-November 2024. Given the timeframe between the first observation and public acknowledgement of the vulnerability as a zero-day, organizations must immediately apply patches or implement the temporary mitigation actions as soon as possible. In addition, defenders should also perform retroactive threat hunts using the Indicators of Compromise (IoCs) provided by Fortiguard Labs to identify successful exploitation, or post-exploitation activity. Lateral movement has reportedly been observed as well, highlighting the importance of defenders taking action immediately.
CVE-2024-55591: Impacted Product List
FortiOS:
-
FortiOS 7.0.0 through 7.0.16
FortiProxy:
-
FortiProxy 7.2.0 through 7.2.12
-
FortiProxy 7.0.0 through 7.0.19
Fortinet vulnerabilities have a history of being exploited by threat actors. On October 9th 2024, a Remote Code Execution vulnerability in Fortinet FortiOS, tracked as CVE-2024-23113 (CVSS: 9.8), was added to CISA’s Known Exploited Vulnerability (KEV) catalog. Past exploitation may indicate that threat actors are already familiar with the platform and have an interest in targeting these devices.
References:
[1] https://www.fortiguard.com/psirt/FG-IR-24-535
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-55591
